A Known Vulnerability Could Help Cybercriminals Exploit HPE iLO 4
HPE iLO (HP Enterprise Integrated Lights-Out) is a remote management tool built to let administrators control HP servers from anywhere in the world via a browser or a mobile app. We all know about remote administration Trojans (RATs), but, unfortunately, there are various other infections that exploit remote access to servers or physical computers for different reasons. That being said, not many infections target remote management systems to encrypt or wipe data and then demand humongous ransom fees. HPE iLO Ransomware might be a pioneer, but it has already managed to raise some panic. So, how does this threat work, and what does it want?
It has not yet been established exactly how HPE iLO Ransomware manages to attack servers, but everyone appears to be looking at two well-known vulnerabilities, CVE-2013-4786 and CVE-2017-12542. Unlike Shrug Ransomware, Scarab-Bin Ransomware, and hundreds of other file-encryptors that target operating systems such as Windows, HPE iLO Ransomware is focused entirely on the HPE iLO management interface. Naturally, this malware uses distribution techniques different from the ones usually linked to “regular” file-encrypting, OS-targeting ransomware. Most likely, it makes its way in by brute-force attacks that exploit the vulnerabilities mentioned above. The good news is that they were patched, and a long time ago at that, which means that most HPE iLO users should be safe.
Once it is in, HPE iLO Ransomware quickly goes after the server’s drives. When cybercriminals take control, they enable the Login Security Banner and mount a remote ISO image. This image presents the victim with what look like regular ransom demands. The server is then rebooted, and this is when data on the server can be tampered with. If the server is rebooted again, remote access is denied and a “No boot device found” error appears. The ransom note used by HPE iLO Ransomware is delivered by reconfiguring the iLO 4 Login Security Banner settings, and the message is intense. According to it, the “hard disk is encrypted using RSA asymmetric encryption,” and a decryption key must be purchased in order to restore the data.
Just like with most ransomware, responding to the ransom demands is a tricky thing. The bottom line is that cybercriminals cannot be forced to keep their end of the deal, so if the victim chooses to pay the requested ransom, in most cases they are left empty-handed. It appears that the victims of HPE iLO Ransomware receive personalized requests, because the size of the ransom is revealed only after they email firstname.lastname@example.org. Along with the specific ransom amount, the creator of the infection also sends a Bitcoin wallet address, and the word on the street is that victims are given unique addresses as well, which is not a common practice among cybercriminals. In one case, an HPE iLO administrator dealing with HPE iLO Ransomware was asked for a ransom of 2 BTC, or anywhere between $12,000 and $15,000 (the conversion rate depends on the time of reading).
Although the note states that the files will be recovered if the victim pays the ransom and applies a decryption key, there are concerns that HPE iLO Ransomware in fact wipes data, in which case decryption is not even an option. That is the second reason paying the ransom is not recommended. Maybe it’s all just a decoy? After all, if cybercriminals can gain access to the administrator’s account, they could do even more damage, for example, gain full access to the operating systems. If administrators configure HPE iLO devices to be reachable only via a secure VPN, many security issues can be avoided. If the interface can be reached directly over the Internet, the risk of unauthorized access rises dramatically.
So, what should be done to protect against HPE iLO Ransomware? First and foremost, all updates must be installed to ensure that security vulnerabilities (including CVE-2013-4786 and CVE-2017-12542) are patched. It is especially important to patch CVE-2017-12542, as this vulnerability has been found to allow authentication to be bypassed on HPE iLO servers. It was found that anyone could make a cURL request and type “A” 29 times to potentially gain unauthorized access, which could then be used to carry out other attacks. This vulnerability affects all HPE iLO 4 firmware versions up to 2.53. This is why upgrading to the latest firmware is strongly recommended.
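As an added example (not code from the article or from HPE), the helpers below show how an administrator could triage an iLO 4 inventory against the two indicators the article gives: firmware still in the affected range, and a Login Security Banner that has been rewritten into the ransom message. It assumes the firmware string comes from the `FirmwareVersion` field of a Redfish Manager record in the form `iLO 4 v2.xx`, uses the article’s 2.53 as the last affected release (adjust to HPE’s advisory), and runs on constructed sample records, so it works offline.

```python
"""Offline triage helpers for HPE iLO 4 inventory data (added example)."""
import json
import re
from typing import Optional, Tuple

# Last affected iLO 4 firmware according to the article; adjust to HPE's advisory.
LAST_AFFECTED = (2, 53)
# Phrases from the ransom message quoted in the article, used for banner triage.
BANNER_INDICATORS = ("hard disk is encrypted", "decryption key", "bitcoin")


def parse_ilo_version(text: str) -> Optional[Tuple[int, int]]:
    """Extract (major, minor) from strings such as 'iLO 4 v2.53' or '2.61'."""
    m = re.search(r"v?(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def firmware_needs_patch(version_text: str, last_affected=LAST_AFFECTED) -> bool:
    """True when the parsed version is at or below the last affected release."""
    v = parse_ilo_version(version_text)
    if v is None:
        return True  # unparseable version: treat as unknown and review it
    return v <= last_affected


def banner_looks_like_ransom_note(banner: Optional[str]) -> bool:
    """Flag a Login Security Banner that carries the ransom phrasing."""
    if not banner:
        return False
    low = banner.lower()
    return any(phrase in low for phrase in BANNER_INDICATORS)


def audit_manager(manager_json: str, banner: Optional[str] = None) -> dict:
    """Audit one Redfish Manager record (JSON text) plus an optional banner string."""
    data = json.loads(manager_json)
    firmware = data.get("FirmwareVersion", "")
    return {
        "firmware": firmware,
        "needs_patch": firmware_needs_patch(firmware),
        "ransom_banner": banner_looks_like_ransom_note(banner),
    }


# Constructed sample records and banner text (not captured from a real iLO).
SAMPLE_OLD = '{"Id": "1", "FirmwareVersion": "iLO 4 v2.50"}'
SAMPLE_NEW = '{"Id": "1", "FirmwareVersion": "iLO 4 v2.61"}'
SAMPLE_BANNER = "Your hard disk is encrypted using RSA asymmetric encryption."

if __name__ == "__main__":
    print(audit_manager(SAMPLE_OLD, SAMPLE_BANNER))  # flags both indicators
    print(audit_manager(SAMPLE_NEW))  # clean
```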