Ransomware Hits HPE iLO Remote Management Interfaces

LASER_oneXM

Thread author
Attackers are targeting Internet accessible HPE iLO 4 remote management interfaces, supposedly encrypting the hard drives, and then demanding Bitcoins to get access to the data again. While it has not been 100% confirmed if the hard drives are actually being encrypted, we do know that multiple victims have been affected by this attack since yesterday.

HPE iLO 4, otherwise known as HPE Integrated Lights-Out, is a management processor built into certain HP servers that allows administrators to remotely administer the device. Administrators can connect to the iLO using a web browser or mobile app, where they will be greeted with a login page as shown below.
...
...
...
HPE iLO 4 should never be connected directly to the Internet

Exposing a remote administration tool like iLO 4 to the Internet is never a good thing to do. These tools should only be accessible via secure VPNs in order to prevent them from being scanned for and accessed by anyone on the Internet.

The danger of exposing iLO 4 to the public is further compounded when there are known vulnerabilities in older versions that would allow an attacker to bypass authentication, execute commands, and add new administrator accounts. Scripts that exploit these vulnerabilities are also readily available.

Finding connected iLO 4 devices is also trivial. A quick search on Shodan shows that over 5,000 iLO 4 devices are connected to the Internet, with many of them being known vulnerable versions.
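The two risks the post names (iLO reachable from outside the management VPN, and firmware old enough to carry known authentication-bypass bugs) can be checked from an internal asset inventory before anyone else finds them on Shodan. The script below is an added example written for this thread; it is not code from the post, from BleepingComputer or from HPE. It assumes the inventory has already captured each iLO's response from its unauthenticated discovery URL (`/xmldata?item=all`, which returns a `<RIMP>` document whose `<MP>` block carries the product name in `<PN>` and the firmware revision in `<FWRI>`), that the management ranges listed are yours, and that `MIN_FIRMWARE` is a placeholder to be replaced with the level your vendor advisory names, since the post gives no version number. All records, addresses and firmware values are constructed.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET


# Constructed stand-in for an asset-inventory export. The "xmldata" field holds
# the kind of document an iLO serves at /xmldata?item=all: the RIMP/HSI/MP
# element layout is iLO's, the serials, addresses and firmware numbers are
# made up for this example.
def _xmldata(product, firmware):
    return (
        '<?xml version="1.0"?><RIMP>'
        "<HSI><SBSN>EXAMPLE-SN</SBSN><SPN>Example ProLiant</SPN></HSI>"
        f"<MP><ST>1</ST><PN>{product}</PN><FWRI>{firmware}</FWRI></MP>"
        "</RIMP>"
    )


SAMPLE_INVENTORY = [
    {"name": "ilo-db01", "ip": "10.20.0.5",
     "xmldata": _xmldata("Integrated Lights-Out 4 (iLO 4)", "2.55")},
    {"name": "ilo-web07", "ip": "203.0.113.10",
     "xmldata": _xmldata("Integrated Lights-Out 4 (iLO 4)", "2.30")},
]

# Networks from which management traffic is expected (VPN / out-of-band
# management ranges). Constructed for this example; substitute your own.
MANAGEMENT_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Placeholder threshold (assumption, not a recommendation): replace with the
# firmware level your vendor advisory says closes the known issues.
MIN_FIRMWARE = "2.53"


def parse_ilo_discovery(xml_text):
    """Return product name and firmware revision from an iLO RIMP document."""
    root = ET.fromstring(xml_text)
    mp = root.find("MP")
    if mp is None:
        raise ValueError("no <MP> element: not an iLO discovery document")
    return {"product": mp.findtext("PN", ""), "firmware": mp.findtext("FWRI", "")}


def firmware_tuple(version):
    """Turn '2.53' (or '2.53.1') into a comparable tuple of integers."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def audit_ilo(record, management_nets=MANAGEMENT_NETS, min_firmware=MIN_FIRMWARE):
    """Flag an iLO that sits outside the management ranges or runs old firmware."""
    info = parse_ilo_discovery(record["xmldata"])
    addr = ipaddress.ip_address(record["ip"])
    issues = []
    if not any(addr in net for net in management_nets):
        issues.append(f"{addr} is outside the management/VPN ranges")
    if firmware_tuple(info["firmware"]) < firmware_tuple(min_firmware):
        issues.append(f"firmware {info['firmware']} is below {min_firmware}")
    return {"name": record["name"], "product": info["product"],
            "firmware": info["firmware"], "issues": issues}


def audit_inventory(inventory, **kwargs):
    """Return only the records that raised at least one issue."""
    return [r for r in (audit_ilo(h, **kwargs) for h in inventory) if r["issues"]]


if __name__ == "__main__":
    for finding in audit_inventory(SAMPLE_INVENTORY):
        print(finding["name"], finding["firmware"], "; ".join(finding["issues"]))
```

Run against the constructed inventory, only `ilo-web07` is reported: it has a public address outside the management range and firmware below the placeholder threshold. Feeding it a real export turns the post's "should only be accessible via secure VPNs" into a list of specific hosts to move behind the VPN or update.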