Although it has not been confirmed that the hard drives are indeed encrypted, ransomware incidents targeting the HPE iLO remote management interface have been occurring since yesterday, affecting many victims.
HPE iLO 4 (HPE Integrated Lights-Out) is an embedded management processor in some HP servers that lets admins manage the machine remotely. Admins connect to iLO through a web browser or mobile app and are shown a login page like the one below:
Alert: Ransomware targeting remote management interface HPE iLO
After logging in, admins can read logs, reboot the server, view server information, and even open a remote console to the server, which gives full access to the operating system running on it. For this reason, iLO devices should not be connected directly to the Internet; access should instead be restricted to a secure VPN.
Ransomware HPE iLO 4
Today, security researcher M. Shahpasandi posted a screenshot of the HPE iLO 4 login screen showing a 'Security Notice' stating that the computer's hard drive has been encrypted and that the owner must pay a ransom to retrieve their data.
This notice is added through the iLO 4 Login Security Banner setting, found under Administration => Security => Login Security Banner, as shown below.
In this case, the Login Security Banner has been modified to include the attacker's message:
Currently, 9 victims have contacted the attacker. According to the emails the victims received, they no longer have access to their data, indicating that it has been encrypted in some way.
According to M. Shahpasandi, the attacker demands that victims send 2 bitcoins to the address '19ujGd4zqwoHitT2D1hF3BVf73vYVCvxcm' to obtain the decryption key; no payments have been sent to this address yet.
It is worth noting that the attacker says the ransom amount cannot be negotiated unless the victim is in Russia. This is understandable, since attackers based in Russia avoid spreading malware to Russian users.
Typically, ransomware attacks assign each victim a unique ID to tell them apart. This prevents one victim from claiming another victim's payment to obtain the decryption key for their own data.
In this attack, however, no unique ID is provided and the contact email address is public. The main goal may be wiping servers, or the ransom note could be a decoy for another attack.
Never directly connect HPE iLO 4 to the Internet
HPE iLO 4 should be accessed only through a secure VPN so that it cannot be scanned and reached by other users on the Internet.
The risk of a publicly exposed iLO is compounded by vulnerabilities in older firmware versions that allow attackers to bypass authentication, execute commands, and add new Admin accounts. Exploit scripts for these vulnerabilities are also readily available.
Also notable is how easy it is to find exposed iLO interfaces: a quick search on Shodan shows over 5,000 iLO 4 devices connected to the Internet, many of which are known to be vulnerable.
If you run iLO 4 on HP servers with an older firmware version, upgrade to the latest version first. Then review the Admin accounts for any new accounts you did not create. Finally, make sure your iLO IP address is not reachable from the Internet, only through the VPN.
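As an added example (not from the article, and not HPE's own tooling), the following Python script automates two of the checks above: comparing the iLO user accounts against the list you expect, and verifying the Login Security Banner has not been replaced. The Redfish paths and JSON field names are assumptions modelled on the iLO 4 RESTful API and may differ between firmware versions; the sample responses at the bottom are constructed.

```python
import json
import ssl
import urllib.request
from base64 import b64encode

# Assumed Redfish collection of iLO user accounts (iLO 4 firmware 2.30+).
ACCOUNTS_PATH = "/redfish/v1/AccountService/Accounts/"

def fetch_json(host, path, user, password, cafile):
    """GET one Redfish resource over TLS with HTTP Basic auth.
    cafile should hold the iLO certificate (or your CA) so the audit itself
    cannot be intercepted; do not disable verification."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(f"https://{host}{path}")
    token = b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return json.load(resp)

def collect_accounts(host, user, password, cafile):
    """Follow the collection's Members links and return each account document."""
    coll = fetch_json(host, ACCOUNTS_PATH, user, password, cafile)
    return [fetch_json(host, m["@odata.id"], user, password, cafile)
            for m in coll.get("Members", [])]

def unexpected_accounts(account_docs, known_logins):
    """Login names present on the iLO that are not in the approved set."""
    found = set()
    for doc in account_docs:
        # iLO 4 exposes the login both as UserName and under Oem.Hp.LoginName.
        login = doc.get("UserName") or doc.get("Oem", {}).get("Hp", {}).get("LoginName")
        if login:
            found.add(login)
    return sorted(found - set(known_logins))

def banner_tampered(banner_text, approved_text):
    """True if the Login Security Banner no longer matches the approved text."""
    return (banner_text or "").strip() != approved_text.strip()

def audit(account_docs, banner_text, known_logins, approved_banner):
    return {"unknown_accounts": unexpected_accounts(account_docs, known_logins),
            "banner_tampered": banner_tampered(banner_text, approved_banner)}

# Constructed sample data shaped like the Redfish account documents above.
SAMPLE_ACCOUNTS = [
    {"UserName": "Administrator", "Oem": {"Hp": {"LoginName": "Administrator"}}},
    {"UserName": "backup_svc", "Oem": {"Hp": {"LoginName": "backup_svc"}}},
    {"UserName": "support1", "Oem": {"Hp": {"LoginName": "support1"}}},  # not approved
]
SAMPLE_BANNER = "Security Notice: your hard drive is encrypted"  # constructed

if __name__ == "__main__":
    print(audit(SAMPLE_ACCOUNTS, SAMPLE_BANNER, {"Administrator", "backup_svc"},
                "Authorized use only."))
```

Against a live iLO, replace the sample data with `collect_accounts(...)` and the banner text read from the security service resource, and alert on any unknown account or a tampered banner.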
