Threat actors are targeting internet accessible HPE Integrated Lights-Out 4 (HPE iLO 4) remote management interfaces with ransomware or a decoy wiper in disguise.
While it’s unclear whether the hard drives are actually being encrypted, an April 25 Bleeping Computer blog post said multiple victims have been affected by the attack, which locks users out and demands 2 Bitcoin to regain access to the data.
UBCERT security researcher M. Shahpasandi tweeted a screenshot of the HPE iLO 4 login screen that contained a “Security Notice” ransom letter stating that the device’s hard drives were encrypted and that the owners had to pay to get them back. Several people have been targeted by the attacks since April 24.
The attackers provide a Bitcoin address that appears to be unique to each victim and researchers pointed out that the attackers explicitly state the ransom is non-negotiable unless the victims are from Russia.
It’s possible that the attack is actually a decoy or wiper rather than genuine ransomware.
Most ransomware typically assigns each victim a unique ID, both to distinguish between victims and to prevent one victim from “stealing” another victim’s payment to unlock their own computer; in this case, no unique ID is given to identify the encrypted computer.
“In a situation like this, where no unique ID is given to identify the encrypted computer and the email is publicly accessible, it could be a case where the main goal is to wipe a server or act as a decoy for another attack,” researchers said in the post.
Researchers warn that HPE iLO 4 interfaces should never be connected directly to the Internet, but should instead be reachable only through a secure VPN, so that they cannot be discovered and abused by threat actors.
The risk is further compounded by known vulnerabilities in older versions that could allow an attacker to bypass authentication, execute commands, and add new administrator accounts.