Ransomware targets remote management interfaces

2 May 2018
Attackers are targeting management processors built into certain HP servers.

The Department of Health and Human Services has been made aware of attackers targeting the management processors built into certain HP servers, which allow administrators to manage the device remotely. These management processors include, but are not limited to, HPE iLO 4 or HPE Integrated Lights-Out remote management interfaces.

Administrators connect to the server using a web browser or mobile app, where they are greeted with a login page. In this attack, however, the login page contains a "Security Notice" stating that the computer's hard drives are encrypted and that the owners must pay a ransom to get their data back. The notice then demands two bitcoins and advises that the attackers will provide a bitcoin address for payment.

Impact

Your server may be wiped or act as a decoy for another attack.

Action

If your organisation is using an HP server with a built-in management processor, please contact your HP vendor for further remediation.

Prevention

Use a secure VPN to connect to your server remotely. NEVER connect an iLO device directly to the Internet.