IPMI backdoor not with your own hands
Many people do not realize that servers are managed remotely over IPMI (Supermicro, HP iLO, Dell DRAC, etc.) by a BMC module with its own processor, network card, RAM and flash memory, running a customized Linux OS with SSH. Advanced attackers like to use it for backdooring and tunneling, since these systems contain many vulnerabilities and in 90% of cases are never updated. An attacker can live there for years and go unnoticed. Do you know everything about your infrastructure? If you think that placing IPMI interfaces in isolated VLANs will save you, you are wrong.
There is always a chance that an operations engineer connects the management interface to the wrong VLAN, or that you run into another surprise: the dedicated and failover NIC modes, which are often set by default. In these modes the BMC additionally exposes its MAC address on the regular network ports. You think your server has only the IP addresses assigned in the OS, but in fact the IPMI IP addresses end up in the production segments.
I will talk about real cases of hacking IPMI modules, detecting malicious backdoors, methods of investigation and detecting indicators of compromise (IoC).
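An inventory check for the shared/failover-NIC problem described above, added here as an example and not part of the talk or any vendor tool: it parses the `Key : Value` output of `ipmitool lan print`, then flags a BMC whose address lies outside the management prefixes, inside a production prefix, in the same subnet as the OS, or whose MAC is already resolvable from a production host. The `ipmitool` output, the OS addresses, the neighbour table and the address plan are all constructed sample data; the prefix values are assumptions for illustration.

```python
"""Inventory check: does a server's BMC (IPMI) address leak into production?"""
import ipaddress

# Constructed sample of `ipmitool lan print 1` output (not captured from a real host).
SAMPLE_LAN_PRINT = """\
Set in Progress         : Set Complete
IP Address Source       : Static Address
IP Address              : 10.20.30.41
Subnet Mask             : 255.255.255.0
MAC Address             : 00:25:90:aa:bb:cc
Default Gateway IP      : 10.20.30.1
"""

# Constructed OS-side addresses of the same server (as `ip -4 addr` would report).
SAMPLE_OS_ADDRESSES = ["10.20.30.40/24"]

# Constructed neighbour table as seen from a production host (`ip neigh`), IP -> MAC.
SAMPLE_PRODUCTION_NEIGHBOURS = {
    "10.20.30.40": "52:54:00:11:22:33",
    "10.20.30.41": "00:25:90:aa:bb:cc",
}

# Assumed address plan: where BMCs are allowed to live, and what counts as production.
MANAGEMENT_PREFIXES = ["172.30.0.0/16"]
PRODUCTION_PREFIXES = ["10.20.0.0/16"]


def parse_lan_print(text):
    """Turn the 'Key : Value' lines of ipmitool lan print into a dict.

    partition() splits on the first colon only, so MAC addresses survive intact.
    """
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def bmc_interface(fields):
    """BMC IPv4 interface object, or None if the LAN channel has no address."""
    ip = fields.get("IP Address", "0.0.0.0")
    mask = fields.get("Subnet Mask", "0.0.0.0")
    if ip == "0.0.0.0":
        return None
    # ip_interface accepts a dotted netmask after the slash.
    return ipaddress.ip_interface(f"{ip}/{mask}")


def check_bmc_placement(lan_print, os_addresses, production_neighbours,
                        management_prefixes=MANAGEMENT_PREFIXES,
                        production_prefixes=PRODUCTION_PREFIXES):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    fields = parse_lan_print(lan_print)
    iface = bmc_interface(fields)
    if iface is None:
        return findings  # unconfigured BMC LAN channel: nothing is exposed
    mgmt = [ipaddress.ip_network(p) for p in management_prefixes]
    prod = [ipaddress.ip_network(p) for p in production_prefixes]

    if not any(iface.ip in n for n in mgmt):
        findings.append(f"BMC {iface.ip} is outside the management prefixes")
    for n in prod:
        if iface.ip in n:
            findings.append(f"BMC {iface.ip} falls inside production prefix {n}")

    # Shared/failover NIC symptom: the BMC sits in the same subnet as the OS.
    for addr in os_addresses:
        os_if = ipaddress.ip_interface(addr)
        if os_if.network == iface.network:
            findings.append(
                f"BMC {iface.ip} shares subnet {iface.network} with OS address {os_if.ip} "
                "(NIC mode is probably not forced to the dedicated port)")

    # Direct evidence: the BMC MAC is resolvable from a production host.
    mac = fields.get("MAC Address", "").lower()
    for ip, seen_mac in production_neighbours.items():
        if mac and seen_mac.lower() == mac:
            findings.append(f"BMC MAC {mac} answers as {ip} inside the production segment")
    return findings


if __name__ == "__main__":
    for finding in check_bmc_placement(SAMPLE_LAN_PRINT, SAMPLE_OS_ADDRESSES,
                                       SAMPLE_PRODUCTION_NEIGHBOURS):
        print("FINDING:", finding)
```

Run it per host from a configuration-management job, feeding it the real `ipmitool lan print` output, the host's `ip -4 addr` list and a neighbour table collected from a production segment; any non-empty result is a BMC that the isolated management VLAN does not actually isolate.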
CISO at Raiffeisenbank, top manager, player-coach. Former CISO of Rambler&Co and Okko. Graduated from MEPhI, Faculty of Information Security (B). He started his career as a network engineer at Net-by-Net and an information security administrator at Gazprombank. More than 5 years in the position of CISO, 20 years passionate about conducting comprehensive penetration testing.