Ilya Zuev – IPMI backdoor not with your own hands HD
Many people do not realize that the remote management of servers via IPMI (Supermicro, HP iLO, Dell DRAC, etc.) runs on a BMC module with its own processor, network card, RAM and flash memory, under a customized Linux OS with SSH. Advanced attackers like to use it for backdooring and tunneling, since these systems contain many vulnerabilities and in 90% of cases are never updated. Attackers can live there for years and go unnoticed. Do you know everything about your infrastructure? If you think that placing IPMI interfaces in isolated VLANs will save you, you are wrong. There is always a chance that either the EO operator will connect the management interface to the wrong VLAN, or you will run into another surprise: dedicated and failover modes, which are often enabled by default. In these modes, IPMI additionally exposes its MAC addresses through the regular network cards. You think that your server has only the IP addresses assigned in the OS, but in fact the IPMI IP addresses end up in the production segments. I will talk about real cases of IPMI module compromise, detection of malicious backdoors, investigation methods, and detection of indicators of compromise (IoC). All the materials are available on the ZeroNights X website.
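As an added example that is not part of the talk, the following check parses `ipmitool lan print` output (the sample is constructed) and flags a BMC whose address lies outside the out-of-band management VLAN, then looks for the BMC's MAC in a production gateway's neighbor table; the management CIDR and the sample addresses are assumptions.

```python
"""Detect a BMC whose IPMI-over-LAN address has leaked into a production segment.

Added example, not the speaker's code. It parses `ipmitool lan print` style
output and an `ip neigh` style ARP listing (both constructed samples below).
"""
import ipaddress
import re

# Constructed sample shaped like `ipmitool lan print 1` output.
SAMPLE_LAN_PRINT = """\
Set in Progress         : Set Complete
IP Address Source       : DHCP Address
IP Address              : 10.20.30.41
Subnet Mask             : 255.255.255.0
MAC Address             : 0c:c4:7a:12:34:56
Default Gateway IP      : 10.20.30.1
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
"""

# Constructed `ip neigh` output as seen from a production gateway.
SAMPLE_NEIGH = """\
10.20.30.40 dev eth0 lladdr 0c:c4:7a:12:34:55 REACHABLE
10.20.30.41 dev eth0 lladdr 0c:c4:7a:12:34:56 STALE
"""

# Assumed out-of-band management VLAN; anything else is a production segment.
MGMT_NETS = [ipaddress.ip_network("192.168.100.0/24")]


def parse_lan_print(text):
    """Return {field: value} from ipmitool's 'Key  : Value' lines."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?)\s+:\s+(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def bmc_ip_outside_mgmt(fields, mgmt_nets):
    """True if the BMC holds a real address that is in no management network."""
    ip = ipaddress.ip_address(fields.get("IP Address", "0.0.0.0"))
    if ip.is_unspecified:  # LAN channel not configured: nothing leaked
        return False
    return not any(ip in net for net in mgmt_nets)


def bmc_seen_in_neigh(bmc_mac, neigh_text):
    """IPs at which the BMC's MAC answers on the segment the listing came from."""
    return [ln.split()[0] for ln in neigh_text.splitlines()
            if bmc_mac.lower() in ln.lower()]
```

Run the same two functions against real `ipmitool lan print` and `ip neigh` output from each host and gateway to inventory BMCs that should not be reachable from production.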