France Ties 3-Year Hacking Campaign to Russia's SandwormUnpatched, Open-Source Versions of Centreon IT Monitoring Tool Hacked, CERT-FR Says
French cybersecurity authorities are warning that widely used, open-source IT monitoring software called Centreon appears to have been targeted by Russian hackers. But unlike the SolarWinds supply chain attack, in this campaign, attackers appear to have hacked outdated, unpatched versions of the software.
The Centreon open-source IT network monitoring tool is developed by the Paris-based company of the same name.
The National Cybersecurity Agency of France, known as ANSSI, says that the campaign has resulted in the breach of at least several French organizations for a period of up to three years.
"This campaign mostly affected IT service providers, especially web hosting providers," according to a security alert issued Monday by ANSSI's CERT-FR, which is the French government's computer emergency readiness team. The alert includes indicators of compromise that all organizations can use to help detect and block similar attacks.
Centreon also sells a commercial version of the tool, which is not the focus of the alert.
A spokesman for Centreon tells Information Security Media Group that the open-source version the attackers targeted appears to date from 2014 or 2015. "So that's something quite striking here - that the users had not updated their versions."
Hacked versions of the software also had "non-Centreon-designed files" added to the installations, the spokesman says, adding that the victims also appeared to have configured the system running the monitoring software for remote access, without appropriate safeguards. "This is against the recommendations of the industry and Centreon itself; we recommend to only use a VPN."
The Centreon spokesman says no commercial clients were hit by this malware or breach. "We also recommend that users respect these recommendations at all times: update their versions; if you do not use commercial versions, then use security software in addition to your open source software; and do not do monitoring with internet access to that system enabled."
German cyberespionage expert Timo Steffens likewise says that based on ANSSI's alert, the Centreon-targeting campaign appears to have targeted unpatched systems, rather than sneaking malware into the organization's software development pipeline. That latter tactic has been tied to last year's SolarWinds supply chain attack, in which suspected Russian espionage hackers apparently sneaked their "Sunburst" backdoor code into the company's software development pipeline, after which it was installed by up to 18,000 users implementing updates.
Sandworm has been using webshells and the Linux version of the backdoor Exaramel against French entities undetected for more than three years.— Timo Steffens (@Timo_Steffens) February 15, 2021
Initial attack vector is unclear, but malware was found on servers running Centreon (vulnerability more likely than supply-chain). https://t.co/ieUYV57hCF
Hackers Dropped Webshell
A 40-page report in French, released Monday by ANSSI, although dated Jan. 27, further describes the attack campaign and countermeasures.
Authorities say the first known victim of the Centreon-targeting campaign was compromised in late 2017, and the campaign ran until last year, when it was discovered. CERT-FR says malware discovered on systems inside affected organizations has been seen before, including malicious Linux code that's been dubbed Exaramel by security firm ESET.
"On compromised systems, ANSSI discovered the presence of a backdoor in the form of a webshell dropped on several Centreon servers exposed to the internet," CERT-FR says. "This backdoor was identified as being the PAS webshell, version number 3.1.4. On the same servers, ANSSI found another backdoor identical to one described by ESET and named Exaramel."
The alert adds: "This campaign bears several similarities with previous campaigns attributed to the intrusion set named Sandworm."
Finding malware that has previously been used by attackers is insufficient to attribute any further use of that malware to the same group of attackers. But ANSSI's naming of Sandworm is an indication that it suspects the group was, in fact, involved.
Persistent, Remote Access
The PAS webshell has previously been used by alleged Russian attackers, for example, as part of the Grizzly Steppe APT campaign that employed BlackEnergy and other malware, ESET and other security firms have said.
"The PAS web shell is in the category of full-featured PHP web shells that are used by attackers after initial exploitation in order to maintain persistent access to a compromised web portal," according to the SpiderLabs research team at security firm Trustwave.
Russia's Sandworm Hacking
Sandworm is a Russian government hacking team with a penchant for destructive attacks that is part of the GRU military intelligence agency. GRU Unit 74455, as it's officially known, is also called TeleBots, Voodoo Bear and Iron Viking.
In a federal indictment unsealed in October 2020, U.S. authorities accused members of GRU Unit 74455 of being directly involved in numerous attacks, including the 2017 NotPetya fake ransomware attack, attempts to disrupt the 2018 Winter Olympics and 2020 Summer Olympics as well as attacks against organizations investigating Russia's 2018 Novichok attack on British soil.
Russian authorities dismissed those allegations as an attempt to smear Moscow.