A sophisticated cyber operation, attributed to the Russia-linked hacking group Sandworm, has reportedly targeted several French entities over a three-year span by exploiting vulnerabilities in an IT monitoring tool known as Centreon. The French information security agency ANSSI revealed that this campaign began in late 2017 and extended through 2020, with notable impacts on web-hosting providers.
ANSSI’s advisory detailed significant findings from compromised systems, where investigators discovered a backdoor in the form of a web shell, identified as the PAS web shell version 3.1.4. In addition, a second backdoor, previously associated with the group by cybersecurity firm ESET, named Exaramel, was also found on the affected Centreon servers. Such malware indicates a targeted approach, leveraging known vulnerabilities in Centreon’s software architecture.
The Sandworm group, also known as APT28 or various other aliases, has been implicated in some of the most severe cyber incidents in recent history, including attacks on Ukraine’s power grid in 2016 and the NotPetya ransomware outbreak in 2017. This latest campaign illustrates a continuing trend of state-sponsored cyber activities designed to compromise critical infrastructure and sensitive organizations.
While the exact method of initial access remains unclear, the attack leveraged compromised network environments running Centreon, a software developed by a French company for application and network monitoring. Since its founding in 2005, Centreon has attracted a diverse clientele, including high-profile entities such as Airbus and Sanofi. However, the agency did not disclose the precise number or identity of victims affected by this targeted campaign.
Central to ANSSI’s investigation was confirmation that the backdoor malware had been uploaded to servers running the CentOS operating system. The presence of the PAS web shell and the Exaramel backdoor underscores the capabilities of the threat actors: PAS allows for comprehensive file operations, SQL database interactions, and brute-force attacks, while Exaramel serves as a remote administration tool capable of executing shell commands and transferring files.
In tandem with the malware discovery, ANSSI found that the operators relied on commercial VPN services to reach the web shells. Correlations in command-and-control infrastructure further solidified the connection to Sandworm’s ongoing operations. Such tactics fit within the MITRE ATT&CK framework, suggesting adversarial methods including initial access through compromised credentials, persistence through the deployment of web shells, and privilege escalation via unauthorized remote administration tools.
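A web shell such as PAS is an unexpected script file on the server that its operator drives with POST requests, so one defensive check is to compare the PHP paths that receive POSTs in the web server access log against the set of entry points the monitoring application legitimately ships. The script below is an added example, not code from ANSSI or Centreon; it assumes Apache "combined" log lines, and the allowlist and sample log entries are constructed placeholders, not real Centreon paths or indicators.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access log format (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed allowlist of legitimate PHP entry points for the web UI.
# In practice derive it from the package manifest of the installed version.
KNOWN_PHP = {"/centreon/index.php", "/centreon/main.php"}

# Constructed sample log: normal UI traffic plus POSTs to an unknown script.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Dec/2019:03:14:01 +0100] "GET /centreon/index.php HTTP/1.1" 200 5123',
    '203.0.113.7 - - [12/Dec/2019:03:14:05 +0100] "POST /centreon/index.php HTTP/1.1" 200 4412',
    '198.51.100.23 - - [12/Dec/2019:03:20:11 +0100] "POST /centreon/img/sys.php HTTP/1.1" 200 1780',
    '198.51.100.23 - - [12/Dec/2019:03:21:40 +0100] "POST /centreon/img/sys.php HTTP/1.1" 200 2045',
    '198.51.100.9 - - [12/Dec/2019:03:22:02 +0100] "POST /centreon/img/sys.php HTTP/1.1" 200 1213',
    '198.51.100.23 - - [12/Dec/2019:03:25:00 +0100] "GET /centreon/main.php?p=1 HTTP/1.1" 200 9811',
    'garbage line that does not parse',
]


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_webshell_candidates(lines, known_php=KNOWN_PHP, min_posts=2):
    """Flag PHP paths outside the allowlist that answered successful POSTs.

    Returns {path: {"posts": count, "ips": sorted client IPs}} for paths that
    received at least `min_posts` POSTs with status 200; query strings are
    stripped so the same script is not counted under several URLs.
    """
    posts = defaultdict(int)
    clients = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if not path.lower().endswith(".php") or path in known_php:
            continue
        if rec["method"] == "POST" and rec["status"] == "200":
            posts[path] += 1
            clients[path].add(rec["ip"])
    return {p: {"posts": n, "ips": sorted(clients[p])}
            for p, n in posts.items() if n >= min_posts}
```

Run over a real log, each flagged path should be checked against the installed package's file list and its creation time before being treated as a web shell.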
This incident highlights a concerning trend for cybersecurity in the enterprise sector, as monitoring systems like Centreon have become appealing targets for malicious actors seeking to establish footholds within victim networks. Unlike the SolarWinds supply chain incident, these attacks appear to have utilized exposed internet-facing servers hosting Centreon, rather than compromising the supply chain itself.
In light of these developments, ANSSI advises immediate updating of applications to address known vulnerabilities and cautions against exposing such tools directly to the internet. The agency stresses the importance of implementing robust authentication measures to protect web interfaces from unauthorized access.
In a press release, Centreon clarified that the attacks exclusively targeted outdated versions of its open-source software that have not been actively supported for multiple years, asserting that only a limited number of entities were impacted. The company emphasized that the nature of the campaign does not align with traditional supply chain breaches, distinguishing it from other notable cyber incidents.
As organizations increasingly grapple with the complexity of cybersecurity threats, monitoring systems and associated vulnerabilities must remain a focal point in defense strategies. Business owners should take heed of ANSSI’s alerts and consider reevaluating their cybersecurity policies to fortify against such stealthy and sophisticated attacks.