Unknown attackers – possibly the Sandworm APT – have been compromising enterprise servers running the Centreon monitoring software for over three years, the French National Cybersecurity Agency (ANSSI) said on Monday.
The intrusion campaign resulted in the breach of several French entities, the agency said. The attackers mostly went after IT providers, and particularly web hosting providers.
The attackers compromised internet-exposed Centreon installations to gain access to the underlying system (servers running the CentOS operating system), and used that access to move laterally through the target organizations’ networks.
“The initial compromise method is not known,” ANSSI analysts noted.
Once on the compromised Centreon servers, the attackers deployed two previously known pieces of malware: the P.A.S. (aka Fobushell) web shell and the Linux version of the Exaramel backdoor.
The P.A.S. web shell:
- Uses encryption to hinder analysis and to enforce access control once deployed on a compromised host
- Is able to list files, interact with them, and create and upload new files
- Allows attackers to perform specific searches
- Is able to interact with SQL databases
- Can create a bind shell on a listening port, a reverse shell to a remote address passed as a parameter, and run a network scan to find open ports and listening services on a machine
- Can attempt to brute-force SSH, FTP, POP3, MySQL, MSSQL and PostgreSQL services
- Can collect information on the compromised host
The Exaramel backdoor is a remote administration tool that encrypts its communication with the C&C server, from which it receives the list of tasks it is supposed to run (delete and update itself, transfer files from the C&C server to the compromised host and vice versa, run shell commands, produce reports, etc.). Depending on the environment it runs in, it uses different persistence techniques.
Links to Sandworm APT
ANSSI analysts have pointed out that the P.A.S. web shell has been previously used by alleged Russian government cyber actors in attacks targeting the 2016 U.S. elections, but that the malware was available for download to anyone. As such, it was accessible to multiple threat actors, they said, and can’t be tied to a specific one.
The Exaramel backdoor, on the other hand, has been analyzed by ESET researchers, who noted similarities between it and the Industroyer malware used by the TeleBots (aka Sandworm) group.
“Even if this tool can be easily reused, the Command and Control infrastructure was known by ANSSI to be controlled by the intrusion set [i.e., the threat actor],” they added.
“Generally speaking, the intrusion set Sandworm is known to lead consequent intrusion campaigns before focusing on specific targets that fit its strategic interests within the victims pool. The campaign observed by ANSSI fits this behaviour.”
The analysts advised administrators to keep their applications patched, not to expose monitoring systems’ web interfaces to the internet (or at least to restrict access to them), to harden the underlying systems and servers, and to export web server logs and retain them for at least one year.
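The log-retention advice matters because a web shell such as P.A.S. is just a PHP file that only ever receives POST requests, so the web server access log is often the first place it can be found retrospectively. The script below is an added illustration (not code from ANSSI, Centreon or the report's IoCs): it parses Apache "combined" log lines and lists PHP scripts that received POSTs outside a hypothetical allowlist of legitimate entry points. The log lines, the `/centreon/img/cache.php` path and the `KNOWN_PHP` set are all constructed for the example; in practice the allowlist should be derived from the installed package's file list.

```python
"""Hunt for web-shell-like POST activity in Apache access logs.

Added example, not from the ANSSI report or the Centreon project. Assumes
the Apache "combined" log format and a hypothetical allowlist of the PHP
entry points the application legitimately serves.
"""
import re
from collections import defaultdict

# Apache "combined" format, e.g.
# 203.0.113.5 - - [10/Feb/2021:12:00:01 +0100] "POST /x.php HTTP/1.1" 200 512 "-" "UA"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Hypothetical allowlist of PHP scripts expected to receive requests.
# Derive the real one from the package manifest of the installed version.
KNOWN_PHP = {
    "/centreon/index.php",
    "/centreon/main.php",
    "/centreon/api/index.php",
}

# Constructed sample log lines (the cache.php path is hypothetical).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Feb/2021:12:00:01 +0100] "GET /centreon/index.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Feb/2021:12:00:05 +0100] "POST /centreon/main.php?p=1 HTTP/1.1" 200 512 "https://mon.example/centreon/index.php" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Feb/2021:12:01:00 +0100] "POST /centreon/img/cache.php HTTP/1.1" 200 88 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [10/Feb/2021:12:01:07 +0100] "POST /centreon/img/cache.php HTTP/1.1" 200 1290 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [10/Feb/2021:12:02:30 +0100] "POST /centreon/img/cache.php HTTP/1.1" 200 60 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [10/Feb/2021:12:03:00 +0100] "GET /centreon/img/cache.php HTTP/1.1" 200 60 "-" "Mozilla/4.0"',
    'this line is deliberately malformed and must be skipped',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Drop the query string so /x.php?cmd=... and /x.php are grouped together.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def suspicious_php_posts(lines, known=KNOWN_PHP):
    """Return {path: {client_ip: post_count}} for POSTs to non-allowlisted PHP files.

    A dropped web shell is typically a lone PHP file that is only POSTed to,
    by very few clients, usually without a Referer; grouping by path and
    source IP surfaces exactly those candidates for manual review.
    """
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] != "POST" or not rec["path"].lower().endswith(".php"):
            continue
        if rec["path"] in known:
            continue
        hits[rec["path"]][rec["ip"]] += 1
    return {path: dict(ips) for path, ips in hits.items()}


if __name__ == "__main__":
    for path, clients in suspicious_php_posts(SAMPLE_LOG).items():
        for ip, n in clients.items():
            print(f"{path}: {n} POST(s) from {ip}")
```

Run against a year of exported logs, this will also surface legitimate plugins and custom scripts, so the output is a review list rather than an alert; the point is that it cannot be produced at all if the logs were rotated away before the intrusion was noticed.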
Additional technical information, detection methods and IoCs can be found here.
Was it a supply chain attack?
Though the attackers compromised monitoring software to breach organizations, the ANSSI report does not say whether this was an instance of a supply chain compromise like the recent SolarWinds one.
“The first victim seems to have been compromised from late 2017. The campaign lasted until 2020,” ANSSI shared.
The agency did not name the confirmed victims of this campaign, but said that most were IT/web hosting providers. On its website, Centreon lists high-profile customers such as the French Ministry of Justice, the French departmental council of Haut-Rhin, several retail companies, telecoms, etc.
UPDATE (February 17, 2021, 04:15 a.m. PT):
“The ANSSI report and our exchanges with them confirm that Centreon did not distribute or contribute to propagate malicious code. This is not a supply chain type attack and no parallel with other attacks of this type can be made in this case,” the company stated officially, adding that only about fifteen entities were targeted in this campaign and that none of them are its customers.
“The campaign described by ANSSI exclusively concerns obsolete versions of Centreon’s open source software. Indeed, the ANSSI specifies that the most recent version concerned by this campaign is version 2.5.2, released in November 2014. This version is not only no longer supported for more than 5 years, but has apparently also been deployed without respect for the security of servers and networks, including connections outside the entities concerned. Since this version, Centreon has released 8 major versions.”