Published on February 16th, 2021
France Ties 3-Year Hacking Campaign to Russia’s Sandworm
Unpatched, Open Source Versions of Centreon IT Monitoring Tool Hacked, CERT-FR Says
Mathew J. Schwartz (euroinfosec) • February 16, 2021
French cybersecurity authorities are warning that widely used, open source IT monitoring software called Centreon appears to have been targeted by Russian hackers. But unlike the SolarWinds supply chain attack, in this campaign the attackers appear to have compromised outdated, unpatched versions of the software rather than the vendor's build pipeline.
The Centreon open source IT network monitoring tool is developed by the Paris-based company of the same name.
The National Cybersecurity Agency of France, known as ANSSI, says that the campaign resulted in the breach of several French organizations, with attackers retaining access for up to three years.
“This campaign mostly affected IT service providers, especially web hosting providers,” according to a security alert issued Monday by ANSSI’s CERT-FR, which is the French government’s computer emergency readiness team. The alert includes indicators of compromise that all organizations can use to help detect and block similar attacks.
Centreon also sells a commercial version of the tool, which is not the focus of the alert.
A spokesman for Centreon tells Information Security Media Group that the open source version targeted by attackers appears to be a version of the software that dates from 2014 or 2015. “So that’s something quite striking here – that the users had not updated their versions.”
Hacked versions of the software also had “non-Centreon-designed files” added to the installations, the spokesman says, adding that the victims also appeared to have configured the system running the monitoring software for remote access, without appropriate safeguards. “This is against the recommendations of the industry and Centreon itself; we recommend to only use a VPN.”
The Centreon spokesman says no commercial clients were hit by this malware or breach. “We also recommend that users respect these recommendations at all times: update their versions; if you do not use commercial versions, then use security software in addition to your open source software; and do not do monitoring with internet access to that system enabled.”
German cyber espionage expert Timo Steffens likewise says that based on ANSSI’s alert, the Centreon-targeting campaign appears to have targeted unpatched systems, rather than sneaking malware into the organization’s software development pipeline. That latter tactic has been tied to last year’s nine-month SolarWinds supply chain attack, in which suspected Russian espionage hackers apparently snuck their “Sunburst” backdoor code into the company’s software development pipeline, after which it was installed by up to 18,000 users.
Sandworm has been using webshells and the Linux version of the backdoor Exaramel against French entities undetected for more than three years. Initial attack vector is unclear, but malware was found on servers running Centreon (vulnerability more likely than supply-chain). https://t.co/ieUYV57hCF — Timo Steffens (@Timo_Steffens) February 15, 2021
Hackers Dropped Webshell
A 40-page report in French, released Monday by ANSSI, although dated Jan. 27, further describes the attack campaign and countermeasures.
Authorities say the first known victim of the Centreon-targeting campaign was compromised in late 2017, and that the campaign ran until last year, when it was discovered. CERT-FR says malware discovered on systems inside affected organizations has been seen before, including malicious Linux code that’s been dubbed Exaramel by security firm ESET.
“On compromised systems, ANSSI discovered the presence of a backdoor in the form of a webshell dropped on several Centreon servers exposed to the internet,” CERT-FR says. “This backdoor was identified as being the PAS webshell, version number 3.1.4. On the same servers, ANSSI found another backdoor identical to one described by ESET and named Exaramel.”
The alert adds: “This campaign bears several similarities with previous campaigns attributed to the intrusion set named Sandworm.”
Finding malware that has previously been used by attackers is insufficient to attribute any further use of that malware to the same group of attackers. But ANSSI’s naming of Sandworm is an indication that it suspects the group was, in fact, involved.
Persistent, Remote Access
The PAS webshell has previously been used by alleged Russian attackers, as ESET and other security firms have detailed – for example, as part of the Grizzly Steppe APT campaign that employed BlackEnergy and other malware.
“The PAS web shell is in the category of full-featured PHP web shells that are used by attackers after initial exploitation in order to maintain persistent access to a compromised web portal,” according to the SpiderLabs research team at security firm Trustwave.
Packet trace showing a TCP reverse_connect backdoor communication tied to an apparent PAS webshell infection previously investigated by Trustwave (Source: Trustwave SpiderLabs)
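The alert describes the PAS webshell as a PHP file dropped into the web root of internet-exposed Centreon servers, and the Centreon spokesman notes that compromised installs contained "non-Centreon-designed files". A practical defensive check follows from that: compare the live web root against a manifest taken from a clean install of the same version, and flag any file that is added, altered, or contains constructs typical of PHP webshells. The script below is an added example, not code from the article, ANSSI, Trustwave or Centreon; the manifest format, the directory layout and the sample files it builds in a temporary directory are all constructed for the demonstration, and the regular expressions are generic webshell heuristics rather than signatures for PAS itself.

```python
"""Added example: audit a PHP web root against a known-good manifest and flag
webshell-like files. Not from the article or from Centreon; all sample files
and paths below are constructed for the demonstration."""
import hashlib
import os
import re
import tempfile

# Generic heuristics for PHP webshells (assumption: not PAS-specific signatures):
# evaluating decoded/obfuscated strings, or feeding request parameters straight
# into a command-execution function.
SUSPICIOUS = [
    re.compile(rb"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\b"),
    re.compile(rb"\b(system|shell_exec|passthru|exec|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b"),
    re.compile(rb"\bassert\s*\(\s*\$_(GET|POST|REQUEST)\b"),
]


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large assets do not load fully into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map relative path -> SHA-256 for every file under a clean install."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def looks_like_webshell(data: bytes) -> bool:
    """True if the PHP source matches any of the generic webshell heuristics."""
    return any(p.search(data) for p in SUSPICIOUS)


def audit_webroot(root: str, manifest: dict):
    """Return sorted lists (unexpected, modified, suspicious) of relative paths."""
    unexpected, modified, suspicious = [], [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            expected = manifest.get(rel)
            if expected is None:
                unexpected.append(rel)          # file the package never shipped
            elif sha256_file(full) != expected:
                modified.append(rel)            # shipped file has been altered
            if name.endswith((".php", ".phtml")):
                with open(full, "rb") as f:
                    if looks_like_webshell(f.read()):
                        suspicious.append(rel)
    return sorted(unexpected), sorted(modified), sorted(suspicious)


def demo():
    """Build a constructed clean tree, snapshot it, then simulate a compromise."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "include"))
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php require 'include/common.php'; ?>\n")
    with open(os.path.join(root, "include", "common.php"), "w") as f:
        f.write("<?php function version() { return '2.x'; } ?>\n")
    manifest = build_manifest(root)   # taken while the install is clean

    # Constructed post-compromise changes: one dropped PHP file with a
    # webshell-style eval of decoded input, and one shipped file edited in place.
    with open(os.path.join(root, "include", "cache.php"), "w") as f:
        f.write("<?php eval(base64_decode($_POST['c'])); ?>\n")
    with open(os.path.join(root, "index.php"), "a") as f:
        f.write("// unexpected edit\n")
    return audit_webroot(root, manifest)


if __name__ == "__main__":
    print(demo())
```

In practice the manifest is generated once from a freshly unpacked package of the exact version in use and stored off the host, so that an attacker with write access to the web root cannot also rewrite the baseline; the heuristic scan is a secondary net for files that were added before the baseline was taken.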
Russia’s Sandworm Hacking
Sandworm is a Russian government hacking team with a penchant for destructive attacks that is part of the GRU military intelligence agency. GRU Unit 74455, as it's officially known, is also called TeleBots, Voodoo Bear and Iron Viking by security researchers.
Alleged Russian GRU – aka Sandworm – agents indicted in October 2020 (left to right, top row first): Yuriy Andrienko, Sergey Detistov, Pavel Frolov, Anatoliy Kovalev, Artem Ochichenko and Petr Pliskin. (Source: U.S. Justice Department)
In a federal indictment unsealed in October 2020, U.S. authorities accused members of GRU Unit 74455 of being directly involved in numerous attacks, including the 2017 NotPetya fake ransomware attack, attempts to disrupt both the 2018 Winter Olympics and 2020 Summer Olympics, as well as attacks against organizations investigating Russia's 2018 Novichok attack on British soil.
Russian authorities dismissed those allegations as an attempt to smear Moscow.