16 February 2021

Sandworm hackers targeted Centreon servers in three-year campaign


France's national cyber security agency is warning of a series of attacks that targeted French entities running the Centreon IT monitoring software.

Centreon is an IT monitoring product developed by the vendor of the same name. It is used to monitor applications, networks and systems.

The attacks have been detailed in a new report released by Agence Nationale de la Sécurité des Systèmes d'Information, also known by its French acronym ANSSI. According to the cybersecurity agency, the campaign, which lasted from late 2017 until 2020, mostly affected information technology providers, especially web hosting providers.

ANSSI said it found a backdoor in the form of a webshell installed on several Linux servers running the CentOS operating system exposed to the internet. The backdoor was identified as being the P.A.S. webshell, version number 3.1.4. Additionally, another backdoor known as Exaramel was discovered on the same servers. These malware strains allowed attackers to take full control over the compromised system.

Currently, it is not clear how the hackers managed to compromise the servers in the first place.

The security agency linked these attacks to the Sandworm APT, believed to be working on behalf of the Russian government, based on similarities between this campaign and past intrusions conducted by the group.

In the observed campaign the hackers used two infrastructure clusters: common VPN services used to connect to the webshell, and a separate set of command and control servers.

“Generally speaking, the intrusion set Sandworm is known to lead consequent intrusion campaigns before focusing on specific targets that fits its strategic interests within the victims pool. The campaign observed by ANSSI fits this behaviour,” the agency said.

ANSSI also provided a separate advisory with SNORT and YARA rules and other indicators of compromise (IOCs) to help cybersecurity professionals detect malicious Sandworm activity.
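One way a defender consumes the file-hash indicators from an advisory like this is to sweep the web roots of internet-facing servers and flag any file whose digest appears in the IOC list. The script below is an added example and is not code from ANSSI's advisory; the IOC entry, directory layout and file contents are constructed placeholders, not real indicators from the report.

```python
"""Sweep a web root for files whose SHA-256 digest appears in an IOC list.

Added example, not part of the ANSSI advisory. The IOC value below is a
constructed placeholder; a real sweep would load the hashes published in
the advisory instead.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path

# Constructed placeholder IOC: name -> SHA-256 hex digest.
CONSTRUCTED_SAMPLE = b"CONSTRUCTED_SAMPLE_CONTENT_STANDING_IN_FOR_A_WEBSHELL"
IOC_SHA256: dict[str, str] = {
    "constructed-sample": hashlib.sha256(CONSTRUCTED_SAMPLE).hexdigest(),
}


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Hash a file in chunks so large uploads do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: Path, iocs: dict[str, str],
          suffixes: tuple[str, ...] = (".php", ".phtml", ".inc")) -> list[tuple[Path, str]]:
    """Return (path, ioc_name) for every file under root whose digest is in iocs.

    Only files with web-script suffixes are hashed, symlinks are skipped so the
    walk cannot be steered outside the web root, and unreadable files are
    skipped rather than aborting the whole sweep.
    """
    by_digest = {digest.lower(): name for name, digest in iocs.items()}
    hits: list[tuple[Path, str]] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for filename in filenames:
            path = Path(dirpath) / filename
            if path.suffix.lower() not in suffixes or path.is_symlink():
                continue
            try:
                digest = sha256_file(path)
            except OSError:
                continue
            if digest in by_digest:
                hits.append((path, by_digest[digest]))
    return hits


def demo() -> list[str]:
    """Build a constructed web root and return 'relative/path:ioc-name' for each hit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_bytes(b"<?php echo 'hello'; ?>")      # benign
        (root / "uploads").mkdir()
        (root / "uploads" / "cache.php").write_bytes(CONSTRUCTED_SAMPLE)  # matches IOC
        (root / "notes.txt").write_bytes(CONSTRUCTED_SAMPLE)              # wrong suffix, not hashed
        return [f"{p.relative_to(root).as_posix()}:{name}"
                for p, name in sweep(root, IOC_SHA256)]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Hash matching only catches the exact samples the advisory lists; the YARA and SNORT rules ANSSI published cover variants and network traffic, so a hash sweep is a first pass rather than a substitute for running those rules.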
