France agency ANSSI links Russia’s Sandworm APT to attacks on hosting providers

French agency ANSSI attributes a series of attacks targeting Centreon servers to the Russia-linked Sandworm APT group.

The French security agency ANSSI is warning of a series of attacks targeting Centreon monitoring software used by multiple French organizations and attributes them to the Russia-linked Sandworm APT group.

The first attack spotted by ANSSI experts dates back to the end of 2017 and the campaign continued until 2020. Threat actors mainly targeted IT service providers, particularly web hosting.

“ANSSI was informed of a campaign of compromise affecting several French entities. This campaign targeted Centreon monitoring software , published by the company of the same name.” reads the alert issued by the ANSSI.

“The first compromises identified by ANSSI date from the end of 2017 and continued until 2020. This campaign mainly affected IT service providers, particularly web hosting.”

Expert at the ANSSI observed that the threat actors deployed a webshell on the compromised Centreon servers that were exposed on the internet, along with a backdoor dubbed Exaramel first spotted by ESET researchers in 2018.

This backdoor is version 3.1.4. of the P.AS webshell, ANSSI researchers found many similarities between this campaign and previous campaigns conducted by the Sandworm modus operandi.

Sandworm (aka BlackEnergy and TeleBots) has been active since 2000, it operates under the control of Unit 74455 of the Russian GRU’s Main Center for Special Technologies (GTsST).

The group is also the author of the NotPetya ransomware that hit hundreds of companies worldwide in June 2017, causing billions worth of damage.

At the time of this writing it is not clear if the hackers exploited a vulnerability in the Centreon software.

According to the report published by the ANSSI, the attackers used two type of infrastructure:

• An Anonymization infrastructure that leverages VPN services to connect to webshells, including Tor network, EXpressVPN, PrivateInternetAccess (PIA), and VPNBook.
• Command and control infrastructure composed of dedicated servers to manage the implants. Some of these servers were under the control of the Sandworm APT group.

“Linux/Exaramel has already been analysed by ESET. They noted the similarities between this backdoor and Industroyer that was used by the intrusion set TeleBots, also known as Sandworm [7]. Even if this tool can be easily reused, the Command and Control infrastructure was known by ANSSI to be controlled by the intrusion set.” reads the report published by the French agency. “Generally speaking, the intrusion set Sandworm is known to lead consequent intrusion campaigns before focusing on specific targets that fits its strategic interests within the victims pool. The campaign observed by ANSSI fits this behaviour”

The ANSSI also provided indicators of compromise (IOCs) and Yara rules tp detect these attacks and determine if a system has been compromised.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ANSSI)

[adrotate banner=”5″]

[adrotate banner=”13″]