Sandworm Hackers Discovered Exploiting Centreon Servers carderone, mafug
The renowned Russian military hackers Sandworm have been penciled out by France authorities for exploiting the Centreon IT monitoring tool.
According to the report, the hackers have been exploiting this tool undetected since 2017. “The first victim seems to have been compromised from late 2017,” the report pointed out.
Sandworm had previously been linked with other hacking incidences, including light outages in Ukraine and the exploitation using NotPeva, the most potent malware in the cybercrime world.
The French Information security agency (ANSSI) made this revelation on Monday after publishing an advisory to warn organizations.
The agency revealed that the attack victims are generally IT firms, but web hosting companies in particular.
Although the initial attack vector is not yet known, the Centreon company application was tied to the breach of the victim’s networks.
The application was launched in 2005 by the company bearing the same name. It has numerous customers, including PWC Russia, New Zealand Police, Finance Ministry of Justice, Luxottica, Air Caraibes, as well as Airbus.
The report didn’t specify how many organizations or which organization was breached through the software hack.
But according to the report, the compromised servers ran the CENTOS operating system. The agency said it discovered it on two different malware types – one known as Exaramel previously used by Sandworm, and another publicly available webshell known as PAS.
The Sandworm group has been using the Exaramel malware since 2018 for various attacks, the report revealed.
The webshell has features that enable it to carry a lot of activities individually and simultaneously. It can run arbitrary PHP commands, create a reverse shell, interact with SQL databases, search the file system, handle file operations, and perform brute force password attacks against MySQL, POP3, FTP, and SSH.
ANSSI said the campaign is executed by the Sandworm group has a similar focus on their previous attacks, which makes it obvious the group is responsible for this.
Generally, Sandworm is renowned for leading consequent intrusion campaigns before settling for specific targets that match its interest.
The report also revealed that the threat actors utilized commercial and public VPNs to communicate with backdoors, as it lists lots of providers and legitimate tools to aid exploit.
To help security researchers identify the attacking methods of Sandworm, AANSI has provided a document with YARA and SNORT rules as well as other breach indicators.
Additionally, the agency has provided an advisory for organizations to improve their security and protection against Sandworm and other APT groups. According to AANSI, the organizations should reduce the exposure of monitoring systems, improve server hardening, and improve patch management.
Monitoring systems like Centreon are always targeted by cybercriminals. As a result, they should be highly intertwined with the monitored information system. to improve their security against intrusion.
The recommendation is not to get the tools’ web interfaces exposed to the internet or to use non-applicative authentication to restrict access.
ANSSI revealed that the threat actors were able to succeed in their attack because the Centreon system was connected to the internet. At the moment, it’s not known whether the attackers guessed passwords for admin accounts or exploited the vulnerability in the Centurion software.
Although it’s clear what the Sandworm hackers have as their goal for staying in the French hacking campaign, there is always an alarm whenever Sandworm is involved in an intrusion. This is because of the history of the threat actors, who have used some of the most sophisticated tools to compromise systems.
Joe Slowik, a security researcher at cybersecurity firm DomainTools, stated that “Sandworm is linked with destructive ops.”
One of the most notorious attacks by Sandworm was the NotPetya worm attack, which caused organizations to lose $10 billion.