French cybersecurity agency warns of intrusion campaign targeting Centreon

By Maria Henriquez
February 18, 2021

ANSSI, the French cybersecurity agency, has reported an intrusion campaign targeting the Centreon monitoring software, distributed by the French company CENTREON, which resulted in the breach of several French entities. The first victim appears to have been compromised in late 2017, and the campaign lasted until 2020.

This campaign mostly affected information technology providers, especially web hosting providers. On compromised systems, ANSSI discovered a backdoor in the form of a webshell dropped on several internet-exposed Centreon servers. This backdoor was identified as the P.A.S. webshell, version 3.1.4.

On the same servers, ANSSI found another backdoor identical to one described by ESET and named Exaramel. This campaign bears several similarities with previous campaigns attributed to the intrusion set named Sandworm. "Generally speaking, the intrusion set Sandworm is known to lead consequent intrusion campaigns before focusing on specific targets that fit its strategic interests within the victims pool. The campaign observed by ANSSI fits this behavior."

In its report, ANSSI provides recommendations and detection methods, as well as technical information detailing the campaign: targeted systems, detailed malware code analysis, infrastructure, tactics, techniques and procedures, and links to the intrusion set Sandworm.

According to Bloomberg, a spokesman for the Russian government, Dmitry Peskov, says suggestions that the attack was connected to Russia are "absurd. Russia did not have, does not have and cannot have any involvement in any cybercrime."

On its website, Centreon lists customers such as Airbus, Agence France Press, Euronews, Orange, Lacoste, Sephora, ArcelorMittal, Total, SoftBank, Air France KLM, and several French government agencies and city governments.

The French company later confirmed the hack, saying no Centreon customers were impacted: "According to discussions over the past 24 hours with ANSSI, only about fifteen entities were the target of this campaign, and they are all users of an obsolete open source version (v2.5.2), which has been unsupported for 5 years."

Brandon Hoffman, Chief Information Security Officer at Netenrich, a San Jose, Calif.-based provider of IT, cloud, and cybersecurity operations and services, says, “The targeting of Centreon software as an intrusion point into organizations feels very much like the SolarWinds issue of late. Tying this back to Russia also provides strong correlation that third party software vendors have been a primary attack vector for Russian agencies spanning the past couple of years. The fact that both of these attacks, SolarWinds and Centreon, went undetected for so long speaks to the importance of strengthening third party security concerns as well as deeper reviews of detection measures. In both cases there was re-use of malware that was previously known, meaning even if the initial vector was novel, at some point the detection tools and methodologies should have picked something up, especially over YEARS of adversaries being resident on systems.”

Oleg Kolesnikov, VP of Threat Research at Securonix, on the other hand, says, “It’s tempting to compare the Centreon and SolarWinds attacks since both are similar in functionality, but Centreon seems to be a victim of internet-exposed systems rather than a supply chain breach. What’s telling is how the attackers used the P.A.S. web shell and Exaramel backdoor to take control over the Centreon system and its adjacent network. We’ve seen a spike in the past year with attack techniques that find ways to blend in with legitimate enterprise activity, including both applications and user activity, and network activity associated with privacy-protected protocols and technologies, to evade both network-based and endpoint-based defenses more effectively. The fact that this attack stayed undetected for so long goes to show the importance of incorporating the ‘Watching the watchers’ approach as part of your detection-in-depth security defense strategy as well as the danger and the reality that there are likely many more of these latent threats in our networks yet to be uncovered than those we know about.”

Dirk Schrader, Global Vice President at New Net Technologies (NNT), a Naples, Fla.-based provider of cybersecurity and compliance software, explains, “Given that the attacks started back in 2017, it seems fair to assume that this one is a predecessor, an earlier version of what happened to SolarWinds, testing the idea of an upstream attack. But there are also differences, as the attackers were targeting outdated versions of the solution, no longer supported by the company Centreon. That puts the 15 victims into the spotlight as well, as they failed to follow up on recommended cyber hygiene, given that the likely candidates used for the initial access are vulnerabilities known since 2014 (CVE-2014-3829 and CVE-2014-3828). This incident should also be seen as a reminder that having essential controls in place will help an organization to detect unwanted change like the dropping of a webshell. In addition, device and application hardening guidelines like those published by CIS can be a good defense, especially when monitored in an automated fashion.”

Andrew Barratt, Managing Principal, Solutions and Investigations at Coalfire, a Westminster, Colo.-based provider of cybersecurity advisory services, notes, “We’ve seen similar campaigns to this on a smaller level, targeting specific industry segments like retail and hospitality. Typically these have been crime-orientated with a focus on payment data or personal information. Whilst the U.S. political angst with Russia is well known, central Europe has typically been much more pro-Russia than the U.S. Germany has made signals towards supporting Russian gas pipelines, whereas Macron’s position for France is more aligned with US foreign policy and not to increase reliance on Russian gas.”

Barratt adds, “This style of attack shows just how vulnerable everyone is to attacks on vendors whose software requires routine patching and software updates. There is an inherent challenge with analyzing these, as in many cases our software vendors typically are heavily trusted. Longer term it may well require additional verification signatures to be used; the challenge with this is that if the intruders are already manipulating source code, they may well evade the signature process too. What it does show is the real need for more advanced threat modelling as part of security testing rather than a vanilla ‘can someone break in’ mentality.”

According to Douglas Murray, CEO at Valtix, a Santa Clara, Calif.-based provider of cloud native network security services, “hackers are clearly targeting software products that enterprises use and this is a trend that is only accelerating. We are seeing customers bringing in services in response to events such as Centreon Sandworm, and to solve for pain associated with new threat vectors. The key lies in a defense in depth approach of automating security that makes it much more challenging for attackers who are currently pivoting on one-off exploits.”

“DevOps teams for software providers must take a serious look at their security practices in order to avoid a supply chain hack. IT security teams need to secure their infrastructure and networks through cyber hygiene best practice and vulnerability remediation,” suggests Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber.

Maria Henriquez is a former Associate Editor of Security. She covered topics including cybersecurity and physical security, risk management and more.