ANSSI, the French cybersecurity agency, has reported an intrusion campaign targeting the monitoring software Centreon, distributed by the French company CENTREON, which resulted in the breach of several French entities. The first victim appears to have been compromised in late 2017; the campaign lasted until 2020.
This campaign mostly affected information technology providers, especially web hosting providers. On compromised systems, ANSSI discovered the presence of a backdoor in the form of a webshell dropped on several Centreon servers exposed to the internet. This backdoor was identified as being the P.A.S. webshell, version number 3.1.4.
On the same servers, ANSSI found another backdoor identical to one described by ESET and named Exaramel. This campaign bears several similarities with previous campaigns attributed to the intrusion set named Sandworm. "Generally speaking, the intrusion set Sandworm is known to lead consequent intrusion campaigns before focusing on specific targets that fit its strategic interests within the victims pool. The campaign observed by ANSSI fits this behavior."
In a report, ANSSI provides recommendations and detection methods, as well as technical information detailing this campaign: targeted systems, detailed malware code analysis, infrastructure, tactics, techniques and procedures, and links with the intrusion set Sandworm.
According to Bloomberg, a spokesman for the Russian government, Dmitry Peskov, says suggestions that the attack was connected to Russia are "absurd. Russia did not have, does not have and cannot have any involvement in any cybercrime."
On its website, Centreon lists customers such as Airbus, Agence France Press, Euronews, Orange, Lacoste, Sephora, ArcelorMittal, Total, SoftBank, Air France KLM, and several French government agencies and city governments.
The French company later confirmed the hack, saying no Centreon customers were impacted. "According to discussions over the past 24 hours with ANSSI, only about fifteen entities were the target of this campaign, and they are all users of an obsolete open source version (v2.5.2), which has been unsupported for 5 years."
Brandon Hoffman, Chief Information Security Officer at Netenrich, a San Jose, Calif.-based provider of IT, cloud, and cybersecurity operations and services, says, “The targeting of Centreon software as an intrusion point into organizations feels very much like the SolarWinds issue of late. Tying this back to Russia also provides strong correlation that third party software vendors have been a primary attack vector for Russian agencies spanning the past couple of years. The fact that both of these attacks, SolarWinds and Centreon, went undetected for so long speaks to the importance of strengthening third party security concerns as well as deeper reviews of detection measures. In both cases there was re-use of malware that was previously known. Meaning even if the initial vector was novel, at some point the detection tools and methodologies should have picked something up, especially over YEARS of adversaries being resident on systems.”
Oleg Kolesnikov, VP of Threat Research at Securonix, on the other hand, says, “It’s tempting to compare the Centreon and SolarWinds attacks since both are similar in functionality, but Centreon seems to be a victim of internet-exposed systems rather than a supply chain breach. What’s telling is how the attackers used the P.A.S. web shell and Exaramel backdoor to take control over the Centreon system and its adjacent network. We’ve seen a spike in the past year with attack techniques that find ways to blend in with legitimate enterprise activity, including both applications and user activity, and network activity associated with privacy-protected protocols and technologies, to evade both network-based and endpoint-based defenses more effectively. The fact that this attack stayed undetected for so long goes to show the importance of incorporating the ‘Watching the watchers’ approach as part of your detection-in-depth security defense strategy as well as the danger and the reality that there are likely many more of these latent threats in our networks yet to be uncovered than those we know about.”
Dirk Schrader, Global Vice President at New Net Technologies (NNT), a Naples, Fla.-based provider of cybersecurity and compliance software, explains, “Given that the attacks started back in 2017, it seems fair to assume that this one is a predecessor, an earlier version of what happened to SolarWinds, testing the idea of an upstream attack. But there are also differences as the attackers were targeting outdated versions of the solution, no longer supported by the company Centreon. That puts the 15 victims into the spotlight as well, as they failed to follow up on recommended cyber hygiene, given that the likely candidates used for the initial access are vulnerabilities known since 2014 (CVE-2014-3829 and CVE-2014-3828). This incident should also be seen as a reminder that having essential controls in place will help an organization to detect unwanted change like the dropping of a webshell. In addition, device and application hardening guidelines like those published by CIS can be a good defense, especially when monitored in an automated fashion.”
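The "essential control" Schrader refers to, detecting an unexpected file such as a webshell appearing under an internet-exposed web root, is in practice a file-integrity baseline. The script below is an added example, not code from ANSSI, Centreon or any of the quoted vendors: it hashes every file under a document root, compares a later snapshot against the saved baseline, and flags server-side script files that were added or changed outside a deployment. The `WEB_ROOT` path, the list of script suffixes and the files created in `demo()` are assumptions constructed for illustration.

```python
"""File-integrity baseline for a web root, to catch dropped or altered scripts.

Added example (not from the ANSSI report or Centreon). WEB_ROOT is an
assumed placeholder; point it at the real document root of the server.
"""
import hashlib
import json
import sys
import tempfile
from pathlib import Path

WEB_ROOT = "/var/www/html"  # assumption: adjust to the monitored document root

# Suffixes the web server (or a CGI handler) would execute; assumed list.
EXECUTABLE_SUFFIXES = {".php", ".phtml", ".php5", ".cgi", ".pl", ".py", ".sh"}


def build_baseline(root):
    """Return {relative_path: sha256_hex} for every regular file under root.

    Symlinks are skipped so a link pointing outside the root cannot make the
    baseline read (or hash) files it was never meant to cover.
    """
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            baseline[str(path.relative_to(root))] = digest
    return baseline


def diff_baseline(old, new):
    """Classify paths as added, removed or modified between two baselines."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in old.keys() & new.keys() if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}


def suspicious(changes):
    """Executable files that appeared or changed since the baseline.

    A new or rewritten script in a web root that should only change during a
    planned deployment is exactly the event a webshell drop produces, so these
    are the entries an operator should review first.
    """
    candidates = changes["added"] + changes["modified"]
    return sorted(p for p in candidates
                  if Path(p).suffix.lower() in EXECUTABLE_SUFFIXES)


def demo():
    """Constructed scenario: a known-good tree, then an unexpected change."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php echo 'ok'; ?>\n")
        (root / "css").mkdir()
        (root / "css" / "site.css").write_text("body { margin: 0 }\n")
        before = build_baseline(root)

        # Simulated unexpected change: a new script file and an edited stylesheet.
        (root / "css" / "x.php").write_text("<?php /* constructed placeholder */ ?>\n")
        (root / "css" / "site.css").write_text("body { margin: 1px }\n")
        after = build_baseline(root)

        changes = diff_baseline(before, after)
        return changes, suspicious(changes)


if __name__ == "__main__":
    # Usage:  python fim.py baseline <root> > baseline.json
    #         python fim.py check <root> baseline.json
    if len(sys.argv) >= 3 and sys.argv[1] == "baseline":
        print(json.dumps(build_baseline(sys.argv[2]), indent=2))
    elif len(sys.argv) >= 4 and sys.argv[1] == "check":
        saved = json.loads(Path(sys.argv[3]).read_text())
        changes = diff_baseline(saved, build_baseline(sys.argv[2]))
        print(json.dumps({"changes": changes, "review_first": suspicious(changes)}, indent=2))
    else:
        changes, flagged = demo()
        print(json.dumps({"changes": changes, "review_first": flagged}, indent=2))
```

Store the baseline somewhere the web server's account cannot write (a separate host or a read-only mount), regenerate it only as part of a deployment, and run the check on a schedule; a baseline that the compromised process can rewrite gives no assurance. The suffix list is a triage aid, not a filter: any unexplained change in the root deserves a look, which is why `diff_baseline` reports everything and `suspicious` only orders the review.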
Andrew Barratt, Managing Principal, Solutions and Investigations at Coalfire, a Westminster, Colo.-based provider of cybersecurity advisory services, notes, “We’ve seen similar campaigns to this on a smaller level, targeting specific industry segments like retail and hospitality. Typically these have been crime-orientated with a focus on payment data or personal information. Whilst the U.S. political angst with Russia is well known, central Europe has typically been much more pro-Russia than the U.S. Germany has made signals towards supporting Russian gas pipelines whereas Macron’s position for France is more aligned with US foreign policy and not to increase reliance on Russian gas.”
Barratt adds, “This style of attack shows just how vulnerable everyone is to attacks on vendors whose software requires routine patching and software updates. There is an inherent challenge with analyzing these as in many cases our software vendors typically are heavily trusted. Longer term it may well require additional verification signatures to be used – the challenge with this is that if the intruders are already manipulating source code, they may well evade the signature process too. What it does show is the real need for more advanced threat modelling as part of security testing rather than a vanilla ‘can someone break in’ mentality.”
According to Douglas Murray, CEO at Valtix, a Santa Clara, Calif.-based provider of cloud native network security services, “hackers are clearly targeting software products that enterprises use and this is a trend that is only accelerating. We are seeing customers bringing in services in response to events such as Centreon Sandworm, and to solve for pain associated with new threat vectors. The key lies in a defense in depth approach of automating security that makes it much more challenging for attackers who are currently pivoting on one-off exploits.”
"DevOps teams for software providers must take a serious look at their security practices in order to avoid a supply chain hack. IT security teams need to secure their infrastructure and networks through cyber hygiene best practice and vulnerability remediation," suggests Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber.