Sandworm hacker attacked French CENTREON company

The French National Cyber Security Agency (ANSSI) has attributed a series of intrusions into French IT providers over the past four years to the Sandworm hacker group. On the compromised systems, ANSSI found a backdoor in the form of a webshell planted on several Internet-exposed Centreon servers.

The backdoor was identified as the PAS webshell, version 3.1.4. On the same servers, ANSSI found a second backdoor identical to the one previously described by ESET under the name Exaramel.

Figure: Sandworm Exaramel execution flow

ANSSI could not determine how the servers were compromised, so it remains unclear whether Sandworm exploited a vulnerability in the Centreon software or whether the victims suffered a supply chain attack. The organizations most affected by this large-scale campaign are information technology providers, especially web hosting providers.

ANSSI officials said that the Sandworm attacks mainly targeted information technology providers, especially web hosting service providers. The first known victim dates back to the end of 2017, and the activity continued until 2020.
All of the victims' networks ran Centreon, an IT resource monitoring platform developed by the French company CENTREON whose function is similar to SolarWinds' Orion platform.

ANSSI stated that the attackers targeted Internet-facing Centreon systems. Whether Sandworm exploited a flaw in the software or obtained the login credentials of an administrator account is currently unknown.

After a successful intrusion, the attackers installed a specific version of the PAS webshell together with the Exaramel backdoor Trojan. Working in combination, these two pieces of malware allowed the hackers to take full control of the infected system and its adjacent networks. Because of the distinctive steps taken by the attackers, ANSSI linked this incident to the advanced persistent threat activity of Sandworm.

The group's previous operations reportedly include the power grid outages of 2015 and 2016, the 2017 NotPetya ransomware outbreak, the attack on the opening ceremony of the 2018 Pyeongchang Winter Olympics, and the large-scale website defacements in Georgia in 2019.
ANSSI also warned and urged French and international organizations to check their Centreon installations for the presence of the PAS webshell and the Exaramel backdoor. Finding either indicates that the organization has been compromised by Sandworm within the past few years.