
Sandworm hacker attacked French CENTREON company

Introduction

The French National Cyber Security Agency (ANSSI) has linked a series of intrusions at French IT providers over the past four years to the Sandworm hacker group. On the compromised systems, ANSSI found a backdoor in the form of a web shell that had been planted on several Centreon servers exposed to the Internet.

The web shell was identified as P.A.S. webshell, version 3.1.4. On the same servers, ANSSI found a second backdoor identical to the one previously described by ESET under the name Exaramel.

[Figure: Sandworm Exaramel execution flow]

ANSSI could not determine how the servers were initially compromised, so it is not clear whether the attackers exploited a vulnerability in the Centreon software itself or whether the victims were hit through a supply chain attack.

According to ANSSI, the Sandworm campaign mainly targeted information technology providers, especially web hosting providers. The first known victim dates back to the end of 2017, and the activity continued into 2020.
The victims' networks were all running Centreon, an IT resource monitoring platform developed by the French company Centreon whose role is similar to that of SolarWinds' Orion platform.


ANSSI stated that the attackers targeted Centreon systems that were directly reachable from the Internet. Whether Sandworm exploited a flaw in the software or instead obtained the credentials of an administrator account is currently unknown.

After a successful intrusion, the attackers installed a version of the P.A.S. web shell together with the Exaramel backdoor. Used in combination, these two pieces of malware gave the attackers full control of the infected system and a foothold into adjacent networks. Because this tooling and these steps are rarely seen elsewhere, ANSSI correlated the incident with the advanced persistent threat activity of Sandworm.

The group's previous operations are reported to include the Ukrainian power grid outages of 2015 and 2016, the 2017 NotPetya ransomware outbreak, the disruption of the opening ceremony of the 2018 Pyeongchang Winter Olympics, and the large-scale defacement of websites in Georgia in 2019.
ANSSI also urged French and international organizations to check their Centreon installations for the presence of the P.A.S. web shell and the Exaramel malware. A detection would indicate that the organization was compromised by Sandworm at some point in the past few years.

IOCs

IP address: 176.31.225.204

P.A.S. webshell
MD5: 84837778682450cdca43d1397afd2310
SHA1: c69db1b120d21bd603f13006d87e817fed016667
SHA256: 893750547255b848a273bd1668e128a5e169011e79a7f5c7bb86cc5d7b2153bc

Linux/Exaramel (sample 1)
MD5: 8eff45383a7a0c6e3ea6d526a599610d
SHA1: f74ea45ad360c8ef8db13f8e975a5e0d42e58732
SHA256: c39b4105e1b9da1a9cccb1dace730b1c146496c591ce0927fb035d48e9cb5c0f

Linux/Exaramel (sample 2)
MD5: 92ef0aaf5f622b1253e5763f11a08857
SHA1: a739f44390037b3d0a3942cd43d161a7c45fd7e7
SHA256: e1ff729f45b587a5ebbc8a8a97a7923fc4ada14de4973704c9b4b89c50fd1146
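The following script is an added example of the check ANSSI asked Centreon operators to run; it is not tooling from ANSSI, Centreon or ESET. It walks a directory tree, hashes every regular file with MD5, SHA-1 and SHA-256 in a single pass, and reports any file whose digest matches one of the IOC hashes listed above, then scans web server log lines for the listed IP address. The default scan root (/usr/share/centreon) and log path (/var/log/httpd/access_log) are assumptions about a typical installation, not values from the report; adjust them to your own layout.

```python
"""Hunt for the P.A.S. webshell / Linux/Exaramel IOCs published for the Centreon intrusions.

Added example, not ANSSI's or Centreon's own tooling. Only the hashes and the
IP address come from the IOC list; the default paths are assumptions.
"""
import hashlib
import os
import re
import sys
from typing import Dict, Iterable, List, Tuple

# File hashes copied from the IOC list above, keyed by digest so a lookup works
# regardless of which algorithm produced the match.
IOC_HASHES: Dict[str, str] = {
    "84837778682450cdca43d1397afd2310": "P.A.S. webshell (MD5)",
    "c69db1b120d21bd603f13006d87e817fed016667": "P.A.S. webshell (SHA1)",
    "893750547255b848a273bd1668e128a5e169011e79a7f5c7bb86cc5d7b2153bc": "P.A.S. webshell (SHA256)",
    "8eff45383a7a0c6e3ea6d526a599610d": "Linux/Exaramel sample 1 (MD5)",
    "f74ea45ad360c8ef8db13f8e975a5e0d42e58732": "Linux/Exaramel sample 1 (SHA1)",
    "c39b4105e1b9da1a9cccb1dace730b1c146496c591ce0927fb035d48e9cb5c0f": "Linux/Exaramel sample 1 (SHA256)",
    "92ef0aaf5f622b1253e5763f11a08857": "Linux/Exaramel sample 2 (MD5)",
    "a739f44390037b3d0a3942cd43d161a7c45fd7e7": "Linux/Exaramel sample 2 (SHA1)",
    "e1ff729f45b587a5ebbc8a8a97a7923fc4ada14de4973704c9b4b89c50fd1146": "Linux/Exaramel sample 2 (SHA256)",
}

# Network IOC from the list above.
IOC_IPS = {"176.31.225.204"}

# Assumed defaults for a typical Centreon host; override on the command line.
DEFAULT_SCAN_ROOT = "/usr/share/centreon"
DEFAULT_LOG_PATH = "/var/log/httpd/access_log"


def hash_file(path: str) -> Dict[str, str]:
    """Return {"md5": ..., "sha1": ..., "sha256": ...} for one file, read once in chunks."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def scan_tree(root: str, iocs: Dict[str, str] = IOC_HASHES) -> List[Tuple[str, str, str, str]]:
    """Hash every regular file under root and return (path, algo, digest, label) for IOC matches.

    Symlinks are skipped so a link pointing outside the tree cannot hide or duplicate a hit;
    unreadable files are skipped rather than aborting the whole scan.
    """
    hits: List[Tuple[str, str, str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digests = hash_file(path)
            except OSError:
                continue
            for algo, digest in digests.items():
                label = iocs.get(digest)
                if label:
                    hits.append((path, algo, digest, label))
                    break  # one report per file is enough
    return hits


def find_ioc_ips(lines: Iterable[str], ips: Iterable[str] = IOC_IPS) -> List[Tuple[int, str, str]]:
    """Return (line_number, ip, line) for every log line containing an IOC address as a whole token."""
    patterns = {ip: re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])") for ip in ips}
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(lines, 1):
        for ip, pat in patterns.items():
            if pat.search(line):
                hits.append((lineno, ip, line.rstrip("\n")))
    return hits


if __name__ == "__main__":
    scan_root = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_SCAN_ROOT
    log_path = sys.argv[2] if len(sys.argv) > 2 else DEFAULT_LOG_PATH
    for path, algo, digest, label in scan_tree(scan_root):
        print(f"FILE HIT  {label}: {path} ({algo}={digest})")
    if os.path.isfile(log_path):
        with open(log_path, "r", errors="replace") as fh:
            for lineno, ip, line in find_ioc_ips(fh):
                print(f"LOG HIT   {log_path}:{lineno} contains {ip}: {line}")
```

Hash matching only catches the exact samples ANSSI published; a recompiled P.A.S. or Exaramel build will not match, so treat a clean result as "these specific samples are absent", not as proof the host is clean. Run the scan from a known-good system or a mounted image where possible, since a web shell with write access to the document root can also tamper with the tools used to look for it.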