The French information security agency ANSSI explained in an advisory that this campaign, which is responsible for breaching a number of French organizations, is believed to have begun in late 2017 and continued until 2020, with the attacks particularly affecting web-hosting service providers.
The agency stated that “on compromised systems, ANSSI discovered the presence of a backdoor in the form of a web shell dropped on several Centreon servers exposed to the internet. This backdoor was identified as being the PAS web shell, version number 3.1.4. On the same servers, ANSSI found another backdoor identical to one described by ESET and named Exaramel.”
The Russian hacking group held responsible, which is also known as APT28, TeleBots, Voodoo Bear, and Iron Viking, is believed to be behind some of the most destructive cyberattacks of recent years, including the attack on Ukraine’s power grid in 2016, the NotPetya ransomware outbreak in 2017, and the attack on the Pyeongchang Winter Olympics in 2018.
While the initial attack vector remains unknown at this point, the compromise of victim networks was linked to Centreon, an application and network monitoring software created by a French company of the same name.
Centreon was established in 2005 and has clients including Airbus, Air Caraïbes, ArcelorMittal, BT, Luxottica, Kuehne + Nagel, Ministère de la Justice français, New Zealand Police, PWC Russia, Salomon, Sanofi, and Sephora. It has not been made clear how many or which organizations were breached through the compromise of the software.
ANSSI said that the compromised servers ran the CentOS operating system and that it discovered two different types of malware: a publicly available web shell called PAS, and another known as Exaramel, which Sandworm has used in past attacks since 2018.
The web shell comes equipped with features to handle file operations, search the file system, interact with SQL databases, carry out brute-force password attacks against SSH, FTP, POP3, and MySQL, create a reverse shell, and run arbitrary PHP commands.
Exaramel functions as a remote administration tool capable of executing shell commands and copying files back and forth between an attacker-controlled server and the infected system. It also communicates over HTTPS with its command-and-control (C2) server to retrieve a list of commands to run.
Furthermore, ANSSI’s investigation revealed the use of common VPN services to connect to the web shells, with overlaps in C2 infrastructure linking the incident to Sandworm.
Researchers explained that “The intrusion set Sandworm is known to lead consequent intrusion campaigns before focusing on specific targets that fit its strategic interests within the victim’s pool. The campaign observed by ANSSI fits this behavior.”
In light of the SolarWinds supply-chain attack, it should surprise no one that monitoring systems such as Centreon have become a lucrative target for attackers seeking to gain a foothold and move laterally across victim environments. Unlike that supply-chain compromise, however, the newly disclosed attacks appear to have been carried out by exploiting internet-facing servers running Centreon inside the victims’ networks.
“It is therefore recommended to update applications as soon as vulnerabilities are public and corrective patches are issued,” ANSSI warned. “It is recommended either not to expose these tools’ web interfaces to [the] Internet or to restrict such access using non-applicative authentication.”
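One way to apply ANSSI’s second recommendation, authentication that happens before a request ever reaches the monitoring application, is a reverse proxy enforcing mutual TLS and a network allowlist in front of the Centreon web UI. This is an added example, not configuration from ANSSI or Centreon; the hostname, certificate paths, address range, and loopback port are assumptions.

```nginx
# Added example (not ANSSI's or Centreon's own configuration).
# Weak pattern being replaced: the monitoring UI listening on 0.0.0.0:80 with only
# the application's own login form between the Internet and the PHP code.
server {
    listen 443 ssl;
    server_name monitoring.example.internal;          # assumed hostname

    ssl_certificate     /etc/nginx/tls/server.crt;    # assumed paths
    ssl_certificate_key /etc/nginx/tls/server.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Non-applicative authentication: the client must present a certificate
    # issued by the organisation's internal CA, or the TLS handshake fails and
    # no HTTP request reaches the application at all.
    ssl_client_certificate /etc/nginx/tls/internal-ca.crt;
    ssl_verify_client      on;

    # Defence in depth: only the administration network may connect.
    allow 10.20.0.0/24;                               # constructed example range
    deny  all;

    location / {
        # Centreon's own web server is assumed to be bound to loopback only,
        # so the proxy is the only path to it.
        proxy_pass         http://127.0.0.1:8080;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-For   $remote_addr;
        proxy_set_header   X-Forwarded-Proto https;
        # Pass the verified certificate subject so access can be audited per user.
        proxy_set_header   X-Client-DN       $ssl_client_s_dn;
    }
}

# Catch-all: refuse plain HTTP rather than redirecting unauthenticated traffic.
server {
    listen 80 default_server;
    return 444;
}
```

With this in place, log entries for the UI carry the verified certificate subject, which gives defenders a per-user trail that the application login alone does not provide.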