Centreon monitoring software was exploited by hackers to compromise IT providers.
The French National Cybersecurity Agency (ANSSI) announced that unknown hackers compromised enterprise servers running the Centreon monitoring software over a period of three years. The group suspected of being behind the attack is the so-called Sandworm APT.
The agency revealed that the hacking campaign led to several French entities being breached. The attackers mainly targeted web hosting providers and other companies in the IT sector.
Details of the attack
The hackers used publicly accessible Centreon installations to gain access to servers running the CentOS system. Once inside the underlying systems, they used them to distribute malware across the networks of the targeted organizations. ANSSI analysts noted that the initial compromise method used in the attack has not yet been determined.
Once the hackers had entered the compromised Centreon servers, they infected them with the P.A.S. web shell and the Exaramel (Linux) backdoor.
The security analysts have released an advisory for administrators in which they recommend not exposing the monitoring system’s web interface to the internet, or at least restricting access to it. They also advise hardening the underlying systems and servers, and exporting and retaining the server logs for at least a year. Keeping all installed applications patched is another security measure that should be applied.
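The two advisory points that are easiest to check from the outside are whether the web interface is reachable from beyond the management network and whether the retained logs actually show such access. The following script is an added example, not code from the page, from ANSSI or from the Centreon project: it parses web server access logs in the Apache/httpd "combined" format (an assumption; Centreon's web front end is commonly served by httpd, but the page does not say so), keeps only requests to the Centreon web UI path (assumed to be the default `/centreon`), and reports any that originate outside an allow-listed management subnet (the `10.20.0.0/16` range is hypothetical). The sample log lines are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample lines in Apache/httpd "combined" log format.
# They are not real log data from any incident.
SAMPLE_LOG = """\
10.20.1.15 - - [12/Feb/2021:09:14:02 +0100] "GET /centreon/main.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.77 - - [12/Feb/2021:09:15:41 +0100] "POST /centreon/index.php HTTP/1.1" 200 812 "-" "python-requests/2.25"
10.20.1.15 - - [12/Feb/2021:09:16:10 +0100] "GET /centreon/include/core/menu/menu.php HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Feb/2021:09:17:55 +0100] "GET /centreon/ HTTP/1.1" 302 0 "-" "curl/7.64"
203.0.113.77 - - [12/Feb/2021:09:18:03 +0100] "GET /robots.txt HTTP/1.1" 404 196 "-" "python-requests/2.25"
"""

# Hypothetical management subnet from which the monitoring UI may be used.
ALLOWED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

# Assumed URL prefix of the Centreon web interface (the default install path).
UI_PREFIX = "/centreon"

# One line of the "combined" format: client IP, identd, user, [timestamp],
# "METHOD path protocol", status, size, "referer", "user agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


@dataclass(frozen=True)
class Finding:
    """A request to the monitoring UI from outside the allow-listed networks."""
    ip: str
    timestamp: str
    method: str
    path: str
    status: int
    user_agent: str


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_allowed(ip_str, allowed):
    """True if ip_str is a valid address inside one of the allowed networks."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        # Malformed client field: never treat it as trusted.
        return False
    return any(ip in net for net in allowed)


def find_external_ui_access(log_text, allowed=ALLOWED_NETWORKS, ui_prefix=UI_PREFIX):
    """Flag every UI request whose client address is not in the management subnet."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; in practice count these separately
        if not rec["path"].startswith(ui_prefix):
            continue  # not the monitoring UI (e.g. /robots.txt)
        if is_allowed(rec["ip"], allowed):
            continue  # expected administrative access
        findings.append(Finding(rec["ip"], rec["ts"], rec["method"],
                                rec["path"], rec["status"], rec["ua"]))
    return findings


def summarize(findings):
    """Count flagged requests per source address for a quick triage view."""
    counts = {}
    for f in findings:
        counts[f.ip] = counts.get(f.ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_external_ui_access(SAMPLE_LOG)
    for h in hits:
        print(f"{h.timestamp} {h.ip} {h.method} {h.path} -> {h.status} ({h.user_agent})")
    print("per-source counts:", summarize(hits))
```

Any hit from this check means the interface is reachable from outside the intended network, which is exactly the exposure the advisory asks administrators to remove; an empty result over a year of retained logs is the evidence that the restriction has held. Reading logs from files rather than the embedded sample only requires passing the file contents to `find_external_ui_access`.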
The compromise of Centreon’s monitoring software is reminiscent of the recent attack on SolarWinds’ Orion software. However, it has not been confirmed that this is another instance of a supply chain compromise.
ANSSI shared that the first victim of Centreon’s software attack was compromised back in 2017. According to their information, the malicious campaign lasted until 2020.
The agency has not publicly named the identified victims of the attack but has noted that the majority of them were providers of IT/web hosting services. Centreon lists high-profile customers on its website, including the French Ministry of Justice, the Haut-Rhin French Council Departmental, retail companies, and telecoms.
More details, including information about detection methods and IoCs, are available at the following link.