Hackers exploited Centreon monitoring software to compromise IT providers

Posted at 6:13 AM

Unknown hackers, possibly the Sandworm APT, have been compromising enterprise servers running the Centreon monitoring software for over three years, the French National Cybersecurity Agency (ANSSI) said on Monday.


The intrusion campaign resulted in the breach of several French entities, the agency said. The attackers mostly went after IT providers, and particularly web hosting providers.

Attack details

The hackers compromised internet-exposed Centreon installations to gain access to the underlying servers (running the CentOS operating system), and used that foothold to move laterally through the target organizations’ networks.

“The initial compromise method is not known,” ANSSI analysts noted.

Once on those servers, the hackers deployed two previously known malware families: the P.A.S. (aka Fobushell) webshell and the Linux version of the Exaramel backdoor.

The P.A.S. webshell:

  • Uses encryption to hinder analysis and to enforce access control when deployed on a compromised host
  • Is able to list files, interact with them, create and upload new files
  • Allows attackers to perform specific searches
  • Is able to interact with SQL databases
  • Can create a bind shell on a listening port, open a reverse shell to a remote address supplied as a parameter, and run a network scan to find open ports and listening services on a machine
  • Can attempt to brute force SSH, FTP, POP3, MySQL, MSSQL and PostgreSQL services
  • Can collect information about the compromised host

The Exaramel backdoor is a remote administration tool that encrypts its communication with the C&C server, from which it receives a list of tasks to run (delete or update itself, transfer files from the C&C server to the compromised host and vice versa, run shell commands, produce reports, etc.). Depending on the running environment, it employs different persistence tactics.

Links to Sandworm APT

ANSSI analysts pointed out that the P.A.S. webshell had previously been used by alleged Russian government cyber actors in attacks targeting the 2016 U.S. elections, but that the malware was available for download to anyone. As such, it was accessible to multiple threat actors, they said, and cannot be tied to a specific one.

The Exaramel backdoor, on the other hand, has been analyzed by ESET researchers, who noted similarities between it and the Industroyer malware used by the Telebots (aka Sandworm) attackers.

“Even if this tool can be easily reused, the Command and Control infrastructure was known by ANSSI to be controlled by the intrusion set [i.e., the threat actor],” they added.

“Generally speaking, the intrusion set Sandworm is known to lead consequent intrusion campaigns before focusing on specific targets that fit its strategic interests within the victims pool. The campaign observed by ANSSI fits this behaviour.”

The analysts advised administrators to keep their applications patched, not to expose monitoring systems’ web interfaces to the internet (or at least to restrict access to them), to harden the underlying servers, and to export web server logs and retain them for at least one year.
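The last recommendation pays off only if someone actually looks at the exported logs. The script below is an added example, not code from Help Net Security, ANSSI or Centreon: it parses Apache "combined" access-log lines and flags requests to PHP files that are not part of the application's known file inventory, which is the footprint a dropped PHP webshell such as P.A.S. leaves on a web server. The `KNOWN_PHP` inventory and the `SAMPLE_LOG` lines are constructed for illustration; on a real host the inventory should be generated from the installed package on a known-good system, not typed by hand.

```python
import re
from collections import Counter

# Standard regex for the Apache "combined" log format (referer and
# user-agent are optional so plain "common" format lines also parse).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Hypothetical inventory of PHP entry points shipped with the application.
# Assumption for this example only; build the real list from the package
# manager on a clean install (e.g. listing files of the web package).
KNOWN_PHP = {
    "/centreon/index.php",
    "/centreon/main.php",
    "/centreon/api/index.php",
}

# Constructed sample log lines (RFC 5737 test addresses), not real traffic
# from any incident. The third to fifth lines model an unknown PHP file in
# an image directory being probed and then driven with POST requests.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Feb/2021:09:15:01 +0100] "GET /centreon/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Feb/2021:09:15:09 +0100] "POST /centreon/main.php?p=60901 HTTP/1.1" 200 932 "https://mon.example/centreon/" "Mozilla/5.0"
203.0.113.44 - - [12/Feb/2021:09:16:30 +0100] "GET /centreon/img/ui.php HTTP/1.1" 200 1402 "-" "python-requests/2.25"
203.0.113.44 - - [12/Feb/2021:09:16:41 +0100] "POST /centreon/img/ui.php HTTP/1.1" 200 88 "-" "python-requests/2.25"
203.0.113.44 - - [12/Feb/2021:09:16:55 +0100] "POST /centreon/img/ui.php HTTP/1.1" 200 13992 "-" "python-requests/2.25"
10.0.0.5 - - [12/Feb/2021:09:17:02 +0100] "GET /centreon/api/index.php?action=list HTTP/1.1" 200 2048 "-" "curl/7.68"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def php_path(path):
    """Strip the query string; return the path only if it targets a .php file."""
    p = path.split("?", 1)[0]
    return p if p.lower().endswith(".php") else None


def find_unknown_php(log_text, known=KNOWN_PHP):
    """Return (ip, method, path, status) for every request to a PHP file
    that is not in the known inventory. Requests to known entry points,
    and to non-PHP resources, are ignored."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        p = php_path(rec["path"])
        if p and p not in known:
            hits.append((rec["ip"], rec["method"], p, int(rec["status"])))
    return hits


def summarize(hits):
    """Count successful (HTTP 200) hits per (path, ip, method). Repeated
    POSTs to a single unknown PHP file are the strongest signal, since
    a webshell is driven by POSTed commands rather than browsed once."""
    counts = Counter()
    for ip, method, path, status in hits:
        if status == 200:
            counts[(path, ip, method)] += 1
    return counts


if __name__ == "__main__":
    for (path, ip, method), n in sorted(summarize(find_unknown_php(SAMPLE_LOG)).items()):
        print(f"{n:3d}  {method:4s} {path}  from {ip}")
```

Run against a year of retained logs, the same logic surfaces when an unknown PHP file first appeared and which client addresses drove it, which is exactly the timeline question an investigation into a multi-year intrusion needs answered; a file that is in the inventory but was modified after install needs a separate check (package verification or a file-integrity baseline), since the access log alone cannot show that.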

Additional technical information, detection methods and IoCs can be found in ANSSI’s report.

Was it a supply chain attack?

Though the attackers compromised monitoring software to breach organizations, ANSSI does not say whether this was an instance of supply chain compromise such as the recent SolarWinds one.

“The first victim seems to have been compromised from late 2017. The campaign lasted until 2020,” ANSSI shared.

The agency did not name the victims, but said that most were IT/web hosting providers. On its website, Centreon lists high-profile customers such as the French Ministry of Justice, the French departmental council of Haut-Rhin, several retail companies, telecoms, etc.


from Help Net Security https://ift.tt/37iLRrf
