France's national cybersecurity agency ANSSI has disclosed details about an intrusion campaign targeting IT services firms that run the Centreon IT resource monitoring tool. The attacks, which have hit mainly web hosting providers based in France, are thought to have stayed under the radar for up to three years.
“On compromised systems, ANSSI discovered the presence of a backdoor in the form of a webshell dropped on several Centreon servers exposed to the internet. This backdoor was identified as being the P.A.S. webshell, version number 3.1.4. On the same servers, ANSSI found another backdoor identical to one described by ESET and named Exaramel,” said the agency.
Indeed, the latter was discovered and analyzed by ESET researchers in 2018. Exaramel is an upgrade of the backdoor that was at the heart of Industroyer, which caused an hour-long blackout in and around Ukraine’s capital, Kiev, in late 2016. However, ESET detected Exaramel at an organization that is not an industrial facility – similarly to ANSSI, after all. Both Exaramel and Industroyer are the work of the TeleBots (aka Sandworm) APT group, which also unleashed the NotPetya (aka DiskCoder.C) wiper disguised as ransomware in 2017. TeleBots is descended from BlackEnergy, a group whose eponymously named malware was responsible for a power outage that affected a quarter of a million homes in Ukraine in late 2015.
According to ANSSI, the initial attack vector and the purpose of the campaign against firms running Centreon are unclear. While different in nature, the attacks immediately caused concerns about being potentially as damaging as the sweeping SolarWinds hack.
Outdated and unpatched
Soon after the news broke, Centreon, the developer behind the eponymous monitoring tool, threw new light on the issue. The company stressed that the threat actor infiltrated 15 “entities”, but none from the ranks of its numerous customers, many of which are blue-chip companies.
Importantly, the campaign targeted versions of Centreon’s software that are five years past end-of-life and were used by open-source developers, said the firm. Additionally, contrary to the company's recommendations, the tools’ web interfaces were exposed to the internet.
The company denied that this was an example of a supply-chain attack and recommended that all users who still run one of the tool’s obsolete versions should update to a newer and supported version.