1/9 The French National Cybersecurity Agency @ANSSI_FR released a report on Hades / Sandworm infecting Centreon servers with a PHP backdoor, followed by deploying the Exaramel Linux backdoor. Some notes:
2/9 Centreon is an IT monitoring software, created by a French company with the same name. Some customers include Accor Hotels, AirFrance / KLM, Airbus, Euronews, Orange and various French gov agencies. No indication any of these were breached.
3/9 The first compromise took place in 2017 and the campaign lasted until 2020. The campaign mostly affected information technology providers, especially web hosting providers. Important: the initial compromise method is not known.
4/9 The attackers rely heavily on the P.A.S. webshell. This would commonly be deployed in the Centreon web server folder, e.g. "/usr/local/centreon/www/search.php", and created by the apache user. In addition to the webshell, attackers also deployed the Exaramel backdoor.
5/9 Exaramel is a multiplatform backdoor; Windows and Linux versions are known to exist. The Linux version is written in Golang. It was first reported by ESET in 2018. On infected systems, @ANSSI_FR found it was created by the apache user, same as the P.A.S. webshell.
6/9 Hades / Sandworm is the only known group that uses Exaramel. Exaramel has code similarities with the Industroyer main backdoor. The report does not include other public links to Hades / Sandworm.
7/9 To manage the backdoors, the attackers used TOR and several VPN services: PRIVATEINTERNETACCESS, EXPRESSVPN and VPNBOOK. They also used some undisclosed IPs that do not appear to be associated with known VPNs or TOR.
8/9 Although the @ANSSI_FR report makes it clear the infection vector is unknown, the details suggest the attackers were more likely exploiting a vulnerability in the Centreon software rather than a supply chain attack. This vulnerability may have been closed in 2020.
9/9 As usual, simple things, such as monitoring for new PHP files and executables, running Yara rules for known malware, or antivirus software, should catch these attacks.
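The "monitor for new PHP files" control above, as an added example (not from the ANSSI report or the thread author): it takes a hash baseline of the PHP files under a web root, then reports any file that is new or changed since the baseline, and notes whether it is owned by the web server account, which is what made the P.A.S. deployment stand out. The Centreon path and the "apache" / "www-data" account names are assumed defaults; the constructed sample files in the usage section stand in for a real web root.

```python
"""Find PHP files added or modified under a web root since a baseline was taken,
and mark the ones owned by the web server account (added example, not ANSSI's tooling)."""
import hashlib
import os
import pwd
import sys
from pathlib import Path


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Return {relative_path: sha256} for every .php file below root.
    Take this from a known-good install and store it off-host."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*.php")) if p.is_file()}


def uids_for(user_names):
    """Resolve account names to uids; names that do not exist on this host are skipped."""
    uids = set()
    for name in user_names:
        try:
            uids.add(pwd.getpwnam(name).pw_uid)
        except KeyError:
            pass
    return uids


def scan_php_files(root, baseline, web_users=("apache", "www-data"), since=None):
    """Compare the PHP files under root with the baseline.

    A file is reported when it is missing from the baseline, its hash differs,
    or (if `since` is given) its mtime is at or after that epoch timestamp.
    Each finding records whether the file is owned by one of `web_users`:
    a web server process normally has no business writing PHP into its own docroot.
    """
    root = Path(root)
    web_uids = uids_for(web_users)
    findings = []
    for p in sorted(root.rglob("*.php")):
        if not p.is_file():
            continue
        rel = str(p.relative_to(root))
        st = p.stat()
        reasons = []
        if rel not in baseline:
            reasons.append("not in baseline")
        elif baseline[rel] != sha256_of(p):
            reasons.append("content changed since baseline")
        if since is not None and st.st_mtime >= since:
            reasons.append("modified after reference time")
        if reasons:
            findings.append({
                "path": rel,
                "uid": st.st_uid,
                "web_owned": st.st_uid in web_uids,  # escalate these first
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    # Usage: python scan_php.py /usr/local/centreon/www   (assumed Centreon docroot)
    # With no baseline file available, every PHP file is listed so a baseline can be cut.
    webroot = sys.argv[1] if len(sys.argv) > 1 else "/usr/local/centreon/www"
    for hit in scan_php_files(webroot, baseline={}):
        flag = "WEB-OWNED" if hit["web_owned"] else "         "
        print(f"{flag} uid={hit['uid']:<6} {hit['path']}  ({', '.join(hit['reasons'])})")
```

Run `build_baseline` once on a clean system and keep the result outside the web root; run `scan_php_files` from cron or a SIEM collector and alert on any finding, treating `web_owned` hits as the highest priority. The owner check is deliberately a flag rather than a filter so that a webshell dropped with a different account is still reported.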
Report and IOCs: https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-005/
You can follow @craiu.