Russian Hackers Infected Centreon Software With Malware To Target Businesses Worldwide | #RussianHacker

The French Cybersecurity Agency has issued a security advisory, stating that state-sponsored Russian hackers installed a malicious software in Centreon’s IT monitoring tool to target organizations worldwide. Centreon said the hackers targeted an obsolete open-source version of the software which hasn’t been supported for 5 years.

Earlier this week, French National Cybersecurity Agency (ANSSI) said that Centreon, a Paris-headquartered global IT monitoring solutions provider,  and its customers were targeted in a 4-years-long attack campaign perpetrated by state-sponsored Russian hackers. The attacks began in 2017 and involved malicious actors targeting Centreon’s flagship software which is used widely for IT resource monitoring.

According to ANSSI, the malicious hacking campaign seems to be the work of a Russian government-backed entity known as Sandworm. During its investigations into the cyberattacks, the cybersecurity agency discovered the Exaramel backdoor used only by Sandworm APT in previous hacking campaigns.

As described by cybersecurity firm ESET, Exaramel backdoor is used by attackers to establish secure communications with a command and control server through encryption and enables hackers to execute commands remotely.

During its investigations, ANSSI also discovered P.A.S. webshell, a PHP malware previously deployed in the Russian state-sponsored interference of 2016 U.S. elections. But since P.A.S. webshell is available for anyone to download from dark web hacker forums, ANSSI was unable to attribute its deployment to any particular hacker group accurately. Nevertheless, this was clearly an attempt at illegal surveillance of corporations, otherwise known as cyber espionage.

The Centreon IT monitoring software is used by organizations worldwide to monitor applications, networks, and systems. However, the company said that the 4-years-long campaign carried out by Russian hackers only affected 15 users of the I.T. monitoring platform. “According to discussions over the past 24 hours with ANSSI, only about fifteen entities were the target of this campaign, and that they are all users of an obsolete open source version (v2.5.2), which has been unsupported for 5 years,” the company said.

See Also: National Finance Center Targeted by Chinese Actors Using SolarWinds Exploit

Centreon’s customers include Airbus, Air France, Orange, Arcelor Mittal, Euronews, Agence France-Presse (AFP), as well as multiple French government organizations.

“The ANSSI report and our exchanges with them confirm that Centreon did not distribute or contribute to propagate malicious code. This is not a supply chain type attack and no parallel with other attacks of this type can be made in this case,” Centreon said, likely referring to the 2020 SolarWinds hack which resulted in the compromise of systems and networks of hundreds of organizations, including several U.S. Federal departments. 

Centreon Attack TTPs | Source: ANSSI

In its report, ANSSI went out on a limb by accusing the Russian GRU-linked Sandworm APT group in a deviation from its usual non-attribution policy. The Russian GRU was also blamed for an attack on the French TV station TV5Monde in April 2015, forcing it to go off the air. In 2020, six GRU officers were charged by the U.S. Department of Justice with disrupting the 2017 French elections, among other charges.

Let us know if you liked this news on LinkedIn, Twitter, or Facebook. We would love to hear from you!

Original Source link

Leave a Reply

Your email address will not be published. Required fields are marked *

13 − = 5