Tuesday, 16 February 2021 07:03

Intrusion campaign using French software claimed to have Russian links Featured

0
Shares
By
Image by Amber Clay from Pixabay

An intrusion campaign which targets monitoring software from the French company CENTREON has been reported to have breached several French institutions between late 2017 and 2020. The systems that were hit were running CentOS, a free version of Red Hat's Enterprise Linux distribution.

The claim was made by France's National Agency for the Security of Information Systems (Agence Nationale de la Sécurité des Systèmes d’Information or ANSSI), which linked the attacks to a group known as Sandworm, because of a similar intrusion set.

The agency defined an intrusion set as "the sum of tools, tactics, techniques, procedures and characteristics used by one or more actors within one or more campaigns".

"Generally speaking, the intrusion set Sandworm is known to lead consequent intrusion campaigns before focusing on specific targets that fits its strategic interests within the victims pool. The campaign observed by ANSSI fits this behaviour," the French agency wrote.

It did not provide any victims' names, but merely said the campaign had mostly affected IT providers, especially Web hosting providers.

The allegations about Sandworm were made by the US Department of Justice in October 2020, with claims that the group comprised six individuals, "all of whom were residents and nationals of the Russian Federation and officers in Unit 74455 of the Russian Main Intelligence Directorate, a military intelligence agency of the General Staff of the Armed Forces".

These six men were said to have "engaged in computer intrusions and attacks intended to support Russian Government efforts to undermine, retaliate against, or otherwise destabilise: (1) Ukraine; (2) Georgia; (3) elections in France; (4) efforts to hold Russia accountable for its use of a weapons-grade nerve agent, Novichok, on foreign soil; and (5) the 2018 PyeongChang Winter Olympic Games after Russian athletes were banned from participating under their nation’s flag, as a consequence of Russian Government-sponsored doping effort".

ANSSI said the attackers used a webshell known as P.A.S. and a backdoor known as Exaramel to attack the systems, which were compromised between late 2017 and 2020, the agency said in a detailed blog post. CENTREON's software, known as Centreon, is used to monitor applications, networks and systems and there are versions for both Windows and Linux.

"On compromised systems, ANSSI discovered the presence of a backdoor in the form of a webshell dropped on several Centreon servers exposed to the Internet," the agency wrote.

"This backdoor was identified as being the P.A.S. webshell, version number 3.1.4. On the same servers, ANSSI found another backdoor identical to one described by [Slovakian security firm] ESET and named Exaramel."

ANSSI said it was not aware of the initial vector for the compromise. The blog post provided detailed breakdowns of how both P.A.S and Exaramel work.

The agency also released a separate document linking to a list of indicators of compromise, a list of Snort rules and a list of YARA rules to help those looking for infections.

"Monitoring systems such as Centreon need to be highly intertwined with the monitored information system and therefore are a prime target for intrusion sets seeking lateralisation," the post said. "It is recommended either not to expose these tools’ Web interfaces to the Internet or to restrict such access using non-applicative authentication (TLS client certificate, basic authentication on the Web server)."


Subscribe to ITWIRE UPDATE Newsletter here

GRAND OPENING OF THE ITWIRE SHOP

The much awaited iTWire Shop is now open to our readers.

Visit the iTWire Shop, a leading destination for stylish accessories, gear & gadgets, lifestyle products and everyday portable office essentials, drones, zoom lenses for smartphones, software and online training.

PLUS Big Brands include: Apple, Lenovo, LG, Samsung, Sennheiser and many more.

Products available for any country.

We hope you enjoy and find value in the much anticipated iTWire Shop.

ENTER THE SHOP NOW!

INTRODUCING ITWIRE TV

iTWire TV offers a unique value to the Tech Sector by providing a range of video interviews, news, views and reviews, and also provides the opportunity for vendors to promote your company and your marketing messages.

We work with you to develop the message and conduct the interview or product review in a safe and collaborative way. Unlike other Tech YouTube channels, we create a story around your message and post that on the homepage of ITWire, linking to your message.

In addition, your interview post message can be displayed in up to 7 different post displays on our the iTWire.com site to drive traffic and readers to your video content and downloads. This can be a significant Lead Generation opportunity for your business.

We also provide 3 videos in one recording/sitting if you require so that you have a series of videos to promote to your customers. Your sales team can add your emails to sales collateral and to the footer of their sales and marketing emails.

See the latest in Tech News, Views, Interviews, Reviews, Product Promos and Events. Plus funny videos from our readers and customers.

SEE WHAT'S ON ITWIRE TV NOW!

BACK TO HOME PAGE
Published in Security
Tagged under
Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.

Latest from Sam Varghese

Related items

More in this category: « Watch out for fake CommBank phishing SMS
Share News tips for the iTWire Journalists? Your tip will be anonymous
back to top