The French National Agency for the Security of Information Systems (ANSSI) revealed a three-year-long operation launched by Sandworm APT against major IT and web hosting providers in France. The ANSSI advisory details that the campaign started back in 2017 and resulted in a series of subsequent breaches, including the compromise of Centreon, a monitoring software company that has its products broadly adopted by French governmental institutions.
Centreon Attack Summary
According to ANSSI, Sandworm hackers penetrated Centreon servers exposed to the Internet. Despite the initial intrusion method remaining unknown, researchers note that adversaries might have exploited a vulnerability in the Centreon products or stolen credentials for administrative accounts.
Centreon breach served as an entry point for threat actors allowing them to hack into other French entities and plant backdoor malware on their networks. Security experts report that all companies compromised during the Sandworm campaign ran the CentOS operating system on their servers.
Despite Centreon software is similar to SolarWinds Orion products, and the Sandworm intrusion has a lot in common with the infamous SolarWinds supply-chain attack, Centreon officials claim that none of its users were impacted during the Sandworm campaign. All the affected organizations used a legacy open source version (v2.5.2) of software released in 2016, which is no longer supported by the vendor. Furthermore, Centreon’s statement clarifies that the security incident was not a supply-chain attack because Sandworm hackers have never used the company’s IT infrastructure to push malicious updates to its customers.
P.A.S Webshell and Exaramel Backdoor
The compromised Centreon servers analyzed by ANSSI revealed the presence of two malware samples identified to be P.A.S web shell and Exaramel backdoor. Both malicious stains have been used by threat actors for covert reconnaissance.
According to the researchers, Sandworm hackers utilized P.A.S (Fobushell) web shell version 3.1.4 to attack their victims. This malicious strain was developed by a Ukrainian student and broadly adopted by different threat actors in their operations. For example, P.A.S web shell has been leveraged in multiple attacks against WordPress sites and used in the malicious activity of Russia-linked hackers aimed to interfere with the 2016 U.S elections. The malware’s impressive functionality allows hackers to list, modify, create, or upload files; interact with SQL databases; search for the specific elements within the compromised host; create bind shell with a listening port; create a reverse shell with a distant address as a parameter; look for open ports and listening services on the machine; perform brute-force attacks; gather data about the compromised system, and more.
Another malicious sample used by Sandworm hackers is Exaramel backdoor. It was initially reported by ESET in 2018, with two existing variants identified. One variant is designed to target Windows users, and the other is used exclusively for Linux systems. In the current malicious operation, Sandworm threat actors relied on the Linux version of the backdoor to perform covert surveillance against their victims. Exaramel is a remote administration tool written in Go. The malware can communicate with the attackers’ command-and-control (C&C) server via HTTPS and perform various tasks set by its operators. Specifically, Exaramel is capable of self-deleting, self-updating, uploading and modifying files, running shell commands, and compiling reports.
Traces to Sandworm Hackers
Russian state-sponsored Sandworm APT group (aka BlackEnergy, Quedagh, Voodoo Bear, Iron Viking, Telebots), which is believed to be a military unit of the GRU, has been active at least since 2009. Sandworm threat actors were involved in lots of major hacking operations conducted on behalf of the Moscow government. For instance, in 2015-2016, Sandworm launched a series of destructive cyber-attacks against the Ukrainian power grid. In 2017 the group stood behind the epoch-making NotPetya campaign. Simultaneously, in 2017 Sandworm initiated a series of spear-phishing attacks against local government entities, political parties, and campaigns in France, including those connected with French President Emmanuel Macron. Also, in 2018 this actor was spotted launching a set of cyber-attacks aimed to interrupt the Winter Olympics.
As reported by Costin Raiu, Director of the Global Research and Analysis Team (GReAT) at Kaspersky Lab, Sandworm is the only group identified to deploy Exaramel backdoor in its malicious operations, which gives a direct indication that Russian APT stands behind Centreon hack.
To identify and proactively react to the malicious activity associated with the Exaramel backdoor, you can download a dedicated Sigma rule from the SOC Prime Team:
The rule has translations to the following platforms:
SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, LogPoint, Humio, RSA NetWitness, FireEye Helix
EDR: Carbon Black
Tactics: Initial Access
Techniques: Exploit Public-Facing Applications (T1190)
Actor: Sandworm Team
Subscribe to Threat Detection Marketplace and reach 90,000+ curated SOC content library that includes rules, parsers and search queries, Sigma and YARA-L rules easily convertible to various formats. Want to develop your own Sigma rules? Join our Threat Bounty Program and get rewarded for your input!