The French security agency ANSSI recently warned of a series of attacks targeting Centreon monitoring software used by multiple French organizations and attributes them to the Russia-linked Sandworm APT group.
The first attack spotted by ANSSI experts dates back to the end of 2017 and the campaign continued until 2020. Threat actors mainly targeted IT service providers, particularly web hosting.
“ANSSI was informed of a campaign of compromise affecting several French entities. This campaign targeted Centreon monitoring software , published by the company of the same name.” reads the alert issued by the ANSSI.
“The first compromises identified by ANSSI date from the end of 2017 and continued until 2020. This campaign mainly affected IT service providers, particularly web hosting.”
Expert at the ANSSI observed that the threat actors deployed a webshell on the compromised Centreon servers that were exposed on the internet, along with a backdoor dubbed Exaramel first spotted by ESET researchers in 2018.
Now the French software vendor announced that its paid customers were not impacted by the cyber attack.
According to Centreon, the attack only impacted organizations that downloaded the open-source version of the Centreon app.
The company pointed out that threat actors targeted obsolete versions of Centreon’s open-source software, the most recent version concerned by this campaign is version 2.5.2, which is no longer supported for more than 5 years. Centreon also added that the software has apparently also been deployed without respect for the security of servers and networks, including connections outside the entities concerned.
“Since this version, Centreon has released 8 major versions. Centreon recalls the importance of complying with ANSSI IT Health guidelines and recommendations for installing and securing software.” reads a press release published by the software vendor. “It is confirmed by ANSSI that no Centreon customers were impacted. According to discussions over the past 24 hours with ANSSI, only about fifteen entities were the target of this campaign, and that they are all users of an obsolete open source version (v2.5.2), which has been unsupported for 5 years.”
Centreon determined that only about fifteen entities using the obsolete open source version (v2.5.2) were hit by these attacks.
The company highlighted that the recent campaign is not a supply chain attack and could not be compared with such kind of incidents, including the SolarWinds hack.
ANSSI experts believed that the campaign is no more active.
“Centreon recommends that all users who still have an obsolete version of its open source software in production update it to the latest version or contact Centreon and its network of certified partners.” recommeds the company.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, ANSSI)