France links Russian Sandworm hackers to hosting provider attacks


The French national cyber-security agency has linked a series of attacks that resulted in the breach of multiple French IT providers over a span of four years to the Russian-backed Sandworm hacking group.

ANSSI (short for Agence Nationale de la Sécurité des Systèmes d’Information) has not been able to determine how the servers were compromised.

Therefore, it is not yet clear whether the attackers exploited a vulnerability in the exposed Centreon software or whether the victims were compromised through a supply chain attack.

“The first victim seems to have been compromised from late 2017. The campaign lasted until 2020,” ANSSI said in a report published today.

“This campaign mostly affected information technology providers, especially web hosting providers.”

Backdoors deployed on hacked servers

ANSSI discovered that the attackers deployed Exaramel and PAS web shell (aka Fobushell) backdoors when analyzing compromised servers on the networks of impacted organizations.

To deploy the malicious tools on the victims’ Internet exposed servers, the threat actors targeted the Centreon IT monitoring software.

Centreon’s customer list includes several high-profile organizations including Airbus, Air France KLM, Agence France-Presse (AFP), Euronews, Orange, Arcelor Mittal, Sephora, and even the French Ministry of Justice.

The attackers used public and commercial VPN and anonymization services when connecting to the backdoors, including the Tor network, ExpressVPN, VPNBook, and PrivateInternetAccess (PIA).

According to the French cyber-security agency, the campaign shows several similarities to behavior observed while analyzing previous Sandworm attacks, including broad intrusion campaigns followed by the selection of one victim for further compromise.

ANSSI also said that the command and control infrastructure used by the threat actors to control the malware deployed on victims’ compromised machines was already known to consist of Sandworm-controlled servers.
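The article describes web shells dropped onto Internet-exposed Centreon hosts and then driven over VPN and Tor exits. The following is an added defender-side example, not code from the article or from ANSSI: it scores PHP files under a web root for the combination of attacker-controlled input, an execution sink and decoding routines that web shells typically share, and it flags access-log requests to PHP paths outside a known deployment list. The Centreon paths, file contents and log lines are constructed for illustration, and the "known deployment" list is an assumption the operator would replace with the file inventory of their own install.

```python
"""Hunt for dropped PHP web shells on an exposed monitoring host.

Added example; not from the ANSSI report or the article. Every path,
file body and log line below is constructed for illustration.
"""
import re
import tempfile
from pathlib import Path

# Heuristic: one file that both reads request input AND passes data to a
# code/command execution sink deserves a manual look; product code rarely
# combines the two, and web shells almost always do.
INPUT_SOURCES = re.compile(r"\$_(POST|GET|COOKIE|REQUEST)\s*\[")
EXEC_SINKS = re.compile(
    r"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open|create_function)\s*\(",
    re.I,
)
OBFUSCATION = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)


def score_php_source(text: str) -> int:
    """Return a 0-3 suspicion score for one PHP source file."""
    score = 0
    if INPUT_SOURCES.search(text):
        score += 1
    if EXEC_SINKS.search(text):
        score += 1
    if OBFUSCATION.search(text):
        score += 1
    return score


def find_suspicious_php(web_root: Path, threshold: int = 2) -> list:
    """Walk a web root; return relative paths whose score meets the threshold."""
    hits = []
    for path in sorted(web_root.rglob("*.php")):
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        if score_php_source(text) >= threshold:
            hits.append(path.relative_to(web_root).as_posix())
    return hits


# Apache/nginx "combined" access-log line: client, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_webshell_requests(log_lines, known_php) -> list:
    """Flag requests to .php paths that are not part of the known deployment.

    `known_php` is the set of PHP paths shipped with the product install
    (assumed inventory); any other PHP being executed on an exposed host
    needs an explanation.
    """
    flagged = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        path = m.group("path").split("?", 1)[0]
        if path.endswith(".php") and path not in known_php:
            flagged.append((m.group("ip"), m.group("method"), path, m.group("status")))
    return flagged


def demo():
    """Build a constructed web root plus access log and run both hunts."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "include").mkdir()
        # Constructed benign file: reads input but has no execution sink.
        (root / "index.php").write_text(
            "<?php $host = $_GET['host']; echo htmlspecialchars($host); ?>"
        )
        # Constructed stand-in for a dropped shell: input -> decode -> eval.
        (root / "include" / "cache.php").write_text(
            "<?php eval(base64_decode($_POST['c'])); ?>"
        )
        files = find_suspicious_php(root)

    known = {"/centreon/index.php", "/centreon/main.php"}  # assumed inventory
    log = [  # constructed log lines
        '203.0.113.5 - - [10/Feb/2021:10:01:02 +0100] "GET /centreon/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
        '198.51.100.7 - - [10/Feb/2021:10:03:44 +0100] "POST /centreon/include/cache.php HTTP/1.1" 200 88 "-" "python-requests/2.25"',
        "garbage line that does not parse",
    ]
    return files, find_webshell_requests(log, known)


if __name__ == "__main__":
    suspicious_files, odd_requests = demo()
    print("suspicious files:", suspicious_files)
    print("requests to unexplained PHP paths:", odd_requests)
```

The file scan is deliberately a triage filter rather than a verdict: a score of 2 or more means "open this file", and the threshold can be raised on code bases that legitimately use `exec()`. Cross-referencing the two outputs (a file nobody deployed, plus POSTs to it from a non-browser client) is what turns a hunch into an incident ticket.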

Compromise vector not yet known


“Compromised servers identified by ANSSI ran the CentOS operating system. Centreon was recently updated,” ANSSI added.

“The most recent installation version studied by ANSSI was 2.5.2. The initial compromise method is not known.”

Additionally, the French cyber-security agency was not able to find the Exaramel backdoor binary’s origin.

ANSSI provides indicators of compromise (IOCs) and Yara rules for administrators who want to analyze their systems for signs of intrusion.

Sandworm (also tracked as BlackEnergy and TeleBots) is an elite Russian-backed cyberespionage group active since the mid-2000s, with members believed to be military threat actors who are part of Unit 74455 of the Russian GRU’s Main Center for Special Technologies (GTsST).

This group is linked to the BlackEnergy malware behind the Ukrainian blackouts of 2015 and 2016, and the KillDisk wiper attacks targeting Ukrainian banks.

Sandworm hackers also created the NotPetya ransomware, which inflicted damage worth billions on companies around the world starting in June 2017.

In October 2020, the U.S. Justice Department charged six Sandworm operatives for hacking operations related to the Pyeongchang Winter Olympics, the 2017 French elections, and the NotPetya ransomware attack.


The information is gathered from Bleeping Computer.