Posted on February 17, 2021 at 5:10 PM
After the news about the breach involving the Centreon monitoring tool, the developer has come out to shed more light on the incident. The firm indicated that the threat actor succeeded in infiltrating 15 “entities,” none of which were Centreon customers. However, the list of entities includes several blue-chip companies, Centreon stated.
“It is confirmed by ANSSI that no Centreon customers were impacted,” the company stated.
Notably, the hacking campaign affected certain Centreon versions that were used by open-source developers but had been past their end-of-life for at least five years.
Users should update their outdated Centreon software
The firm also said that, before the attack, it had recommended to companies that they not expose the tool’s web interface to the internet. However, it was apparent that the recommendations were not followed.
The company also stated that the incident is not a supply-chain attack, as had been reported. Users still running the older, outdated versions are advised to update to the current versions as soon as possible.
The hackers broke into the organizations by targeting Centreon’s monitoring tool over a period of three years, according to the report by the French regulatory body ANSSI.
However, Centreon did not disclose the names of the 15 entities affected by the attack.
ANSSI did not reveal any information about the hackers’ identity, but said they operated like the Russian cybercrime syndicate popularly known as Sandworm.
Since Centreon specializes in IT monitoring, the incident shows how valuable a company’s monitoring tool can be to threat actors.
The hackers compromised some of the organizations running the monitoring tool and installed malware to carry out silent surveillance.
Centreon protecting its reputation
The Centreon tool was launched in November 2014 and has been regularly updated since to fortify it against threats such as this one.
After the release of the first version, Centreon said it has released eight more major versions, but some companies were still using the first version and other outdated ones. According to Centreon, the hackers only succeeded in breaching those firms still running the outdated versions.
When asked for comment yesterday, the company declined. But to prevent a dent in its reputation, it had to come out with a statement after ANSSI released a report about the hacking incident.
Whenever there is news about a breach involving a piece of software, companies running that software often abandon it and migrate to an alternative they consider safe. The same thing happened after the breach of the SolarWinds Orion IT monitoring platform, when several companies running the software switched to a new monitoring tool.
It’s believed that Centreon’s statement is an attempt to protect its image and reputation in the industry, as it maintains several high-profile customers.
The firm deals with the French Ministry of Justice, Europe’s biggest bank BNP Paribas, telecoms firm Orange, and utility EDF.
The attackers linked to the Sandworm group
The ANSSI report also stated that web hosting companies were the main targets of the attack. The report also revealed that the hackers used the Exaramel multi-platform Trojan, which is also used by the Russian Sandworm threat actors.
Costin Raiu, Director of Global Research at Kaspersky, stated that the Sandworm group is the only hacking group ever seen using the type of Trojan described in the report.
The hackers used a backdoor delivered through a webshell dropped on various servers exposed to the internet. The webshell is P.A.S., version 3.1.4. Additionally, the French watchdog discovered another backdoor with features similar to the ones the security firm ESET had described.
The Exaramel backdoor was discovered by ESET in 2018. After ESET researchers analyzed the backdoor, they concluded it was an upgraded version of the backdoor used in the Industroyer malware, which disrupted Ukraine’s power system in 2016.
The security firm has also confirmed that both the Industroyer and Exaramel backdoors come from the TeleBots APT group, also known as the Sandworm group. This corroborates the French regulator’s statement about the similarities in their operations.
Although the Centreon attack differs from the SolarWinds hack, there are indications that it could be as damaging as the latter, considering the type of companies impacted.