In an incident report, the French National Information Systems Security Agency (Anssi) describes a compromise campaign affecting “IT service providers, in particular web hosting”. It targeted the Centreon supervision software, published by the French company of the same name, from the end of 2017 until 2020.
Centreon offers administrators real-time monitoring of the information system (diagnostics, planning of downtime, etc.) and user access control (definition of access group, monitoring of actions, etc.).
Bolloré, Total, Air France …
The software counts among its users many French companies such as EDF, Orange, Geodis, Amundi, Air France-KLM, Airbus, Total, Accor and the Bolloré group, but also public bodies such as the Ministry of Justice, the RATP and Bordeaux Métropole. Centreon is also used by the North West Hospital of Villefranche-sur-Saône, in the Rhône, which is currently affected by ransomware.
In practice, the attackers installed a “webshell” type backdoor on several Centreon servers exposed to the Internet; a webshell gives remote access to and control of a web server by allowing the execution of arbitrary commands. A second backdoor, Exaramel, was also detected by Anssi.
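Because the report describes the webshell only as a backdoor that lets an operator run arbitrary commands on the web server, a defender's first question is how to find such files on their own hosts. The scanner below is an added example, not code from the article, from Centreon or from Anssi: it walks a web root and flags PHP files in which a command-execution or code-evaluation function is fed from HTTP request input, including the two-step form where the input is first copied into a local variable. The indicator patterns, file names and sample file contents are constructed for this illustration and are not indicators taken from the Anssi report.

```python
import os
import re
import tempfile

# Heuristic webshell indicators (constructed for this example; not the signatures
# from the Anssi report): a command-execution or code-evaluation primitive whose
# argument comes from HTTP request input.
EXEC_FUNCS = r"\b(?:system|exec|shell_exec|passthru|popen|proc_open|eval|assert)\s*\("
REQUEST_VAR = r"\$_(?:GET|POST|REQUEST|COOKIE)\b"

RE_DIRECT = re.compile(EXEC_FUNCS + r"\s*" + REQUEST_VAR, re.IGNORECASE)
RE_DECODED = re.compile(
    r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
    re.IGNORECASE)
RE_ASSIGN = re.compile(r"\$(\w+)\s*=\s*" + REQUEST_VAR + r"\s*\[", re.IGNORECASE)


def webshell_indicators(source: str) -> list[str]:
    """Return the names of the indicators matched by one PHP source text."""
    hits = []
    if RE_DIRECT.search(source):
        hits.append("exec_on_request_input")
    if RE_DECODED.search(source):
        hits.append("eval_of_decoded_blob")
    # Two-step form: request input copied into a variable that is then executed.
    for name in set(RE_ASSIGN.findall(source)):
        if re.search(EXEC_FUNCS + r"\s*\$" + re.escape(name) + r"\b",
                     source, re.IGNORECASE):
            hits.append("exec_on_request_input_via_variable")
            break
    return hits


def scan_webroot(root: str) -> dict[str, list[str]]:
    """Walk a web root and map each flagged PHP file (relative path) to its indicators."""
    flagged = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith((".php", ".phtml", ".php5")):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = webshell_indicators(fh.read())
            if hits:
                flagged[os.path.relpath(path, root)] = hits
    return flagged


def build_sample_webroot() -> str:
    """Create a temporary web root with constructed files: two benign, three suspicious."""
    root = tempfile.mkdtemp(prefix="webroot_")
    files = {
        "index.php": "<?php echo 'Hello'; ?>",
        # Benign use of request input: sanitised and echoed, never executed.
        "contact.php": "<?php $name = htmlspecialchars($_POST['name']); echo $name; ?>",
        "cmd.php": "<?php if (isset($_REQUEST['x'])) { system($_REQUEST['x']); } ?>",
        "upload.php": "<?php $c = $_POST['cmd']; echo shell_exec($c); ?>",
        "img/shell.php": "<?php eval(base64_decode($_GET['p'])); ?>",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, hits in sorted(scan_webroot(build_sample_webroot()).items()):
        print(f"{rel}: {', '.join(hits)}")
```

Run against a real document root, the scan produces a candidate list rather than a verdict: a match is a reason to compare the file against the deployed release and its modification time, and a clean result does not rule out a webshell that obfuscates its function names.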
However, Anssi is not able to say whether these compromises resulted from the exploitation of a vulnerability in the Centreon software or from the attackers obtaining the passwords of administrator accounts.
The modus operandi of a Russian actor
According to Anssi, this incident has “many similarities” with previous campaigns following the “Sandworm” modus operandi. That actor is known for conducting “broad” compromise campaigns and then targeting the most strategic victims.
This modus operandi is traditionally attributed to the Russian secret services. For example, it was used to break into three Ukrainian energy distribution companies in December 2015. That attack left almost half of the 1.4 million inhabitants of the Ivano-Frankivsk region without power for many hours.
Centreon has not reacted yet
In its report, however, Anssi says nothing about the origin of this cyberattack or about the extent of its consequences for client companies. Its press release aims above all to warn companies and organizations that use Centreon software. For its part, the French company, whose head office is in Paris, has not yet reacted to this announcement.