
France Says Russian State Hackers Targeted IT Monitoring Firm Centreon's Servers in Years-Long Campaign (zdnet.com)

France's cyber-security agency said that a group of Russian military hackers, known as the Sandworm group, has been behind a three-year-long operation during which they breached the internal networks of several French entities running the Centreon IT monitoring software. From a report: The attacks were detailed in a technical report released today by the Agence Nationale de la Sécurité des Systèmes d'Information, also known as ANSSI, the country's main cyber-security agency. "This campaign mostly affected information technology providers, especially web hosting providers," ANSSI officials said today. "The first victim seems to have been compromised from late 2017. The campaign lasted until 2020." The point of entry into victim networks was linked to Centreon, an IT resource monitoring platform developed by the French company CENTREON, and a product similar in functionality to SolarWinds' Orion platform. ANSSI said the attackers targeted Centreon systems that were left connected to the internet. The French agency couldn't say at the time of writing whether the attacks exploited a vulnerability in the Centreon software or whether the attackers guessed passwords for admin accounts. However, in the case of a successful intrusion, the attackers installed a version of the P.A.S. web shell and the Exaramel backdoor trojan, two malware strains that, when used together, allowed the hackers full control over the compromised system and its adjacent network.
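The summary says the intrusions ended with a PHP web shell dropped on an internet-exposed Centreon server. As an added illustration (not from the article or the ANSSI report), this script shows the kind of hunt a defender would run over such a web root: it flags PHP files that the installed packages never shipped (the manifest would come from `rpm -ql` on a real CentOS host) and reports heuristic web-shell indicators. The indicator list, the directory layout and the sample files are all constructed for the example.

```python
import re
from pathlib import Path
from tempfile import TemporaryDirectory

# Heuristic PHP web-shell indicators (constructed for this example; not signatures
# taken from the ANSSI report).  The key is the reason string reported per file.
INDICATORS = {
    "eval-of-decoded-blob": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    "eval-of-request-input": re.compile(r"eval\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b"),
    "shell-exec-of-request-input": re.compile(
        r"\b(?:system|passthru|shell_exec|exec|popen)\s*\(\s*\$_(?:POST|GET|REQUEST)\b"),
    "long-base64-literal": re.compile(r"['\"][A-Za-z0-9+/]{400,}={0,2}['\"]"),
}

def scan_file(path: Path) -> list[str]:
    """Return the names of every indicator that matches the file's content."""
    text = path.read_text(errors="replace")
    return [name for name, rx in INDICATORS.items() if rx.search(text)]

def hunt_webroot(webroot: Path, manifest: set[str]) -> dict[str, list[str]]:
    """Walk the web root and report PHP files that are not in the package manifest
    (relative POSIX paths, e.g. from `rpm -ql` of the installed packages), plus any
    indicator hits.  An unknown file is reported even with no hits, because a dropped
    web shell is, first of all, a file the package never shipped."""
    findings = {}
    for path in sorted(webroot.rglob("*.php")):
        rel = path.relative_to(webroot).as_posix()
        hits = scan_file(path)
        if rel not in manifest:
            hits.insert(0, "not-in-package-manifest")
        if hits:
            findings[rel] = hits
    return findings

def demo() -> dict[str, list[str]]:
    """Constructed web root: two packaged files and one dropped file whose
    eval(base64_decode(...)) argument decodes to 'ABC', i.e. it is not runnable PHP."""
    with TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "include").mkdir()
        (root / "index.php").write_text("<?php require 'include/helper.php';\n")
        (root / "include" / "helper.php").write_text("<?php function ok() { return 1; }\n")
        (root / "include" / "cache.php").write_text('<?php $k = "QUJD"; eval(base64_decode($k));\n')
        manifest = {"index.php", "include/helper.php"}
        return hunt_webroot(root, manifest)

if __name__ == "__main__":
    for rel, reasons in demo().items():
        print(rel, "->", ", ".join(reasons))
```

On a real host the manifest step is what catches a freshly dropped file even when its code matches none of the heuristics, so the two checks are deliberately kept independent.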
  • Is there anywhere they can't get to?
  • Yep (Score:5, Insightful)

    by dohzer ( 867770 ) on Tuesday February 16, 2021 @03:04AM (#61067872)

    I came in here expecting to find posts written by Russians saying "nothing to see here", and I wasn't disappointed.

    • by khchung ( 462899 )

      I came in here expecting to find posts written by Russians saying "nothing to see here", and I wasn't disappointed.

      Well, that's their job, isn't it?

      At least, that's what I saw when there was news about the CIA hacking foreign companies or NSA spying on everyone.

  • It's on! (Score:5, Interesting)

    by Slayer ( 6656 ) on Tuesday February 16, 2021 @03:08AM (#61067878)

    I was about to dismiss this story as "ok, yet another compromise of corporate Windows networks", but this does not seem to be the case here. The targeted system here is Centreon [centreon.com], a CentOS (i.e. Linux) based network monitoring tool. In my opinion this attack is nothing like the SolarWinds attack:

    1. SolarWinds was completely owned by the hackers, and even companies with properly set up systems were affected. No such claim was made regarding Centreon. In this attack the affected system had to be exposed to the internet, which is questionable practice at best.
    2. The Centreon hack lasted for three whole years, which is quite a long time for such an unsophisticated but widespread attack. Linuxers may have to become more vigilant soon ...
    3. At least the product overview suggests that Centreon is just monitoring software, not network management software. For all practical purposes this gives the hackers read, but not write, access to the network. Obviously they could stack further exploits to obtain full control, but that's an extra step with its own risks.
    4. The back doors installed by the Centreon hackers were quite easy to spot; no real effort was made to hide them or anything. This tells me that the primary target of this attack were imbeciles running the software, not professionals.

    BTW, for all those who were turned away by the French summary [ssi.gouv.fr] of the report: the full report [ssi.gouv.fr] is in English.

    • For those wondering, the entry point was the Centreon proprietary Web application. While it is running on CentOS, it wasn't an operating system vulnerability that was exploited. It was yet another poorly written Web application.

      • by Slayer ( 6656 )

        They aren't even sure yet whether the web application was buggy or whether the admins just picked an easily guessable password. Whatever happened, such a web app shouldn't have been accessible from the outside anyway, therefore I would point my finger primarily at incompetent admins.

    • This tells me that the primary target of this attack were imbeciles running the software, not professionals.

      You say that like there is any meaningful difference between "imbeciles" and "professionals". 10 years or so ago, I had found several thousand public-facing unprotected JMX consoles through a simple Google search. Those included servers at the JPL. For fun, I tried again 5 years ago and there were still plenty. I wonder how many are left in 2020. I do know there are companies out there still running older JBoss configurations (they either never upgraded from 4.x days or carried over the configurations from

  • If you're an IT monitoring firm and someone gets into your network, mucks around installing back doors and such, and you do not know for, what, a few years,
    you're running a lousy IT company! And your leadership and management suck!
  • Enough with the zdnet neocon cyber BS
