[CERT-FR] Sandworm intrusion set campaign targeting Centreon systems
AI Analysis
Technical Summary
The CERT-FR report details a cyber espionage campaign attributed to the Sandworm intrusion set, a well-known advanced persistent threat (APT) group linked to Russian state-sponsored activities. This campaign specifically targets Centreon systems, which are widely used IT infrastructure monitoring solutions deployed primarily on Linux servers. The attack leverages exploitation of public-facing applications (MITRE ATT&CK T1190) to gain initial access, followed by deployment of web shells (T1505.003) to maintain persistence and facilitate remote command execution. The adversaries perform file and directory discovery (T1083) to map the environment and identify valuable data. They also employ deobfuscation and decoding techniques (T1140) to analyze and manipulate files or information, likely to evade detection and understand system configurations. Communication with command and control (C2) servers is conducted over encrypted channels (T1573), using symmetric and asymmetric cryptography (T1573.001 and T1573.002), ensuring stealthy exfiltration of data (T1041). The attackers create or modify system processes (T1543) and Windows services (T1543.003) to establish persistence and facilitate lateral movement. The campaign is confirmed to target Linux systems in Western Europe, with high confidence in the indicators of compromise (IOCs) provided. Although no specific affected versions or patches are noted, the campaign's medium severity rating reflects the moderate threat level posed by this targeted espionage activity. The involvement of multiple threat actors such as Iridium, Telebots, Electrum, and Sandworm indicates a coordinated and persistent effort to compromise Centreon deployments for intelligence gathering or sabotage purposes.
Potential Impact
For European organizations, particularly those relying on Centreon for critical infrastructure monitoring, this campaign poses significant risks. Successful exploitation can lead to unauthorized access to sensitive operational data, disruption of monitoring capabilities, and potential manipulation or destruction of system logs and alerts. This undermines the ability to detect and respond to incidents promptly, increasing the risk of prolonged undetected intrusions. The exfiltration of data over encrypted channels compromises confidentiality, potentially exposing sensitive network and system information to adversaries. The modification of system processes and services can degrade system integrity and availability, impacting business continuity. Given Centreon's widespread use in sectors such as energy, telecommunications, and government within Western Europe, the campaign could affect critical national infrastructure and essential services. The stealthy nature of the attack, combined with the use of sophisticated cryptographic methods and web shells, complicates detection and remediation efforts, increasing the potential for long-term compromise and espionage.
Mitigation Recommendations
European organizations should implement targeted mitigation strategies beyond generic best practices. First, conduct a comprehensive audit of all Centreon deployments, focusing on public-facing instances, to identify and remediate any vulnerabilities or misconfigurations. Employ strict network segmentation to isolate Centreon servers from other critical infrastructure components, limiting lateral movement opportunities. Deploy advanced endpoint detection and response (EDR) solutions capable of identifying web shell activity and anomalous process creation/modification, particularly monitoring for unusual Windows service changes on hybrid environments. Utilize network traffic analysis tools to detect encrypted C2 communications, leveraging behavioral analytics to identify deviations from normal Centreon traffic patterns. Regularly update and harden Centreon installations, applying vendor patches promptly once available, and consider implementing application-layer firewalls or web application firewalls (WAFs) to block exploitation attempts against public-facing interfaces. Enhance logging and monitoring with a focus on file and directory access patterns, and integrate threat intelligence feeds to stay informed on emerging IOCs related to Sandworm and associated groups. Finally, conduct targeted user training for system administrators to recognize signs of compromise and enforce strict access controls and multi-factor authentication (MFA) for all administrative interfaces.
Affected Countries
France, Germany, United Kingdom, Netherlands, Belgium, Italy, Spain
Technical Details
- Uuid: 60118dab-1ab8-40b2-b02b-b6f80aba047c
- Original Timestamp: 1729163268
Indicators of Compromise

Comment

Value | Description
---|---
Backdoors related to Sandworm | —
Exaramel | Cert-IST Malware Name
Fobushell | Cert-IST Malware Name
PAS | Cert-IST Malware Name
P.A.S. | Cert-IST Malware Name
Sandworm Team | Cert-IST Attack Alias
ELECTRUM | Cert-IST Attack Alias
BlackEnergy | Cert-IST Attack Alias

Cert-IST Description:

These IOCs come from an ANSSI report (CERTFR-2021-CTI-004) published on February 15, 2021, which documents a campaign of system compromises that impacted several French entities. This campaign targeted the Centreon IT monitoring software.

The first compromises identified by the ANSSI date back to the end of 2017 and the attacks continued until 2020. They mainly affected IT service providers, particularly web hosting providers.

On the compromised systems, the webshell P.A.S. (alias Fobushell) is deployed in the Centreon web folder. Its content remains encrypted until the attacker connects to it and enters the right password.

In several cases, this webshell has been used to deploy the Exaramel backdoor. This malware, written in Go, is also deployed in the Centreon directory and its persistence is ensured via a scheduled task (cron).

The initial vector of this attack campaign is not precisely known. It can simply be assumed that it involves the exploitation of a vulnerability or a weakness in the Centreon monitoring software.

The analyses made it possible to identify two categories of infrastructure used in these attacks:
- Anonymization infrastructure: attackers use Tor or VPN services to connect to the webshells.
- Command and control infrastructure: attackers use dedicated servers to manage the implants.

Note: Exaramel communicates with its command and control servers via HTTPS.

WARNING: the ANSSI does not attribute these attacks to the Sandworm group (alias Telebots), and therefore even less to a Russian intelligence unit. The similarities observed relate to the modus operandi implemented: in particular the Exaramel backdoor and infrastructure elements. In reality, these elements of similarity even seem rather weak, at least on the sole reading of the ANSSI report.

Text

Value | Description
---|---
TeleBots | Cert-IST Attack name

Link

Value | Description
---|---
https://wws.cert-ist.com/private/fr/IocAttack_details?format=html&objectType=ATK&ref=CERT-IST/ATK-2016-066 | Cert-IST External link

File

Value | Description
---|---
/tmp/.applocktx | Socket created by Exaramel
/tmp/.applock | Socket created by Exaramel
configtx.json | Exaramel configuration file
centreon_module_linux_app64 | —
search.php | —
DB-Drop.php | —
/bin/backup | —

Target location

Value | Description
---|---
France | Cert-IST Targeted Country

Datetime

Value | Description
---|---
2021-01-26T23:00:00+00:00 | Cert-IST First Disclosed Date
2017-10-31T23:00:00+00:00 | Cert-IST First Seen Date

Hash

Value | Description
---|---
e1ff729f45b587a5ebbc8a8a97a7923fc4ada14de4973704c9b4b89c50fd1146 | —
a739f44390037b3d0a3942cd43d161a7c45fd7e7 | —
92ef0aaf5f622b1253e5763f11a08857 | —
893750547255b848a273bd1668e128a5e169011e79a7f5c7bb86cc5d7b2153bc | —
c69db1b120d21bd603f13006d87e817fed016667 | —
84837778682450cdca43d1397afd2310 | —
928d8dde63b0255feffc3d03db30aa76f7ed8913238321cc101083c2c5056ffa | —
b7afb8c91f8f9df4f18764c25251576a0f8bef6f | —
a89251cd4c15909a8e15256ead40584e | —
ebe98d5e1ab6966ec1e292fafbd5ef21c2b15bd7c7bb871d8e756971b8b6877a | —
5a58e46e5b8f468445f848f8eca741eddebcef3e | —
9885fcdda12167b2f598b2d22de07d5b | —
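The IOC tables above give a defender four concrete things to sweep for on a Centreon host: the listed file names, the listed MD5/SHA-1/SHA-256 hashes, the two socket paths Exaramel creates under /tmp, and a cron entry that keeps the backdoor running. The script below is an added example written for this page, not code from CERT-FR, ANSSI, Cert-IST or the Centreon project. It hashes every regular file under the directories you point it at, reports name and digest matches against the page's indicators, lists any of the absolute IOC paths present on the host, and flags crontab lines that reference an IOC file name. The sample files, the crontab text, the Centreon directory path in that crontab and the extra demo hash are all constructed for the demonstration; the real hash values are copied verbatim from the tables.

```python
"""Offline IOC sweep for the Centreon / Exaramel indicators listed on this page (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path

# Hash values copied from the page's IOC table (SHA-256, SHA-1 and MD5, lower-case hex).
IOC_HASHES = {
    "e1ff729f45b587a5ebbc8a8a97a7923fc4ada14de4973704c9b4b89c50fd1146",
    "893750547255b848a273bd1668e128a5e169011e79a7f5c7bb86cc5d7b2153bc",
    "928d8dde63b0255feffc3d03db30aa76f7ed8913238321cc101083c2c5056ffa",
    "ebe98d5e1ab6966ec1e292fafbd5ef21c2b15bd7c7bb871d8e756971b8b6877a",
    "a739f44390037b3d0a3942cd43d161a7c45fd7e7",
    "c69db1b120d21bd603f13006d87e817fed016667",
    "b7afb8c91f8f9df4f18764c25251576a0f8bef6f",
    "5a58e46e5b8f468445f848f8eca741eddebcef3e",
    "92ef0aaf5f622b1253e5763f11a08857",
    "84837778682450cdca43d1397afd2310",
    "a89251cd4c15909a8e15256ead40584e",
    "9885fcdda12167b2f598b2d22de07d5b",
}

# File indicators from the page. Absolute paths (Exaramel's sockets, /bin/backup) are
# checked as-is; bare names are matched against the basename of every file swept.
IOC_PATHS = {"/tmp/.applocktx", "/tmp/.applock", "/bin/backup"}
IOC_NAMES = {"configtx.json", "centreon_module_linux_app64", "search.php", "DB-Drop.php"}


def hash_file(path):
    """Return {'md5': ..., 'sha1': ..., 'sha256': ...} for a file, read once in 1 MiB chunks."""
    digests = [hashlib.md5(), hashlib.sha1(), hashlib.sha256()]
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for d in digests:
                d.update(chunk)
    return {d.name: d.hexdigest() for d in digests}


def sweep(roots, ioc_hashes=IOC_HASHES, ioc_names=IOC_NAMES):
    """Walk the given directories; return one finding per IOC name or digest match.
    Each finding is {'path', 'reason', 'value'} where reason is 'name' or the hash algorithm."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = Path(dirpath) / name
                if path.is_symlink() or not path.is_file():
                    continue  # sockets, devices and symlinks are not hashed
                if name in ioc_names:
                    findings.append({"path": str(path), "reason": "name", "value": name})
                for algo, digest in hash_file(path).items():
                    if digest in ioc_hashes:
                        findings.append({"path": str(path), "reason": algo, "value": digest})
    return findings


def present_ioc_paths(paths=IOC_PATHS):
    """Return the absolute IOC paths that exist on this host (lexists so a socket counts)."""
    return sorted(p for p in paths if os.path.lexists(p))


def cron_references(crontab_text, ioc_names=IOC_NAMES):
    """Return non-comment crontab lines that mention an IOC file name.
    The report says Exaramel persists through a cron job pointing into the Centreon directory."""
    hits = []
    for line in crontab_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if any(name in stripped for name in ioc_names):
            hits.append(stripped)
    return hits


def demo():
    """Constructed sample tree: one IOC-named file, one file whose SHA-256 is added to a demo
    hash set (we do not have the real samples), one benign file, plus a constructed crontab.
    Returns (findings, cron_hits)."""
    tmp = Path(tempfile.mkdtemp(prefix="ioc_demo_"))
    (tmp / "www").mkdir()
    (tmp / "www" / "search.php").write_bytes(b"<?php // constructed sample, not the real webshell\n")
    (tmp / "www" / "index.php").write_bytes(b"<?php echo 'benign';\n")
    implant = tmp / "implant.bin"
    implant.write_bytes(b"constructed sample binary content\n")
    demo_hashes = IOC_HASHES | {hashlib.sha256(implant.read_bytes()).hexdigest()}
    findings = sweep([tmp], ioc_hashes=demo_hashes)
    # Constructed crontab; the Centreon path below is invented for the demo.
    crontab = (
        "# constructed crontab sample\n"
        "*/5 * * * * /var/www/centreon/centreon_module_linux_app64\n"
        "0 3 * * * /usr/bin/logrotate\n"
    )
    return findings, cron_references(crontab)


if __name__ == "__main__":
    found, cron_hits = demo()
    for f in found:
        print(f"[{f['reason']}] {f['path']} -> {f['value']}")
    for line in cron_hits:
        print(f"[cron] {line}")
    for p in present_ioc_paths():
        print(f"[path] {p} exists")
```

On a real host you would call `sweep` over the Centreon web directory and any directory the webshell could write to, run `present_ioc_paths()` as root, and feed `cron_references` the output of the system and per-user crontabs. A name match alone is weak evidence (search.php is a plausible legitimate file name), so treat name hits as a prompt to inspect the file and hash hits as the stronger signal.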
Threat ID: 68367c12182aa0cae2312aeb
Added to database: 5/28/2025, 2:59:30 AM
Last enriched: 6/27/2025, 11:22:52 AM
Last updated: 8/9/2025, 7:32:26 PM