Costin Raiu Profile picture
16 Feb, 9 tweets, 2 min read
1/9 The French National Cybersecurity Agency @ANSSI_FR released a report on Hades / Sandworm infecting Centreon servers with a PHP backdoor, followed by deploying the Exaramel Linux backdoor. Some notes:
2/9 Centreon is an IT monitoring software, created by a French company with the same name. Some customers include Accor Hotels, AirFrance / KLM, Airbus, Euronews, Orange and various French gov agencies. No indication any of these were breached.
3/9 The first compromise took place in 2017 and the campaign lasted until 2020. Campaign mostly affected information technology providers, especially web hosting providers. Important: the initial compromise method is not known.
4/9 The attackers rely heavily on the P.A.S. webshell. This would commonly be deployed in the Centreon web server folder, eg "/usr/local/centreon/www/search.php" and created by the apache user. In addition to the webshell, attackers also deployed the Exaramel backdoor.
5/9 Exaramel is a multiplatform backdoor; Windows and Linux versions are known to exist. The Linux version is written in Golang. It was first reported by ESET in 2018. On infected systems, @ANSSI_FR found it was created by the apache user, same as the P.A.S. webshell.
6/9 Hades / Sandworm is the only known group that uses Exaramel. Exaramel has code similarities with the Industroyer main backdoor. The report does not include other public links to Hades / Sandworm.
7/9 To manage the backdoors, the attackers used TOR and several VPN services: PRIVATEINTERNETACCESS, EXPRESSVPN and VPNBOOK. They also used some undisclosed IPs that do not appear to be associated with known VPNs or TOR.
8/9 Although the @ANSSI_FR report makes it clear the infection vector is unknown, the details suggest the attackers were more likely exploiting a vulnerability in the Centreon software rather than a supply chain attack. This vulnerability may have been closed in 2020.
9/9 As usual, simple things, such as monitoring for new PHP files and executables, running Yara rules for known malware or antivirus software should catch these attacks.
Report and IOCs: cert.ssi.gouv.fr/cti/CERTFR-202…
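The detection advice in tweet 9/9 (watch the web server folder for PHP files and executables that appear or change, and note which user owns them) can be implemented as a small baseline-and-diff file integrity check. The following is an added example and not code from the thread or from ANSSI; it assumes a Linux host (it uses the `pwd` module to resolve file owners) and builds a constructed, fictional web root under a temporary directory. The file name `www/search.php` is reused from the thread as the dropped file in the scenario, but its contents are a harmless placeholder.

```python
import hashlib
import json
import pwd
import stat
import tempfile
from pathlib import Path

# File types the check treats as worth alerting on when new or modified.
WATCH_SUFFIXES = {".php", ".phtml", ".phar"}


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load fully into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(webroot: Path) -> dict:
    """Map each file under webroot (relative POSIX path) to its hash, owner and exec bit."""
    result = {}
    for p in sorted(webroot.rglob("*")):
        if not p.is_file():
            continue
        st = p.stat()
        try:
            owner = pwd.getpwuid(st.st_uid).pw_name
        except KeyError:
            owner = str(st.st_uid)  # uid with no passwd entry
        result[p.relative_to(webroot).as_posix()] = {
            "sha256": file_digest(p),
            "owner": owner,
            "executable": bool(st.st_mode & stat.S_IXUSR),
        }
    return result


def save_baseline(snap: dict, path: Path) -> None:
    """Persist a snapshot as JSON so later runs can diff against it."""
    path.write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def diff_snapshots(baseline: dict, current: dict) -> list:
    """Return alerts for PHP scripts or executables that are new or changed since the baseline.

    Each alert carries the file owner, because in the reported intrusions the dropped
    files belonged to the web server account (apache) rather than to an administrator.
    """
    alerts = []
    for rel, meta in current.items():
        watched = Path(rel).suffix.lower() in WATCH_SUFFIXES or meta["executable"]
        if not watched:
            continue
        if rel not in baseline:
            alerts.append({"path": rel, "reason": "new", "owner": meta["owner"]})
        elif baseline[rel]["sha256"] != meta["sha256"]:
            alerts.append({"path": rel, "reason": "modified", "owner": meta["owner"]})
    return alerts


def demo() -> list:
    """Constructed scenario: baseline a fake web root, then drop one new PHP file.

    The CSS edit is deliberately included to show that non-watched files do not alert.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "centreon"
        (root / "www").mkdir(parents=True)
        (root / "www" / "index.php").write_text("<?php echo 'ok'; ?>\n")
        (root / "www" / "style.css").write_text("body {}\n")
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(snapshot(root), baseline_file)

        # Changes after the baseline: a new PHP file (harmless placeholder content,
        # constructed for the example) and an edit to a file type we do not watch.
        (root / "www" / "search.php").write_text("<?php /* constructed placeholder */ ?>\n")
        (root / "www" / "style.css").write_text("body { color: red; }\n")

        return diff_snapshots(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    for alert in demo():
        print(f"{alert['reason']:8} {alert['path']} (owner: {alert['owner']})")
```

In a real deployment the baseline would be taken right after a clean install or upgrade and stored outside the web root, and the diff would run from cron or a monitoring agent; an alert whose owner is the web server account rather than an administrator deserves the highest priority, since that matches how the report describes the dropped files.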