Company says victims were using outdated versions of its monitoring software

IT services firm Centreon downplays reports of backdoor software vulnerabilities linked to Russian hacking group Sandstorm

French IT monitoring company Centreon has downplayed reports of backdoor vulnerabilities in its open source software that were allegedly linked to Sandworm, a Russian hacking group.

France’s National Agency for the Security of Information Systems (ANSSI) released a report (PDF) this week (February 15) detailing how several French corporate entities have been impacted by vulnerabilities in Centreon’s eponymous open source IT monitoring product.

ANSSI reported that the software contained two backdoors that have impacted several customers for as long as three years.

However, the vendor has massively downplayed the issue, which it says is only present on outdated versions of its open source infrastructure monitoring product.


In response to ANSSI’s, Centreon said the report “could mislead individuals to believe that the solutions provided by Centreon would present security flaws”.

Centreon said that the flaws were present in obsolete software versions, and in a statement appeared to distance itself by stressing that only users who did not upgrade their builds weren’t protected.

It also said that none of its customers had been impacted by the malicious hacking campaign, and that it did not propagate any malicious code.

YOU MAY LIKE Centris: New tool helps prevent software supply chain attacks by flagging modified open source components

The statement reads: “The ANSSI report and our exchanges with them confirm that Centreon did not distribute or contribute to propagate malicious code.

“This is not a supply chain type attack and no parallel with other attacks of this type can be made in this case.”

Sandworm links

The cyber agency, however, believes the campaign could be linked to Sandworm, a group of Russian hackers blamed for blackouts across Ukraine and the 2018 Winter Olympics opening ceremony cyber-attack.

A report reads: “On compromised systems, ANSSI discovered the presence of a backdoor in the form of a webshell dropped on several Centreon servers exposed to the internet. This backdoor was identified as being the P.A.S. webshell, version number 3.1.4.

“On the same servers, ANSSI found another backdoor identical to one described by ESET and named Exaramel.

“This campaign bears several similarities with previous campaigns attributed to the intrusion set named Sandworm.”

Combined, the two vulnerabilities could allow for complete takeover of the software, which could enable hackers to move laterally across a victim’s network.

Further technical details can be found in the ANSSI report (PDF).

Read more of the latest cyber-attack news

ANSSI also released a number of recommendations to protect against the campaign, including keeping all software up to date and limiting the external exposure of IT monitoring systems.

“Monitoring systems such as Centreon need to be highly intertwined with the monitored information system and therefore are a prime target for intrusion sets seeking lateralisation,” the report reads.

“It is recommended either not to expose these tools’ web interfaces to [the] internet or to restrict such access using non-applicative authentication (TLS client certificate, basic authentication on the web server).”

YOU MAY ALSO LIKE SQLite patches use-after-free bug that left apps open to code execution, denial-of-service exploits