The National Information Systems Security Agency (ANSSI), France, has published a report about recent intrusions by the Russian-backed Sandworm APT group (also known as BlackEnergy or TeleBots).
Sandworm’s central focus
According to the report, the Sandworm group has been targeting the Centreon IT monitoring software, resulting in breaches of several French entities since at least 2017.
- The series of attacks abusing Centreon software has mostly affected French IT providers, especially web hosting providers, over a span of four years.
- The recent campaign has several similarities with previously observed Sandworm attacks; however, the initial server compromise vector is not yet known.
- The group has been deploying the Exaramel backdoor and the PAS web shell (aka Fobushell) on compromised servers within the affected organizations' networks.
- When connecting to the backdoors, the attackers used public and commercial VPN and anonymization services such as the Tor network, ExpressVPN, VPNBook, and Private Internet Access (PIA).
In mid-2020, the Sandworm group was very active and mainly leveraged vulnerabilities in the Exim Mail Transfer Agent (MTA) in its campaigns.
- In June 2020, the Sandworm Team exploited three flaws (CVE-2019-10149, CVE-2019-15846, and CVE-2019-16928) in the Exim MTA.
- In May 2020, the Sandworm group was found exploiting a bug in the Exim MTA, using the compromised servers as an initial foothold and likely pivoting to other parts of the victim's network.
Sandworm, the creator of the NotPetya malware, is considered one of the most aggressive and destructive hacking groups. Therefore, any new activity from the Sandworm group, whether small or large, is worth a close look. As preventive measures, users should patch applications, limit the external exposure of monitoring systems, and harden servers.
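The two defensive points above (a web shell dropped on a monitoring server, and a monitoring interface that should not be reachable from outside) can be turned into a simple log-review check. The following is an added example, not code from the ANSSI report or from Centreon: it parses Apache combined-format access log lines and flags requests that come from outside an assumed internal management range, or that POST to a PHP path other than the application's known entry points. The log lines, the internal network ranges, and the list of expected PHP entry points are all constructed placeholders that a defender would replace with their own environment's values.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample log lines in Apache "combined" format (not from the ANSSI report).
# The third line imitates a POST to a PHP file outside the application's normal entry points,
# coming from a non-internal address; the fourth is an ordinary page view from outside.
SAMPLE_LOG = """\
10.0.5.21 - - [12/Feb/2021:09:14:02 +0100] "GET /centreon/main.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.5.21 - - [12/Feb/2021:09:14:07 +0100] "POST /centreon/main.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.17 - - [12/Feb/2021:09:20:41 +0100] "POST /centreon/include/tmp/cache.php HTTP/1.1" 200 318 "-" "python-requests/2.25"
203.0.113.44 - - [12/Feb/2021:09:22:15 +0100] "GET /centreon/main.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""

# Assumed values: the management networks that should be the only source of traffic to the
# monitoring interface, and the PHP entry points the application is expected to receive POSTs on.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
EXPECTED_PHP = {"/centreon/main.php", "/centreon/index.php"}

# Minimal parser for the fields this check needs: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the parsed fields of one access log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def is_internal(ip: str) -> bool:
    """True if the client address falls inside one of the assumed management ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def find_suspicious(log_text: str) -> List[Dict[str, object]]:
    """Flag requests that violate the exposure or entry-point expectations."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if not is_internal(rec["ip"]):
            reasons.append("external source")
        if (rec["method"] == "POST"
                and rec["path"].endswith(".php")
                and rec["path"] not in EXPECTED_PHP):
            reasons.append("POST to unexpected PHP path")
        if reasons:
            findings.append({"ip": rec["ip"], "path": rec["path"],
                             "ts": rec["ts"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['path']}: {', '.join(f['reasons'])}")
```

Run against the constructed sample, the check reports two lines: the POST to an unexpected PHP path from an external address (two reasons) and the external page view (one reason). The "external source" rule is the log-side counterpart of limiting exposure: if the interface is properly restricted at the network edge, that reason should never fire, so any hit is worth investigating on its own.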