Centreon: Sandworm Attacks Targeted Legacy Open Source Product
French software provider Centreon has hit back at a report from the country’s cybersecurity agency that its products were hijacked in a Russian cyber-campaign, claiming that no paying customers were affected.
The firm, which produces IT monitoring software not unlike SolarWinds, was at the center of a report from the French National Agency for the Security of Information Systems (ANSSI) this week.
The report claimed that the infamous Sandworm group, responsible for destructive attacks against Ukrainian energy providers in prior years, had targeted IT and web hosting firms from 2017 to 2020.
The group is said to have dropped a version of the P.A.S. web shell and the Exaramel backdoor Trojan to obtain remote control of “several Centreon servers exposed to the internet.”
However, in an update yesterday, the IT vendor clarified that the campaign only targeted legacy open source versions of its software, at around 15 organizations.
“The campaign described by ANSSI exclusively concerns obsolete versions of Centreon’s open source software. Indeed, the ANSSI specifies that the most recent version concerned by this campaign is version 2.5.2, released in November 2014,” it said.
“This version is not only no longer supported for more than five years, but has apparently also been deployed without respect for the security of servers and networks, including connections outside the entities concerned. Since this version, Centreon has released eight major versions.”
Centreon also made it clear that it had not been responsible for unwittingly distributing malicious code itself in a supply chain-style attack similar to SolarWinds.
As well as the BlackEnergy attacks in Ukraine, Sandworm has in the past been linked to cyber-espionage campaigns against NATO members and European governments in 2019. More relevant still were the attacks it launched against Exim email servers last year.