Sandworm’s central focus
According to the report, the Sandworm group has been targeting the IT monitoring software Centreon, which resulted in the breach of several French entities since at least 2017.
The series of attacks abusing Centreon software has mostly affected multiple French IT providers, especially web hosting providers, over a span of four years.
Although the recent campaign has several similarities with previously observed Sandworm attacks, the initial server compromise vector is not yet known.
The group has been deploying the Exaramel and PAS web shell (aka Fobushell) backdoors on the compromised servers of the impacted organizations' networks.
When connecting to the backdoors, the attackers used public and commercial VPN and anonymization services such as the Tor network, ExpressVPN, VPNBook, and PrivateInternetAccess (PIA).
Previous attacks
In mid-2020, the Sandworm group was very active and mainly leveraged vulnerabilities in the Exim Mail Transfer Agent (MTA) in its campaigns.
In June 2020, the Sandworm Team exploited three flaws (CVE-2019-10149, CVE-2019-15846, and CVE-2019-16928) in the Exim MTA.
In May 2020, the Sandworm group was found exploiting a bug in the Exim MTA, using the hacked servers as an initial infection point on target systems and likely pivoting to other parts of the victim's network.
Conclusion
Sandworm, which is the creator of NotPetya ma ..