Rapport ANSSI – Q&A Centreon

Context for this FAQ

On February 15, the French national agency for the security of information systems, ANSSI, reported on an intrusion campaign targeting an obsolete and unsupported version of the free, open-source monitoring software Centreon (version 2.5.2, released Nov. 2014) which affected about fifteen unidentified French companies from 2017 to 2020, none of which were Centreon clients. This FAQ will help answer your questions on the ANSSI report. Should you require additional information, please contact our team of experts.

What is ANSSI and what was the report about?

ANSSI is a national authority that reports to the French General Secretary for Defence and National Security (SGDSN) on matters of national defence and security. The report concerned an intrusion campaign that took place between 2017 and 2020 on about fifteen unidentified French companies, mostly IT firms and web hosting companies that were running an outdated and unsupported version of the Centreon open-source monitoring software.

Was this a supply chain type of attack?

No, this was not a supply chain type of attack. In a statement following the report’s disclosure, ANSSI confirmed that the Centreon software did not distribute or contribute to propagate malicious code. The campaign they were reporting on was not a supply chain type attack and no parallel could be made with other attacks of this type. In addition, ANSSI specified that the campaign was over, and no malicious activity could be observed at this time. 

Which organizations were affected?

The ANSSI report did not disclose which organizations were affected by the campaign, only stating they were mostly IT firms and particularly web hosting companies. These organizations were not Centreon clients and we could not identify them. 250,000 IT pros use the free open-source Centreon software around the world. If you are a current user or considering using the free Centreon open-source software, make sure you use a version that’s currently supported. You can download the latest version here.

How can I find out if my organization might have been affected by this campaign?

Use this guide for instructions to check which version of the Centreon open-source software your organization is using and scan for potential illegitimate files. The campaign concerned an out-of-date version of the open-source software, version 2.5.2, stored on Internet-exposed servers. If you see you’re not using the latest Centreon Open Source version, update your software, making sure to always use the most recent version.

What was the impact of the intrusion campaign?

Because no Centreon clients were impacted, and since the campaign concerns unnamed users of an obsolete and unsupported free open-source version, it is difficult to assess what impact the campaign had for these users. Centreon issued a guide to help open-source users search for the existence of potential illegitimate files.

Were Centreon customers affected?

No Centreon customers were affected by the campaign reported by ANSSI. In addition, ANSSI confirmed that no malicious activity could be observed at this time.

We use Centreon or we’re considering using Centreon, what do you advise? 

If you’re using one of Centreon’s commercial editions or a recent version of the Centreon open-source software, you are not concerned by this issue. If you are running an outdated version of the software, refer to this guide to ensure you’re not exposed to potential vulnerabilities and update to the latest version of the software. If you are considering using a Centreon software product, contact our team of experts for more information and insights.  

What can we do to protect against such security vulnerabilities?

Follow the ANSSI IT Health Recommendations and use updated and supported software versions, especially within the context of production environments. We recommend that you follow the ANSSI guide “Configuration Recommendations of a GNU/Linux System.” Section 4 and 5 of this guide also provide some important recommendation to running a secure Centreon platform.

Is this comparable to the recent SolarWinds breach?

Late 2020 it was reported that hackers altered SolarWinds IT monitoring application in order to use it to breach a number of networks, including half a dozen US federal agencies. Hackers compromised the infrastructure of SolarWinds and used that access to trojanize and distribute updates to users of the company’s monitoring software called Orion. Although ANSSI reported a campaign involving Centreon servers, the nature and results of the attack were completely different. The servers that were breached were housing an outdated, unsupported version of the Centreon open-source software and were exposed to the Internet, a situation that is contrary to safe IT practices. The Centreon software itself was not compromised and it did not distribute or contribute to propagate malicious code. ANSSI confirmed that the campaign involving Centreon is not a supply chain type attack and no parallel with other attacks of this type can be made in this case.