Persistent backdoors via Linux pluggable authentication modules: a new threat

Recent research by the Group-IB Digital Forensics and Incident Response (DFIR) team has revealed a novel technique exploiting Linux’s Pluggable Authentication Modules (PAM) to create persistent backdoors on compromised systems.

Exploiting PAM’s Flexibility

PAM is a flexible framework that allows administrators to configure authentication and authorization processes using shared libraries. However, attackers have found a way to abuse the pam_exec module to gain privileged access and maintain a foothold on targeted hosts.

Technique Overview

Malicious actors modify the PAM configuration related to SSH authentication to invoke the pam_exec module. By executing a malicious script during login attempts, they can perform stealthy actions, even if the login attempt fails.

Consequences of Exploitation

  • Data exfiltration: The malicious script can transfer sensitive information such as usernames, environment variables, and authentication details to a remote server.
  • Backdoor creation: Attackers can establish persistent control over compromised systems by creating backdoors.
  • Credential theft: Since PAM transmits values in plaintext, attackers can steal user credentials.

Proactive Defenses

To mitigate this emerging threat, organizations should adopt proactive defenses:

  • Privilege Management: Use Privilege Management for Unix & Linux (PMUL) to restrict high-risk commands.
  • File Integrity Monitoring: Deploy file integrity monitoring (FIM) to detect suspicious configuration changes.
  • PAM API Monitoring: Monitor PAM API usage in sandboxed environments to identify potential threats.
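As an added example, not code from the article or from Group-IB, the following Python check reviews an /etc/pam.d/sshd-style file for pam_exec entries of the kind described above and reports the command they run, whether the expose_authtok option hands the typed password to that command, and whether the command lives outside an assumed set of trusted directories. The sample configuration, the hook path and the trusted-prefix list are constructed for the example and would be replaced by a host's real file and its own baseline.

```python
import re

# Constructed sample in /etc/pam.d/sshd style (hypothetical; not taken from the article).
# The final line models the kind of pam_exec entry the article describes.
SAMPLE_PAM_SSHD = """\
# PAM configuration for the Secure Shell service
@include common-auth
account    required     pam_nologin.so
session    optional     pam_motd.so motd=/run/motd.dynamic
auth       optional     pam_exec.so expose_authtok quiet /usr/local/lib/auth_hook.sh
"""

PAM_LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
# Options pam_exec accepts ahead of the command (see the pam_exec man page).
PAM_EXEC_FLAGS = {"debug", "seteuid", "quiet", "quiet_log", "stdout", "expose_authtok"}
# Where a legitimate pam_exec target is expected to live: an assumption for this
# example, to be replaced by the host's own baseline.
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/")


def parse_pam_lines(text):
    """Split PAM config lines into type, control, module and argument fields."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or line.startswith("@include"):
            continue
        m = PAM_LINE.match(line)  # control may be bracketed, e.g. [success=1 default=ignore]
        if m:
            mtype, control, module, args = m.groups()
            records.append({"line": lineno, "type": mtype, "control": control,
                            "module": module, "args": args.split()})
    return records


def find_pam_exec_findings(text):
    """One finding per pam_exec.so entry, with the indicators a reviewer should check."""
    findings = []
    for rec in parse_pam_lines(text):
        if rec["module"].rsplit("/", 1)[-1] != "pam_exec.so":
            continue
        args = rec["args"]
        # The command is the first argument that is not a pam_exec option.
        cmd = next((a for a in args if a not in PAM_EXEC_FLAGS
                    and not a.startswith(("log=", "type="))), None)
        findings.append({
            "line": rec["line"], "type": rec["type"], "command": cmd,
            "exposes_password": "expose_authtok" in args,  # typed password goes to the command's stdin
            "untrusted_path": cmd is not None and not cmd.startswith(TRUSTED_PREFIXES),
        })
    return findings
```

Running it against the sample flags the auth-phase pam_exec line, which is what a file integrity monitoring alert on /etc/pam.d should be followed up with.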

Conclusion

The discovery of this PAM exploitation technique is a wake-up call for the Linux community. Organizations must prioritize the security of their Linux systems and invest in robust defenses against PAM-based attacks. The Group-IB team continues to investigate this technique and its potential impact, and it is crucial to stay vigilant and adopt proactive measures to protect against persistent backdoors.