Velvet Ant APT Spent Years Hiding Inside Linux Login Stack

A China-linked threat group compromised Linux PAM and OpenSSH components to maintain undetected access for nearly a decade, evading conventional security defenses.

CSBadmin
2 Min Read

The PAM and OpenSSH Compromise

A China-linked advanced persistent threat group tracked as Velvet Ant has been found hiding inside Linux login software for close to a decade. Security firm Sygnia reported that the attackers backdoored core components of the Pluggable Authentication Modules (PAM) and OpenSSH, which are the systems responsible for authenticating user logins. By modifying the trusted login programs themselves, the group avoided deploying new malware that security scanners might detect. The earliest traces of this activity date back to 2016. Nine separate versions of the backdoored PAM login module were identified, some allowing access with a secret password while others silently recorded legitimate usernames and passwords. The OpenSSH programs were similarly altered to log credentials and every command typed, but with a hidden switch to disable logging when the attackers were active.
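Because the implants replaced trusted login binaries rather than adding new files, the practical check is file-integrity verification of the login stack against a baseline taken from a known-good state. The script below is an added example, not code from the article or from Sygnia: it hashes the PAM module directory, the PAM configuration and the OpenSSH binaries, stores a baseline, and later reports files that were modified, removed or newly added. The default paths are assumptions about typical Debian/Ubuntu and RHEL-family layouts; the demo uses a constructed temporary directory so it runs anywhere.

```python
"""Integrity check for the Linux login stack (PAM modules and OpenSSH).

Added example (not from the article or Sygnia). Builds a SHA-256 baseline of
the files that make up the login stack and re-verifies them later, reporting
modified, missing and unexpected files.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Typical login-stack locations (assumption: adjust for your distribution).
DEFAULT_TARGETS = [
    "/lib/x86_64-linux-gnu/security",   # PAM modules, Debian/Ubuntu
    "/lib64/security",                  # PAM modules, RHEL-family
    "/etc/pam.d",                       # PAM stack configuration
    "/usr/sbin/sshd",
    "/usr/bin/ssh",
    "/etc/ssh/sshd_config",
]


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def iter_files(targets):
    """Yield every regular file under each target path (files or directories)."""
    for t in targets:
        p = Path(t)
        if p.is_file():
            yield p
        elif p.is_dir():
            for child in sorted(p.rglob("*")):
                if child.is_file():
                    yield child


def build_baseline(targets):
    """Map each file path to its SHA-256 digest. Keep the result off-host."""
    return {str(p): sha256_of(p) for p in iter_files(targets)}


def verify(baseline, targets):
    """Compare the current on-disk state against a stored baseline."""
    current = build_baseline(targets)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    unexpected = sorted(p for p in current if p not in baseline)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def demo():
    """Constructed scenario: a fake module directory where one module is
    replaced in place after baselining and one unexpected module appears."""
    with tempfile.TemporaryDirectory() as root:
        sec = Path(root) / "security"
        sec.mkdir()
        (sec / "pam_unix.so").write_bytes(b"\x7fELF constructed pam_unix")
        (sec / "pam_deny.so").write_bytes(b"\x7fELF constructed pam_deny")
        sshd = Path(root) / "sshd"
        sshd.write_bytes(b"\x7fELF constructed sshd")
        targets = [str(sec), str(sshd)]
        baseline = build_baseline(targets)
        # The pattern the article describes: the trusted module itself is swapped.
        (sec / "pam_unix.so").write_bytes(b"\x7fELF constructed pam_unix CHANGED")
        # An additional module shows up that the baseline never contained.
        (sec / "pam_extra.so").write_bytes(b"\x7fELF constructed extra")
        result = verify(baseline, targets)
        # Report basenames only so the constructed temp path does not leak in.
        return {k: [os.path.basename(p) for p in v] for k, v in result.items()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Take the baseline from a freshly provisioned host or from a rescue boot, store it and the checker off the host, and run the comparison from outside the suspect system when possible, since an attacker who controls the login stack can equally patch a checker that lives on the same disk. Package-manager verification (`dpkg --verify` or `rpm -Va`) is a useful second opinion, but it only covers files the package database knows about.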

The Multi-Stage Attack Chain

Reaching the isolated target network, which had no direct internet access, required additional steps. The attacker used disguised tools and an internet-facing web server as a bridge, passing commands through it to open remote sessions deep inside the segment. This approach made normal containment measures ineffective, as password resets and session terminations fail when the authentication system itself is compromised. This pattern of operation is consistent with Velvet Ant’s known tactics. In a 2024 incident, Sygnia found the same actor using internet-exposed F5 BIG-IP appliances as internal command servers. Later that year, the group exploited a Cisco NX-OS vulnerability (CVE-2024-20399) to plant backdoors on network switches, a bug that requires prior admin access and serves as a persistence mechanism rather than a remote exploitation vector.

Source: The Hacker News
