As detailed in The Hacker News, a sophisticated China-nexus threat group, tracked as Velvet Ant by Sygnia, has been discovered to have operated undetected on an organization's network for approximately 10 years by compromising the core Linux login system itself. Instead of relying on conventional malware, the group stealthily modified trusted components like PAM and OpenSSH, allowing them to maintain persistent access and exfiltrate credentials without triggering standard security alerts.

The group's operation, dubbed Operation Highland, involved backdooring the Pluggable Authentication Modules (PAM) and OpenSSH components, which are fundamental to user authentication on Linux systems. This allowed them to either bypass authentication with a secret password or silently capture legitimate user credentials. The targeted network was air-gapped, necessitating the use of internet-facing systems as a bridge to reach the isolated environment. Researchers identified nine distinct versions of the backdoored software, indicating a long-term and evolving campaign. The compromised login system rendered traditional containment measures ineffective, as password resets and session terminations did not address the root cause of the compromise.

This tactic aligns with Velvet Ant's known modus operandi, which includes exploiting trusted infrastructure like F5 BIG-IP appliances and Cisco NX-OS devices in previous attacks. The implications for cybersecurity are significant, highlighting the need for integrity checks on critical infrastructure components, including the login layer, and emphasizing proactive threat hunting over reactive alerting.

Source: The Hacker News
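The integrity check on the login layer that the summary calls for can be as simple as a hash baseline of the PAM modules and OpenSSH binaries, re-verified on a schedule. The script below is an added example, not code from the article, Sygnia or the Velvet Ant report; the file paths in LOGIN_LAYER_PATHS are assumptions for a typical Linux host and should be adjusted per distribution.

```shell
#!/bin/sh
# Added example: baseline and verify the Linux login layer (PAM + OpenSSH).
# A changed pam_*.so or sshd binary is exactly the kind of modification
# described above, so a mismatch warrants investigation of the host, not just
# a password reset.

# Assumed paths; adjust for your distribution (e.g. /usr/lib64/security on RHEL).
LOGIN_LAYER_PATHS="/usr/sbin/sshd /usr/bin/ssh /usr/lib/x86_64-linux-gnu/security /lib64/security /etc/pam.d"

# Print "sha256  path" for every regular file under the given paths.
# Paths that do not exist on this host are skipped silently.
login_layer_manifest() {
    for p in "$@"; do
        [ -e "$p" ] || continue
        find "$p" -type f 2>/dev/null
    done | sort | while IFS= read -r f; do
        sha256sum "$f"
    done
}

# Compare a saved baseline manifest against the current state of the same paths.
# Prints each differing manifest line ("<" = baseline entry no longer present,
# ">" = current entry not in baseline; a modified file appears as both) and
# returns 1 when anything differs, 0 when the login layer matches the baseline.
login_layer_verify() {
    baseline="$1"; shift
    current=$(mktemp) || return 2
    login_layer_manifest "$@" > "$current"
    changes=$(diff "$baseline" "$current" | grep '^[<>]' || true)
    rm -f "$current"
    if [ -n "$changes" ]; then
        printf '%s\n' "$changes"
        return 1
    fi
    return 0
}

# Usage: record a baseline once from a known-good host, store it off-box,
# then verify periodically:
#   login_layer_manifest $LOGIN_LAYER_PATHS > /var/lib/login-baseline.sha256
#   login_layer_verify /var/lib/login-baseline.sha256 $LOGIN_LAYER_PATHS
```

On packaged systems this complements, rather than replaces, the package manager's own verification (`rpm -V openssh-server pam` or `dpkg --verify`), since those checks rely on metadata stored on the same host and an attacker with root can alter it; an off-box baseline and the package check together give two independent references.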