Group-IB’s DFIR team uncovered a new way hackers exploit Linux’s Pluggable Authentication Modules (PAM) to create long-lasting backdoors in compromised systems. This method, which is not yet in the MITRE ATT&CK framework, abuses “pam_exec” during SSH authentication to execute malicious scripts. Attackers can silently extract sensitive data (usernames, environment variables, authentication details) to remote servers, even during failed logins, bypassing traditional security measures.
Double-edged sword
PAM is a system that handles user authentication and authorization on Linux systems. It’s built to be flexible, allowing administrators to configure different authentication methods like passwords, LDAP, or biometrics using various modules. This same flexibility, however, is what hackers exploit.
“pam_exec”, one of the PAM modules, allows the system to run external commands or scripts during authentication. By modifying the PAM configuration, attackers can use “pam_exec” to execute their malicious scripts during SSH login attempts, whether the login succeeds or fails. These scripts can steal sensitive data and send it to a remotely controlled server, all while avoiding detection by traditional logging systems.
An indelible print on the icy igloo floor
This attack gives hackers a lasting presence in compromised systems. Since PAM passes data like usernames and authentication information in plaintext, malicious actors can intercept these details to create backdoors or steal user credentials. Once inside, they can maintain access for extended periods, making it harder for organizations to detect and remove them.
Penguins, brandish your beaks and there will be no leaks
To prevent this, organizations need better security measures. “Privilege Management for Unix & Linux (PMUL)” is a tool that can help block unauthorized commands, and “File Integrity Monitoring (FIM)” can detect changes in configuration files, spotting suspicious activity early on. It’s also important to closely monitor how PAM modules are used, especially in sandboxed environments, to catch any misuse of “pam_exec”.
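A defender-side check in the spirit of the monitoring advice above and the “pam_exec” mechanism described earlier: this is an added example, not code from Group-IB or the article. It parses /etc/pam.d-style stack lines, picks out every pam_exec.so entry, and reports the indicators an analyst would want to see (the real expose_authtok option, which feeds the password to the script on stdin; placement in the auth phase; a script path outside trusted directories). The sample configuration, the script paths and the trusted-directory list are constructed assumptions.

```python
import re

# Constructed sample resembling /etc/pam.d/sshd, with one attacker-style
# pam_exec line inserted (the script path is a made-up placeholder).
SAMPLE_PAM_CONFIG = """\
# PAM configuration for the Secure Shell service
auth       required     pam_env.so
auth       optional     pam_exec.so quiet expose_authtok /dev/shm/.cache/logger.sh
auth       [success=1 default=ignore] pam_unix.so nullok
auth       include      common-auth
account    include      common-account
session    optional     pam_exec.so seteuid /usr/local/sbin/record-login.sh
session    include      common-session
"""

# Where an administrator would expect pam_exec scripts to live (assumption).
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/usr/local/sbin/", "/usr/lib/")

# /etc/pam.d line: type, control (word or [bracketed]), module, optional args.
PAM_LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
# pam_exec options that precede the program path in its argument list.
PAM_EXEC_OPTION = re.compile(r"^(debug|expose_authtok|seteuid|quiet|quiet_log|stdout|log=.*|type=.*)$")


def audit_pam_exec(config_text):
    """Return one finding per pam_exec.so line: (line number, program, indicators)."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        m = PAM_LINE.match(line)
        if not m or not m.group(3).endswith("pam_exec.so"):
            continue
        pam_type, args = m.group(1), m.group(4).split()
        options = [a for a in args if PAM_EXEC_OPTION.match(a)]
        # The first non-option token is the program pam_exec will run.
        program = next((a for a in args if not PAM_EXEC_OPTION.match(a)), None)
        indicators = []
        if "expose_authtok" in options:
            indicators.append("expose_authtok: password handed to the script on stdin")
        if pam_type == "auth":
            indicators.append("auth phase: runs on login attempts, failed ones included")
        if program is None or not program.startswith(TRUSTED_PREFIXES):
            indicators.append("script outside trusted directories")
        findings.append((lineno, program, indicators))
    return findings


if __name__ == "__main__":
    for lineno, program, indicators in audit_pam_exec(SAMPLE_PAM_CONFIG):
        print(f"line {lineno}: {program} -> {'; '.join(indicators) or 'no indicators'}")
```

Pair the output with a file-integrity baseline of /etc/pam.d so that a newly appearing pam_exec line is raised as an alert rather than found during a later review.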
As Linux continues to be a major target for attacks, this discovery serves as a warning to reinforce defenses. Group-IB encourages organizations to be proactive in securing their Linux systems.