Chinese hackers have successfully infiltrated Linux login systems, remaining undetected for nearly a decade. This revelation sheds light on the sophisticated tactics employed by a group known as Velvet Ant, according to cybersecurity firm Sygnia. The hackers targeted fundamental components of the login process, making it challenging for defenders to identify and eliminate the threat.
Compromising Trusted Systems
Velvet Ant strategically backdoored the Pluggable Authentication Module (PAM) and OpenSSH components, crucial elements in the Linux login process. This approach allowed them to bypass traditional security measures and maintain access without detection. The targeted networks were isolated from the internet, necessitating the use of compromised internet-facing systems to establish a foothold.
The infiltration dates back to 2016, with hackers altering trusted login programs rather than introducing new malware. By modifying existing software, they evaded standard malware detection tools, making their activities appear as routine administration tasks. This method involved replacing the main PAM login module with altered versions that either provided hidden access or logged user credentials.
Advanced Infiltration Techniques
Velvet Ant’s operations extended beyond simple backdoors. They utilized sophisticated techniques to penetrate isolated networks, using disguised tools and compromised web servers to pass commands to internal systems. This allowed them to open remote sessions in segments without direct internet access.
Normal containment strategies proved ineffective as the hackers controlled the very systems responsible for credential verification. Even after detecting and eliminating a foothold, Velvet Ant would quickly shift to less monitored areas, continuing their operations undisturbed.
Implications for Cybersecurity
The group’s prior activities highlight their adaptability and persistence. In 2024, Sygnia identified similar tactics involving F5 BIG-IP appliances and a Cisco NX-OS vulnerability, CVE-2024-20399. These incidents underscore the importance of integrity checks on infrastructure that typically escapes rigorous monitoring.
This case emphasizes the need for comprehensive security measures beyond patching known vulnerabilities. Organizations must verify the integrity of trusted programs and systems, conducting thorough checks against known-good copies to detect unauthorized changes.
As cybersecurity threats evolve, it is crucial for organizations to enhance their monitoring capabilities and implement robust verification processes. This includes scrutinizing login files and key components like PAM and OpenSSH for any alterations.
Ultimately, the lessons from these incidents are clear: Even trusted systems require vigilant oversight, and security strategies must evolve to counter increasingly sophisticated threats.
