
China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade

The Hacker News, 12/06/2026, 18:17

Summary (AI-Generated)

Key Points:

  • A China-linked group, identified as Velvet Ant, has backdoored Linux login software components (PAM and OpenSSH) to maintain stealthy access for nearly a decade.
  • Because the compromised components sit directly in the authentication path, the group could log credentials and execute commands without detection on affected systems. This poses significant risks to network integrity and security.
  • Recommended actions include implementing integrity checks on critical infrastructure components, especially those not subject to regular monitoring, and verifying the authenticity of PAM and OpenSSH modules.

Technical Details: The attackers modified trusted login programs to create backdoors that recorded user credentials. They also exploited CVE-2024-20399 in Cisco NX-OS switches for persistence after gaining admin access.
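The recommended action above, integrity checks on PAM and OpenSSH components, can be implemented as a file-hash baseline that is recorded from a known-good system and compared against the live host later. The script below is an added example for this page, not code from The Hacker News, the researchers, or the Velvet Ant report. The paths in WATCHED_PATHS are assumptions about a typical Linux layout; the demo uses a constructed temporary directory in place of /lib/security so it runs anywhere.

```python
"""Hash-baseline integrity check for PAM modules and OpenSSH components.

Added example (not from the article). The watched paths are assumptions about
a typical Linux layout and should be adjusted per distribution.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Assumed locations of PAM modules and OpenSSH pieces on a typical Linux host.
# Missing entries are skipped, so the same list works across distributions.
WATCHED_PATHS = [
    "/lib/security",
    "/lib64/security",
    "/usr/lib/x86_64-linux-gnu/security",
    "/etc/pam.d",
    "/etc/ssh/sshd_config",
    "/usr/sbin/sshd",
    "/usr/bin/ssh",
]


def sha256_file(path: Path) -> str:
    """Stream the file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(roots, relative_to=None) -> dict:
    """Map every regular file under the given roots to its SHA-256 digest.

    relative_to (optional) makes the keys relative to a directory, which keeps
    a baseline portable between hosts that mount the same tree elsewhere.
    """
    baseline = {}
    for root in map(Path, roots):
        if not root.exists():
            continue
        files = [root] if root.is_file() else (p for p in root.rglob("*") if p.is_file())
        for p in files:
            key = str(p.relative_to(relative_to)) if relative_to else str(p)
            baseline[key] = sha256_file(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify drift between a trusted baseline and a fresh snapshot.

    A modified sshd binary or an unexpected .so under a PAM directory is
    exactly the kind of change the article's recommendation is meant to catch.
    """
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def run_demo() -> dict:
    """Constructed sample: a temp directory standing in for /lib/security."""
    root = Path(tempfile.mkdtemp(prefix="pam-demo-"))
    (root / "pam_unix.so").write_bytes(b"placeholder bytes for pam_unix")
    (root / "pam_deny.so").write_bytes(b"placeholder bytes for pam_deny")
    baseline = build_baseline([root], relative_to=root)

    # Simulate tampering after the baseline was taken: one module replaced,
    # one unknown module added, one module removed.
    (root / "pam_unix.so").write_bytes(b"placeholder bytes for pam_unix, altered")
    (root / "pam_extra.so").write_bytes(b"placeholder bytes for an unknown module")
    (root / "pam_deny.so").unlink()

    return compare(baseline, build_baseline([root], relative_to=root))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The baseline must come from a trusted source, such as a freshly installed host or the package manager's own manifest; recording it on a machine that may already be compromised only enshrines the backdoor. Where a package manager is present, `rpm -V pam openssh-server` or `dpkg --verify` / `debsums` give the same kind of answer against vendor-shipped hashes, and a scheduled run of either approach covers the "not subject to regular monitoring" gap the summary calls out.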

MITRE ATT&CK Techniques:

  • T1078 - Valid Accounts (Defense Evasion)
  • T1190 - Exploit Public-Facing Application (Initial Access)
  • T1003.001 - OS Credential Dumping: LSASS Memory (Credential Access)
  • T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys (Persistence)

IOCs Mentioned:

  • CVE-2024-20399
