Summary
Key Points:
- A China-linked group, identified as Velvet Ant, has backdoored Linux login software components (PAM and OpenSSH) to maintain stealthy access for nearly a decade.
- The attack impacts systems with compromised authentication mechanisms, allowing the group to log credentials and execute commands without detection. This poses significant risks to network integrity and security.
- Recommended actions include implementing integrity checks on critical infrastructure components, especially those not subject to regular monitoring, and verifying the authenticity of PAM and OpenSSH modules.
Technical Details: The attackers modified trusted login programs to create backdoors that recorded user credentials. They also exploited CVE-2024-20399 in Cisco NX-OS switches for persistence after gaining admin access.
MITRE ATT&CK Techniques:
- T1078 - Valid Accounts (Defense Evasion)
- T1190 - Exploit Public-Facing Application (Initial Access)
- T1003.001 - OS Credential Dumping: LSASS Memory (Credential Access)
- T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys (Persistence)
IOCs Mentioned:
- CVE-2024-20399
Join the discussion — sign up to comment, upvote, and save articles.