TLDR:
Key Points:
- Group-IB DFIR team discovers new technique exploiting Linux’s PAM to create backdoors
- Attackers use pam_exec module to execute malicious scripts during SSH authentication
The Group-IB DFIR team has uncovered a new technique that exploits Linux’s Pluggable Authentication Modules (PAM) to create persistent backdoors on compromised systems. By abusing the pam_exec module during SSH authentication, attackers can execute malicious scripts and perform stealthy data exfiltration without leaving traces in system logs. The modular nature of PAM introduces risks that must be carefully managed, and organizations are advised to adopt proactive defenses and monitoring strategies to combat this emerging threat. It is crucial for the Linux community to prioritize the security of their systems and invest in robust defenses against PAM-based attacks.
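As an added, defender-side example (not code from Group-IB's write-up), the following Python snippet parses a PAM service file, extracts every pam_exec.so entry, and flags those whose script lives outside packaged locations or that request expose_authtok (which hands the typed password to the script). The sample sshd configuration and the trusted-prefix list are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample of an /etc/pam.d/sshd file (not taken from a real host).
# The last line is the shape of entry the advisory describes: pam_exec
# hooking the auth stack to run a script outside any package-managed path.
SAMPLE_PAM_SSHD = """\
#%PAM-1.0
auth       substack     password-auth
auth       include      postlogin
account    required     pam_nologin.so
session    optional     pam_keyinit.so force revoke
session    [success=1 default=ignore] pam_succeed_if.so service in crond quiet
auth       optional     pam_exec.so expose_authtok /tmp/.cache/auth.sh
"""

# Assumed allow-list: where distribution packages normally install PAM helpers.
TRUSTED_PREFIXES = ("/usr/lib", "/usr/libexec", "/usr/local/sbin", "/etc/security")

# type  control(or [bracketed control])  module  args...
PAM_LINE = re.compile(r"^\s*(?P<type>-?\w+)\s+(?P<control>\[.*?\]|\S+)\s+(?P<module>\S+)(?P<args>.*)$")


@dataclass
class PamExecEntry:
    service_type: str   # auth / account / password / session
    control: str        # required / optional / [ ... ]
    args: list
    script: str         # first absolute path among the arguments


def find_pam_exec(config_text):
    """Return the pam_exec.so entries found in one PAM service file's text."""
    entries = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = PAM_LINE.match(line)
        if not m or not m.group("module").endswith("pam_exec.so"):
            continue
        args = m.group("args").split()
        script = next((a for a in args if a.startswith("/")), "")
        entries.append(PamExecEntry(m.group("type"), m.group("control"), args, script))
    return entries


def suspicious(entry):
    """Flag scripts outside packaged paths, or entries that expose the password."""
    outside_trusted = not entry.script.startswith(TRUSTED_PREFIXES)
    return outside_trusted or "expose_authtok" in entry.args


def audit(config_text):
    """Return only the pam_exec entries worth a human look."""
    return [e for e in find_pam_exec(config_text) if suspicious(e)]
```

Run it over every file under /etc/pam.d and diff the result against a known-good baseline; a pam_exec line that appears without a matching package change is the signal to investigate.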