Linux backdoors created by abusing Pluggable Authentication Modules

September 7, 2024

TLDR (key points):

  • Group-IB DFIR team discovers new technique exploiting Linux’s PAM to create backdoors
  • Attackers use pam_exec module to execute malicious scripts during SSH authentication

The Group-IB DFIR team has uncovered a new technique that exploits Linux’s Pluggable Authentication Modules (PAM) to create persistent backdoors on compromised systems. By abusing the pam_exec module, which runs an external command at a chosen stage of the PAM stack, during SSH authentication, attackers can execute malicious scripts and exfiltrate data stealthily without leaving traces in system logs. Because PAM is modular, every module loaded by a service file is trusted code on the authentication path, and that flexibility must be managed carefully: organizations are advised to adopt proactive defenses and monitoring strategies against this emerging threat, and the Linux community should prioritize hardening their systems and investing in robust defenses against PAM-based attacks.
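The practical defensive check that follows from this is an audit of the PAM service files for unexpected pam_exec entries. The following Python script is an added example, not code from Group-IB or from the article: it parses a PAM service file in the standard `type control module args` format, flags every `pam_exec.so` line whose command is not on an allowlist, and rates entries hooked into the `auth`/`password` stages (or carrying the documented `expose_authtok` option) as high severity. The `/etc/pam.d` path, the allowlist and the sample `sshd` file are assumptions constructed for the example; the option names come from the pam_exec(8) manual page.

```python
"""Audit PAM service files for pam_exec entries (added defensive example)."""
import re
import shlex
from typing import Dict, FrozenSet, List, NamedTuple, Optional

# Options documented in pam_exec(8); any other token on the line is the command.
PAM_EXEC_OPTIONS = {"debug", "expose_authtok", "seteuid", "stdout", "quiet", "quiet_log"}
PAM_EXEC_KV_PREFIXES = ("log=", "type=")


class PamEntry(NamedTuple):
    service: str
    mtype: str      # auth, account, password, session
    control: str    # required, optional, [success=1 default=ignore], ...
    module: str     # e.g. pam_exec.so
    args: List[str]


# <type> <control or [bracketed control]> <module> [args...]
_LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam_config(service: str, text: str) -> List[PamEntry]:
    """Parse one /etc/pam.d/<service> file; comments and @include lines are skipped."""
    entries: List[PamEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            continue
        mtype, control, module, rest = m.groups()
        # A leading '-' only silences "module not found" errors; strip it from the type.
        entries.append(PamEntry(service, mtype.lstrip("-"), control, module, shlex.split(rest)))
    return entries


def pam_exec_command(args: List[str]) -> Optional[str]:
    """Return the command pam_exec would run (first non-option token), or None."""
    for a in args:
        if a in PAM_EXEC_OPTIONS or a.startswith(PAM_EXEC_KV_PREFIXES):
            continue
        return a
    return None


def find_pam_exec(entries: List[PamEntry],
                  allowlist: FrozenSet[str] = frozenset()) -> List[Dict[str, str]]:
    """Flag every pam_exec.so entry whose command is not on the allowlist."""
    findings: List[Dict[str, str]] = []
    for e in entries:
        if e.module.rsplit("/", 1)[-1] != "pam_exec.so":
            continue
        cmd = pam_exec_command(e.args)
        if cmd in allowlist:
            continue
        # Commands hooked into the auth/password stages run on every login and,
        # with expose_authtok, are handed the credential on stdin: highest risk.
        high = e.mtype in ("auth", "password") or "expose_authtok" in e.args
        findings.append({
            "service": e.service,
            "stage": e.mtype,
            "command": cmd or "<none>",
            "severity": "high" if high else "medium",
        })
    return findings


# Constructed sample of /etc/pam.d/sshd; not taken from any real host or report.
SAMPLE_SSHD = """\
# PAM configuration for the Secure Shell service (constructed sample)
auth       required     pam_env.so
auth       optional     pam_exec.so expose_authtok /usr/local/lib/.auth-cache.sh
@include common-auth
account    required     pam_nologin.so
session    [success=1 default=ignore] pam_exec.so seteuid /usr/bin/update-motd.sh
"""

# Assumed allowlist: commands the administrator deliberately installed.
KNOWN_GOOD = frozenset({"/usr/bin/update-motd.sh"})


def audit_sample() -> List[Dict[str, str]]:
    """Run the audit over the constructed sshd sample."""
    return find_pam_exec(parse_pam_config("sshd", SAMPLE_SSHD), KNOWN_GOOD)


if __name__ == "__main__":
    import glob
    import os
    # On a real host, audit every service file under /etc/pam.d (assumed path).
    for path in sorted(glob.glob("/etc/pam.d/*")):
        with open(path, encoding="utf-8", errors="replace") as fh:
            for f in find_pam_exec(parse_pam_config(os.path.basename(path), fh.read()), KNOWN_GOOD):
                print(f)
    for f in audit_sample():
        print("sample:", f)
```

On the constructed sample the allowlisted `update-motd.sh` session hook is suppressed and only the `auth`-stage entry is reported, with severity `high`. The allowlist, rather than a blanket ban, is the point: pam_exec has legitimate uses, so the detection should compare the configured commands against what the administrator actually deployed, and any change to those files is worth alerting on.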
