The Group-IB Digital Forensics and Incident Response (DFIR) team has uncovered a novel technique that exploits Linux’s Pluggable Authentication Modules (PAM) to create persistent backdoors on compromised systems.
This technique, not yet included in the MITRE ATT&CK framework, involves abuse of the pam_exec module to gain privileged access and maintain a foothold on targeted hosts.
PAM is an adaptable framework constructed with shared libraries to oversee user authentication and authorization across multiple applications. It segregates the authentication procedure from specific applications, providing increased flexibility.
The pam_exec module in Linux allows the execution of external commands or scripts during the PAM authentication process. It provides a way to extend and customize authentication behavior by running arbitrary commands at different stages of the authentication flow.
Exploiting the Flexibility of PAM
PAM, a suite of libraries designed to manage user authentication and authorization on Linux systems, is known for its flexibility and modularity.
Administrators can configure PAM to use various authentication methods, such as local passwords, LDAP, or biometric data, by selecting appropriate modules. However, malicious actors have now turned this very flexibility against the system.
The Group-IB team found that attackers manipulate the PAM configuration related to SSH authentication to invoke the pam_exec module.
By modifying the configuration file to execute a malicious script during SSH authentication attempts, the attackers could silently perform malicious actions, even if the login attempt failed. This technique ensures that no traces of data exfiltration appear in system logs, making forensic investigations more challenging.
The malicious script executed via pam_exec can transfer sensitive data, such as usernames, environment variables, and authentication details, to a remote server controlled by the attackers. This stealthy exfiltration method bypasses traditional security monitoring, as failed login attempts are often overlooked.
Moreover, by tampering with PAM modules, attackers can create backdoors or steal user credentials, especially since PAM does not store passwords but hands the typed authentication token to each module in plaintext. This weakness allows malicious actors to establish persistent control over compromised systems, making detection and remediation efforts significantly more difficult.
Proactive Defenses and Monitoring
Organizations must adopt proactive defenses and enhanced monitoring strategies to combat this emerging threat. Privilege Management for Unix & Linux (PMUL) can help prevent unauthorized access by replacing high-risk commands like vi with restricted versions like pbvi. Additionally, file integrity monitoring (FIM) can aid in the early detection of suspicious configuration changes.
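The configuration tampering described above (a pam_exec line added to the SSH PAM stack) and the file-integrity-monitoring advice here both come down to the same question: which external commands does PAM currently run, and are they the ones you expect? The following Python script is an added example, not code from Group-IB or from this article. It parses pam.d-style configuration text, lists every pam_exec.so entry with its management group, control flag, options and command, and flags the combinations the research describes: a hook in the auth stack (which PAM reaches even after a required module has failed, so it fires on failed logins too), the expose_authtok option (which feeds the typed password to the command on stdin), a command outside the system binary directories, or a command missing from an approved baseline. The sample sshd configuration, the baseline list and the path /usr/libexec/motd-refresh are constructed for the example; pam_exec's option names are the real ones from its man page.

```python
"""Audit pam.d configuration for pam_exec hooks (constructed example)."""
import re
from dataclasses import dataclass, field

# Directories a legitimate pam_exec command normally lives in; anything else
# (/tmp, /dev/shm, home directories, ...) deserves a closer look.
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/",
                    "/bin/", "/sbin/", "/etc/security/")

# Option tokens pam_exec accepts (from pam_exec(8)); log= and type= take values.
PAM_EXEC_OPTIONS = {"debug", "expose_authtok", "seteuid", "quiet", "quiet_log", "stdout"}

# pam.d line layout: [-]type  control  module-path  [arguments...]
# The control field may be a bracketed expression such as [success=1 default=ignore].
_LINE_RE = re.compile(
    r"^-?(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+"
    r"(?P<module>\S+)"
    r"(?P<args>.*)$"
)


@dataclass
class PamExecEntry:
    source: str            # name of the pam.d file the line came from
    lineno: int
    group: str             # auth / account / password / session
    control: str
    options: list[str] = field(default_factory=list)
    script: str = ""       # the external command plus its arguments


def parse_pam_exec(source: str, text: str) -> list[PamExecEntry]:
    """Return every pam_exec.so entry found in one pam.d-style config text."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = _LINE_RE.match(line)
        if not m:
            continue
        module = m.group("module").rsplit("/", 1)[-1]   # tolerate full module paths
        if module != "pam_exec.so":
            continue
        args = m.group("args").split()
        opts, script = [], ""
        for i, tok in enumerate(args):
            # The first token that is not a pam_exec option starts the command.
            if tok in PAM_EXEC_OPTIONS or tok.startswith(("log=", "type=")):
                opts.append(tok)
            else:
                script = " ".join(args[i:])
                break
        entries.append(PamExecEntry(source, lineno, m.group("type"),
                                    m.group("control"), opts, script))
    return entries


def assess(entry: PamExecEntry, baseline: set[str]) -> list[str]:
    """Explain why a pam_exec entry deserves attention; empty list means clean."""
    notes = []
    cmd = entry.script.split()[0] if entry.script else ""
    if cmd not in baseline:
        notes.append(f"command {cmd!r} is not in the approved pam_exec baseline")
    if cmd and not cmd.startswith(TRUSTED_PREFIXES):
        notes.append(f"command {cmd!r} lives outside the system binary directories")
    if "expose_authtok" in entry.options and entry.group in ("auth", "password"):
        notes.append("expose_authtok: the command receives the typed password on stdin")
    if entry.group == "auth":
        notes.append("auth-stack hook: PAM keeps walking the stack after a required "
                     "module fails, so this command also runs for failed logins")
    return notes


def audit(configs: dict[str, str], baseline: set[str]) -> dict[str, list[str]]:
    """Map 'file:line' to findings for every pam_exec entry that has any."""
    findings = {}
    for source, text in configs.items():
        for entry in parse_pam_exec(source, text):
            notes = assess(entry, baseline)
            if notes:
                findings[f"{source}:{entry.lineno}"] = notes
    return findings


# Constructed sshd PAM stack: one benign session hook, one hook of the kind
# the article describes in the auth stack.
SAMPLE_SSHD = """\
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
auth       optional     pam_exec.so quiet expose_authtok /dev/shm/.cache/sync.sh
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_exec.so seteuid /usr/libexec/motd-refresh
"""

# Constructed baseline: the only pam_exec command this host is supposed to run.
BASELINE = {"/usr/libexec/motd-refresh"}

if __name__ == "__main__":
    for where, notes in audit({"sshd": SAMPLE_SSHD}, BASELINE).items():
        print(where)
        for note in notes:
            print("  -", note)
```

On a live host the same functions can be fed the contents of /etc/pam.d/* read in a loop; keeping the approved-command baseline in version control alongside the FIM baseline turns a pam_exec line that appears after a compromise into a diff rather than something an analyst has to notice by eye.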
Monitoring PAM API usage in sandboxed environments is crucial for identifying potential security threats. The discovery of this PAM exploitation technique serves as a wake-up call for the Linux community.
As open-source systems, Linux distributions benefit from the contributions of security experts who continuously work to address vulnerabilities. However, the modular nature of PAM introduces risks that must be carefully managed.
The Group-IB team continues to investigate this technique and its potential impact; organizations must prioritize the security of their Linux systems and invest in robust defenses against PAM-based attacks.