Linux PAM Exploit Creates Persistent Backdoors: What You Need to Know

Group-IB’s Digital Forensics and Incident Response (DFIR) team uncovered a technique that abuses Linux’s Pluggable Authentication Modules (PAM) to establish persistent backdoors on compromised systems. Although this specific pam_exec variant is not yet catalogued in the MITRE ATT&CK framework (PAM modification in general is tracked under T1556.003, Modify Authentication Process: Pluggable Authentication Modules), the attack relies on no vulnerability: it abuses the legitimate pam_exec module to run attacker-controlled code with the privileges of the authenticating service.

PAM is a modular framework that manages user authentication and authorization on behalf of applications such as sshd, login and sudo. Its flexibility, however, can be turned against the system it protects. An attacker who already holds root edits the SSH service’s PAM configuration (typically /etc/pam.d/sshd) so that the authentication stack invokes pam_exec.

How the Attack Works

The pam_exec module runs an external command or script at a chosen point in the PAM stack (auth, account, password or session). By adding a single line to the service’s configuration file, attackers have a script executed on every SSH authentication attempt. Because an auth entry placed before the password-checking module is evaluated regardless of whether the attempt ultimately succeeds, the script runs on failed logins too, quietly and without raising alarms, allowing malicious actions to take place in the background.

For instance, the script can silently exfiltrate sensitive data to servers under the attackers’ control: the username and the PAM_* environment variables pam_exec sets for the command (PAM_USER, PAM_RHOST, PAM_SERVICE, PAM_TYPE and others), and, when the entry carries the expose_authtok option, the password itself, which pam_exec writes to the command’s standard input. Traditional security measures may miss this activity because failed login attempts are so common on Internet-facing SSH hosts that they rarely receive individual scrutiny.
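The following is an added example, not part of Group-IB’s write-up or any product: a small parser for /etc/pam.d/<service> syntax that flags pam_exec entries, applied to a constructed sshd fragment containing the kind of injected auth line described above. The path /usr/local/lib/.cache/auth.sh is made up for illustration; the second pam_exec line shows an ordinary session hook so that the severity heuristic has a benign case to rank.

```python
"""Flag pam_exec entries in PAM service configs (added example, not Group-IB's tooling)."""
import os
from dataclasses import dataclass, field

# Constructed /etc/pam.d/sshd fragment. Line 3 is the kind of entry the
# article describes: pam_exec in the auth stack, before the password check,
# with expose_authtok so the typed password reaches the script on stdin.
# The script path is made up. Line 9 is a benign session hook for contrast.
SAMPLE_SSHD = """\
# PAM configuration for the Secure Shell service
auth       required     pam_env.so
auth       optional     pam_exec.so quiet expose_authtok \\
                        /usr/local/lib/.cache/auth.sh
@include common-auth
account    required     pam_nologin.so
@include common-account
session    required     pam_loginuid.so
session    optional     pam_exec.so seteuid /usr/bin/logger -t sshd login
@include common-session
"""

# Heuristic only: places a legitimate PAM hook is unlikely to live.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")


@dataclass
class PamEntry:
    lineno: int
    type: str        # auth / account / password / session
    control: str     # required, optional, [success=1 default=ignore], ...
    module: str      # basename of the module path, e.g. pam_exec.so
    args: list[str] = field(default_factory=list)


@dataclass
class Finding:
    severity: str    # critical / high / info
    lineno: int
    command: str     # first absolute path among the module arguments
    reasons: list[str]


def parse_pam_file(text: str) -> list[PamEntry]:
    """Parse 'type control module-path [args...]' lines as used in /etc/pam.d/.
    Handles backslash continuations, comments, a leading '-' on the type,
    bracketed control values, and skips @include/include/substack lines."""
    entries, logical, start = [], "", 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not logical:
            start = lineno                      # first physical line of the entry
        if line.endswith("\\"):
            logical += line[:-1] + " "
            continue
        fields = (logical + line).split()
        logical = ""
        if len(fields) < 2 or fields[0].startswith("@"):
            continue
        ptype = fields[0].lstrip("-")           # '-' = be silent if module is missing
        if fields[1].startswith("["):           # bracketed control spans several tokens
            end = next(i for i, f in enumerate(fields) if f.endswith("]"))
            control, rest = " ".join(fields[1:end + 1]), fields[end + 1:]
        else:
            control, rest = fields[1], fields[2:]
        if control in ("include", "substack") or not rest:
            continue
        entries.append(PamEntry(start, ptype, control, os.path.basename(rest[0]), rest[1:]))
    return entries


def pam_exec_findings(entries: list[PamEntry]) -> list[Finding]:
    """Rank every pam_exec entry. Legitimate uses exist (session hooks,
    logging), so each hit is a lead for review, not a verdict."""
    findings = []
    for e in entries:
        if e.module != "pam_exec.so":
            continue
        command = next((a for a in e.args if a.startswith("/")), "")
        reasons = []
        if e.type in ("auth", "password"):
            reasons.append(f"in the {e.type} stack: invoked for every attempt, failed ones included")
        if "expose_authtok" in e.args:
            reasons.append("expose_authtok: cleartext password is written to the command's stdin")
        if command.startswith(SUSPICIOUS_DIRS) or any(p.startswith(".") for p in command.split("/")):
            reasons.append(f"unusual command location for a PAM hook: {command}")
        severity = ("critical" if "expose_authtok" in e.args
                    else "high" if e.type in ("auth", "password") else "info")
        findings.append(Finding(severity, e.lineno, command, reasons))
    return findings


def scan_pam_dir(path: str = "/etc/pam.d") -> dict[str, list[Finding]]:
    """Run the check over a real host's service files (assumes read access)."""
    results = {}
    for name in sorted(os.listdir(path)):
        with open(os.path.join(path, name), encoding="utf-8", errors="replace") as fh:
            hits = pam_exec_findings(parse_pam_file(fh.read()))
        if hits:
            results[name] = hits
    return results


if __name__ == "__main__":
    for f in pam_exec_findings(parse_pam_file(SAMPLE_SSHD)):
        print(f"[{f.severity}] line {f.lineno}: {f.command}")
        for r in f.reasons:
            print("    -", r)
```

On a live host, `scan_pam_dir()` is the quick triage step: any pam_exec entry in an auth or password stack, or any command path outside the packaged system directories, deserves a look at the script itself and at the file’s modification time compared with the package manager’s record.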

Persistent Backdoors Through PAM Manipulation

By manipulating PAM modules, attackers can establish backdoors or steal user credentials. PAM does not store passwords, but it hands the authentication token to each module in cleartext, and pam_exec with expose_authtok passes it on to an arbitrary external process, which opens up further opportunities for attackers to harvest credentials and maintain control over the system. The change consists of one configuration line and a short-lived child process of the authenticating service, so the attack leaves minimal traces and makes detection and remediation difficult.

Proactive Defenses and Monitoring

To combat this threat, organizations need proactive defenses. Solutions like Privilege Management for Unix & Linux (PMUL) help by controlling which privileged commands an account may run and substituting restricted versions for high-risk ones, narrowing the path to the root access needed to edit PAM configuration in the first place. Additionally, File Integrity Monitoring (FIM) can identify suspicious changes early, in particular to /etc/pam.d/, /etc/security/ and the directory holding the PAM module shared objects.

Monitoring how PAM is used, for example unexpected child processes spawned by sshd during authentication, and validating PAM configuration changes in a sandboxed environment before they reach production, also helps detect potential threats before they can do significant damage. Given the modular nature of PAM, managing these risks is critical to maintaining the security of Linux systems.
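As an added example of the FIM recommendation above (this is not PMUL or any vendor’s engine), the following script snapshots the SHA-256 digest and permission bits of every regular file under the PAM-related paths, then diffs a later snapshot against the baseline. The demo builds a throwaway tree with a placeholder module file and an injected pam_exec line; the paths and the module name pam_x.so are constructed for illustration.

```python
"""Baseline-and-diff integrity check for PAM files (added example, not a product's FIM)."""
import hashlib
import json
import os
import stat
import tempfile

# Usual locations on Linux hosts; module directories vary by distribution,
# so snapshot() silently skips any that do not exist. Not an exhaustive list.
PAM_PATHS = [
    "/etc/pam.conf", "/etc/pam.d", "/etc/security",
    "/lib/security", "/lib64/security", "/usr/lib/security",
    "/lib/x86_64-linux-gnu/security", "/usr/lib/x86_64-linux-gnu/security",
]


def snapshot(roots: list[str]) -> dict[str, dict[str, str]]:
    """Record sha256 and mode of every regular file under the given roots.
    Symlinks and special files are not hashed (os.walk does not follow links)."""
    state = {}
    for root in roots:
        if os.path.isfile(root):
            files = [root]
        elif os.path.isdir(root):
            files = [os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs]
        else:
            continue
        for path in files:
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            state[path] = {"sha256": digest, "mode": oct(st.st_mode & 0o7777)}
    return state


def diff(baseline: dict, current: dict) -> dict[str, list[str]]:
    """Files that appeared, disappeared, or changed content/permissions."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in both if baseline[p] != current[p]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed tree standing in for /etc/pam.d and a module directory."""
    with tempfile.TemporaryDirectory() as tmp:
        pamd, modules = os.path.join(tmp, "pam.d"), os.path.join(tmp, "security")
        os.makedirs(pamd)
        os.makedirs(modules)
        sshd = os.path.join(pamd, "sshd")
        with open(sshd, "w") as fh:
            fh.write("@include common-auth\naccount required pam_nologin.so\n")
        with open(os.path.join(modules, "pam_unix.so"), "wb") as fh:
            fh.write(b"\x7fELF placeholder")          # stand-in for a real module
        baseline = snapshot([pamd, modules])

        # Simulated tampering: pam_exec hook appended, unknown module dropped in.
        with open(sshd, "a") as fh:
            fh.write("auth optional pam_exec.so expose_authtok /var/tmp/.x/hook.sh\n")
        with open(os.path.join(modules, "pam_x.so"), "wb") as fh:
            fh.write(b"\x7fELF placeholder 2")

        changes = diff(baseline, snapshot([pamd, modules]))
        # Strip the temp prefix so the result is stable across runs.
        return {k: [p[len(tmp):] for p in v] for k, v in changes.items()}


if __name__ == "__main__":
    # Real use: json.dump(snapshot(PAM_PATHS), fh) once, then diff() on a schedule.
    print(json.dumps(demo(), indent=2))
```

Store the baseline off-host or in a write-once location; an attacker with root can otherwise update it alongside the configuration. Any entry in "added" under a module directory, or any "modified" hit on a file the package manager considers unchanged, is worth a manual read.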

Conclusion

The discovery of this PAM exploitation technique highlights the need for robust defenses in Linux environments. As attackers continue to find new ways to manipulate system components like PAM, organizations must stay vigilant and adopt advanced monitoring and preventive strategies to protect their systems from backdoor creation and other malicious activities.
