China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade
Key Points:
- A China-linked group known as Velvet Ant spent nearly a decade hiding backdoors in the Linux login system, specifically targeting PAM and OpenSSH components to maintain stealthy access.
- The attackers modified trusted login programs to log credentials and commands or allow secret access, making their activity appear as normal administration and evading detection by standard security measures.
- The group used internet-facing systems as staging points to reach isolated networks with no direct internet access, passing commands through compromised infrastructure like web servers and network devices.
- Velvet Ant has a history of targeting less-monitored infrastructure, including F5 BIG-IP appliances and Cisco NX-OS switches, using vulnerabilities and backdoors for persistence rather than direct exploits.
- Defenders are urged to monitor and verify the integrity of login-related files and infrastructure components regularly, as traditional containment methods like password resets are ineffective when the login system itself is compromised.
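As an added illustration of the last point (example code, not from the article or the researchers), the script below baselines the SHA-256 of PAM modules, PAM configuration and the sshd binary and config, then reports files that were modified, removed, or newly added; the paths in `DEFAULT_TARGETS` are assumed common Linux locations, and `simulate_tamper()` plays the scenario out in a constructed temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path

# Typical locations of the components the article says were backdoored
# (assumed common Linux paths, not indicators taken from the article).
DEFAULT_TARGETS = [
    "/lib/x86_64-linux-gnu/security",  # PAM modules (Debian/Ubuntu layout)
    "/etc/pam.d",                      # PAM stack configuration
    "/etc/ssh/sshd_config",
    "/usr/sbin/sshd",
]

def build_baseline(targets=DEFAULT_TARGETS):
    """Map every regular file under the targets to its SHA-256; absent targets are skipped.
    Take the baseline from a known-good install and store it off the host, because a
    root-level implant can rewrite any baseline kept locally."""
    baseline = {}
    for target in targets:
        root = Path(target)
        paths = [root] if root.is_file() else root.rglob("*") if root.is_dir() else []
        for path in paths:
            if path.is_file():
                baseline[str(path)] = hashlib.sha256(path.read_bytes()).hexdigest()
    return baseline

def verify(baseline, targets=DEFAULT_TARGETS):
    """Diff the live files against the baseline. 'added' matters as much as 'modified':
    a new PAM module or sshd helper is a common way to plant a credential logger."""
    current = build_baseline(targets)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }

def simulate_tamper():
    """Constructed demo in a temp dir: trojan one PAM module, delete one, drop a new one."""
    root = Path(tempfile.mkdtemp())
    sec = root / "security"
    sec.mkdir()
    (sec / "pam_unix.so").write_bytes(b"constructed good module")
    (sec / "pam_deny.so").write_bytes(b"constructed good module")
    (root / "sshd_config").write_text("PermitRootLogin no\n")
    targets = [str(sec), str(root / "sshd_config"), str(root / "absent")]
    baseline = build_baseline(targets)
    (sec / "pam_unix.so").write_bytes(b"constructed trojaned module")
    (sec / "pam_deny.so").unlink()
    (sec / "pam_extra.so").write_bytes(b"constructed dropped module")
    return {k: sorted(Path(p).name for p in v) for k, v in verify(baseline, targets).items()}
```

Run `build_baseline()` once on a freshly installed host and keep the result off-box (or signed); a scheduled `verify()` against that copy is what makes a trojaned `pam_unix.so` or a swapped sshd visible when password resets alone would not.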