Group-IB
Your daily source of cybersecurity news brought to you by Group-IB, one of the global industry leaders.
The Group-IB DFIR Team has identified a new technique that exploits the pam_exec module to gain privileged shell access and establish persistent control on compromised hosts.

The flexibility of the Pluggable Authentication Module (PAM) poses risks, particularly with pam_exec, which can be used to run malicious scripts. These scripts can be injected into PAM configurations, allowing attackers to maintain access and manipulate authentication processes undetected. PAM’s plaintext transmission of values and lack of secure password storage further exacerbate the risk.

Find out more on our blog, and review your PAM configurations to protect against this vulnerability.

#CyberSecurity #DFIR #ThreatHunting #PAM #MITREATTACK #FightAgainstCybercrime
Pluggable Authentication Modules (PAM) are at the heart of Linux and Solaris authentication—but what happens when that core component is compromised?

In our latest Group‑IB blog post, we examine a sophisticated attack vector in which threat actors modify the pam_unix.so module to harvest plaintext credentials and evade detection. Key takeaways include:
Real‑World Case Studies: How UNC1945 and UNC2891 leveraged PAM backdoors on Solaris and Linux systems
Detection Strategies: Best practices for module integrity audits, file integrity monitoring and SIEM alerting
Mitigation Playbook: Step‑by‑step guidance on disabling password authentication, enforcing key‑only SSH, and securing private keys

Whether you’re responsible for infrastructure security or compliance, this analysis provides actionable insights to strengthen your authentication layer and reduce risk.

🔗 Read the full report here

#CyberSecurity #PAM #ThreatIntel #FightAgainstCybercrime
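Both posts above point to the same defensive response: review PAM configurations for injected pam_exec entries and audit the integrity of the PAM module files themselves. The Python script below is an added example, not Group-IB code and not taken from the blog posts. It parses pam.d-style configuration text, reports every pam_exec.so entry (flagging commands outside an assumed allowlist of system directories and the documented expose_authtok option, which hands the entered password to the command), and compares module files against a sha256 manifest. The sample sshd configuration, the TRUSTED_SCRIPT_DIRS allowlist, the manifest values and all function names are constructed for this example.

```python
"""Audit PAM configuration for pam_exec entries and verify module file hashes.

Added example for the two posts above; not Group-IB code. The sample config,
the trusted-directory allowlist and all function names are constructed here.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed allowlist: directories from which a pam_exec command is expected to
# run on a typical distribution. Adjust to the host's known-good baseline.
TRUSTED_SCRIPT_DIRS = ("/usr/lib/", "/usr/libexec/", "/usr/sbin/", "/usr/bin/")

# pam_exec.so options documented in pam_exec(8); any other argument is the command.
PAM_EXEC_OPTIONS = ("debug", "expose_authtok", "log=", "type=", "stdout", "quiet", "seteuid")

# Constructed sample of an /etc/pam.d/sshd file with one injected pam_exec line.
SAMPLE_SSHD_PAM = """\
# constructed sample, not from a real host
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       optional     pam_exec.so expose_authtok quiet /tmp/.cache/helper.sh
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
session    optional     pam_keyinit.so force revoke
session    [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session    required     pam_exec.so /usr/libexec/motd-update
"""


def parse_pam_config(text):
    """Return (type, control, module, args) tuples from pam.d-style text.

    Handles '#' comments, blank lines, backslash continuations and bracketed
    controls such as [success=1 default=ignore]. Lines with fewer than three
    fields (e.g. Debian's '@include common-auth') are skipped.
    """
    entries, logical = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.endswith("\\"):            # continuation: join with next line
            logical += line[:-1] + " "
            continue
        logical += line
        m = re.match(r"\s*(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$", logical)
        logical = ""
        if m:
            mtype, control, module, args = m.groups()
            entries.append((mtype, control, module, (args or "").split()))
    return entries


def find_pam_exec(entries):
    """Report every pam_exec.so entry; flag untrusted commands and password exposure."""
    findings = []
    for mtype, control, module, args in entries:
        if Path(module).name != "pam_exec.so":
            continue
        cmd = next((a for a in args if not a.startswith(PAM_EXEC_OPTIONS)), None)
        findings.append({
            "type": mtype,
            "control": control,
            "command": cmd,
            # No command, or a command outside the allowlist, needs a human look.
            "suspicious": cmd is None or not cmd.startswith(TRUSTED_SCRIPT_DIRS),
            # expose_authtok passes the authentication token to the command's stdin.
            "exposes_password": "expose_authtok" in args,
        })
    return findings


def verify_module_hashes(module_dir, manifest):
    """Compare sha256 of each manifest entry with the file on disk.

    manifest maps file name -> expected hex digest (take it from the package
    manager or a trusted build). Returns {name: 'ok' | 'MODIFIED' | 'missing'}.
    """
    results = {}
    for name, expected in manifest.items():
        path = Path(module_dir) / name
        if not path.is_file():
            results[name] = "missing"
            continue
        actual = hashlib.sha256(path.read_bytes()).hexdigest()
        results[name] = "ok" if actual == expected else "MODIFIED"
    return results


def check_tampered_copy():
    """Self-contained demonstration of verify_module_hashes using temp files."""
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "pam_unix.so"
        path.write_bytes(b"pristine module bytes")       # stand-in for the real .so
        expected = hashlib.sha256(b"pristine module bytes").hexdigest()
        manifest = {"pam_unix.so": expected, "pam_exec.so": expected}
        before = verify_module_hashes(d, manifest)
        path.write_bytes(b"tampered module bytes")       # simulate a backdoored file
        after = verify_module_hashes(d, manifest)
    return before["pam_unix.so"], after["pam_unix.so"], before["pam_exec.so"]


def audit_pam_dir(pam_dir="/etc/pam.d"):
    """Scan every file in a pam.d directory; returns {file name: pam_exec findings}."""
    report = {}
    for cfg in sorted(Path(pam_dir).glob("*")):
        if cfg.is_file():
            found = find_pam_exec(parse_pam_config(cfg.read_text(errors="replace")))
            if found:
                report[cfg.name] = found
    return report


if __name__ == "__main__":
    for finding in find_pam_exec(parse_pam_config(SAMPLE_SSHD_PAM)):
        print(finding)
    print(check_tampered_copy())
```

On a live host, `audit_pam_dir()` walks /etc/pam.d and a manifest for `verify_module_hashes` can be built from the distribution package (for example the digests recorded by rpm or dpkg for the PAM package) rather than from the files currently on disk, since a modified pam_unix.so would otherwise verify against itself.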