China-linked hackers hid in authentication system for years

Summary
– The China-linked cyber espionage group Velvet Ant remained undetected inside an organization’s internal network for nearly a decade.
– Velvet Ant achieved stealthy persistence by backdooring privilege access management modules and OpenSSH binaries across multiple hosts.
– The group modified PAM modules to accept a hardcoded password for bypassing authentication and silently log user credentials.
– Modified SSH binaries captured credentials from all connections, logged commands, and stored data in encrypted files disguised within the filesystem.
– Eradicating Velvet Ant was difficult because replacing compromised authentication components risked locking administrators out of hosts, especially across varied Linux systems.
A state-aligned cyber espionage group linked to China, known as Velvet Ant, successfully evaded detection for nearly a decade within an unnamed organization’s internal network, according to a forensic report from cybersecurity firm Sygnia.
The hallmark of this group is its ability to maintain stealthy, years-long persistence within targeted environments. In this case, removing them proved exceptionally difficult because they had seized control of the entire authentication stack by backdooring privileged access management (PAM) modules and OpenSSH binaries across multiple hosts.
The report does not specify how Velvet Ant first breached the organization’s internet-facing servers, but it details their subsequent moves. They deployed a modified version of the GS-Netcat utility to establish a reverse shell to a remote command-and-control (C2) server. From there, they used altered Nginx configurations and a custom binary to initiate SSH connections to internal servers via HTTP POST requests. For tunneling and lateral movement, they employed a custom implementation of the open-source ssspl SOCKS5 proxy server.
The most significant phase of the intrusion was the takeover of the authentication layer. Velvet Ant modified the PAM modules responsible for verifying logins and the OpenSSH binaries used for remote access. One altered PAM module could either accept a hardcoded password to bypass authentication entirely, or silently log every legitimate username and password to a hidden file. “Nine distinct pam_unix.so variants were identified, each built in a separate compile environment – the level of effort required to produce and maintain these variants points to a well-resourced, deliberate operation,” the analysts noted.
The compromised SSH binaries went further, capturing credentials from both incoming and outgoing connections and logging every command typed during active sessions. This data was stored in encrypted files disguised to blend into the filesystem. For added stealth, a custom flag in these binaries could suppress credential and key logging, while another allowed the binary to disguise its process name to match system processes. As a third layer of persistence, they appended their own keys to the authorized_keys files on compromised servers, granting password-free access that would survive a full password rotation.
Eradicating Velvet Ant required more than deleting a rogue file or disabling a service. Removing one or two of the three persistence mechanisms would not suffice. “From an eradication perspective, replacing a malicious service is one thing, while replacing PAM modules and OpenSSH binaries is another. A wrong package, incompatible binary or a missing dependency can completely lock administrators out of a host. In critical infrastructure, that can turn remediation into a production outage,” Sygnia warned.
The diverse range of Linux distributions and versions on the affected servers added complexity, as remediation packages had to be tailored for each. Every replacement required testing before installation on production systems, and the team prepared rollback options for various failure scenarios.
“[This operation] is a case study in why signature-based detection and alert-driven security operations fall short against a patient, capable threat actor,” the report concluded. “There was no novel exploit to catch; no clearly malicious binary dropping into a monitored directory. Velvet Ant operates through pam_unix.so, sshd, and ssh – components that exist on virtually every Linux host in the environment, that behave normally for legitimate users, and that generate no anomalous log entries when backdoored. The attacker’s presence was, by design, indistinguishable from legitimate administrative activity.”
Sygnia recommends that organizations deploy a variety of critical security controls and engage in proactive threat hunting. “Proactive threat hunting shifts the analytical frame from ‘what is known to be malicious’ to ‘what is inconsistent, unexpected, or unjustified in this environment.’ That distinction matters enormously in segmented or high-sensitivity networks, where the assumption of isolation can create a false sense of security,” they added.
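The backdoored components described above (pam_unix.so, sshd, ssh, appended authorized_keys entries) and the "what is inconsistent in this environment" hunting frame both come down to comparing what is on a host with what should be there. The following is an added example written for this page, not code from Sygnia or from the report: it parses the per-file verification output that rpm -V and dpkg -V print for package-managed files and flags watched authentication components whose size, mode or digest no longer match the package manifest, then diffs the keys in an authorized_keys file against an approved baseline. All sample lines are constructed; the watched basenames, the baseline and the key blobs are assumptions for the demonstration.

```python
"""Added example (not from the Sygnia report): two hunting checks for the
authentication-layer persistence described in the article, run over
constructed sample data so the script works offline."""
import os
import re

# Basenames of the components the report says were backdoored (assumption:
# extend for your environment, e.g. sudo, login, pam_sss.so).
WATCHED = {"pam_unix.so", "sshd", "ssh"}

# rpm -V / dpkg -V print nine attribute columns, an optional file-type letter
# (c = config file), then the path; 'missing' replaces the columns when the
# file is gone.
_VERIFY_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{9})\s+(?:[cdglr]\s+)?(?P<path>/\S+)$"
)
_MISSING_RE = re.compile(r"^missing\s+(?:[cdglr]\s+)?(?P<path>/\S+)$")

# Columns that mean content or metadata changed; a differing mtime alone
# ('T') is common after legitimate upgrades and is deliberately ignored.
_SIGNIFICANT = {
    "S": "size", "M": "mode", "5": "digest", "D": "device",
    "L": "symlink", "U": "owner", "G": "group", "P": "capabilities",
}


def parse_verify_line(line):
    """Return (path, flags) for one rpm -V / dpkg -V line, else None.
    flags is the 9-column string or the literal 'missing'."""
    line = line.rstrip()
    m = _MISSING_RE.match(line)
    if m:
        return m.group("path"), "missing"
    m = _VERIFY_RE.match(line)
    if m:
        return m.group("path"), m.group("flags")
    return None


def tampered_components(verify_output, watched=WATCHED):
    """Return [(path, reason)] for watched files that differ from their
    package manifest in any way other than mtime."""
    findings = []
    for line in verify_output.splitlines():
        parsed = parse_verify_line(line)
        if not parsed:
            continue
        path, flags = parsed
        if os.path.basename(path) not in watched:
            continue
        if flags == "missing":
            findings.append((path, "missing"))
            continue
        changed = [name for col, name in _SIGNIFICANT.items() if col in flags]
        if changed:
            findings.append((path, ",".join(changed)))
    return findings


# Matches "keytype base64blob" anywhere on the line, so keys preceded by
# options such as command="..." or no-pty are still found.
_KEY_RE = re.compile(
    r"\b(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521)"
    r"|sk-(?:ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)"
    r"\s+([A-Za-z0-9+/=]+)"
)


def parse_authorized_keys(text):
    """Return the set of (keytype, blob) pairs in authorized_keys text."""
    keys = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _KEY_RE.search(line)
        if m:
            keys.add((m.group(1), m.group(2)))
    return keys


def unexpected_keys(current_text, baseline_text):
    """Keys present on the host but absent from the approved baseline."""
    return sorted(parse_authorized_keys(current_text)
                  - parse_authorized_keys(baseline_text))


# Constructed sample data, not real output from the incident.
SAMPLE_VERIFY = """\
.......T.    /usr/lib/systemd/system/sshd.service
S.5....T.    /usr/sbin/sshd
S.5....T.    /usr/lib64/security/pam_unix.so
..5......  c /etc/ssh/sshd_config
missing      /usr/bin/ssh
"""
SAMPLE_BASELINE = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBASELINEKEYONEEXAMPLE admin@bastion
"""
SAMPLE_AUTHORIZED_KEYS = """\
# admin key, approved
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBASELINEKEYONEEXAMPLE admin@bastion
command="/bin/true",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTEDUNKNOWN root@unknown
"""

if __name__ == "__main__":
    for path, reason in tampered_components(SAMPLE_VERIFY):
        print(f"TAMPERED {path}: {reason}")
    for keytype, blob in unexpected_keys(SAMPLE_AUTHORIZED_KEYS, SAMPLE_BASELINE):
        print(f"UNEXPECTED KEY {keytype} ...{blob[-16:]}")
```

On the sample data the script reports sshd and pam_unix.so as changed in size and digest, ssh as missing, and one ssh-rsa key that is not in the baseline. Two caveats matter in practice: package verification compares against the manifest stored on the same host, so an attacker who can replace binaries can in principle also edit that database, which is why the digests should be compared against a copy from a trusted mirror or a build system; and components that were built locally rather than installed from a package will show no manifest at all, so their absence from the verification output is itself an inconsistency worth chasing.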
(Source: Help Net Security)




