China-linked Velvet Ant hid in Linux login software for nearly a decade
Sygnia has detailed Operation Highland, a campaign in which the China-linked group Velvet Ant hid inside the Linux authentication stack itself for close to a decade, with traces back to 2016. Instead of dropping detectable malware, the attackers replaced the trusted PAM login module (pam_unix.so) and OpenSSH binaries with backdoored versions, found in nine distinct variants. Some accepted a hardcoded secret password; others silently logged real usernames, passwords, and every command typed, with a hidden switch to turn logging off. Because login programs are trusted and rarely inspected, the activity looked like normal administration and evaded scanners on a network with no direct internet access.
- Check: Integrity-check PAM modules (pam_unix.so) and OpenSSH binaries on Linux hosts against known-good hashes from your distribution, and watch for logins succeeding with unexpected or hardcoded credentials.
- Affected: Linux environments, especially internal servers and appliances without endpoint detection, where attackers with prior access can replace authentication binaries; high-value, long-dwell espionage targets are most at risk.
- Fix: Reinstall PAM and OpenSSH from trusted distribution packages, rotate all credentials that may have been harvested, deploy file-integrity monitoring on authentication binaries, and extend detection to appliances lacking EDR.