The Group-IB DFIR Team has identified a new technique that exploits the pam_exec module to gain privileged shell access and establish persistent control on compromised hosts.

The flexibility of the Pluggable Authentication Module (PAM) poses risks, particularly with pam_exec, which can be used to run malicious scripts. These scripts can be injected into PAM configurations, allowing attackers to maintain access and manipulate authentication processes undetected. PAM’s plaintext transmission of values and lack of secure password storage further exacerbate the risk.

Find out more on our blog, and review your PAM configurations to protect against this vulnerability.

#CyberSecurity #DFIR #ThreatHunting #PAM #MITREATTACK #FightAgainstCybercrime
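A starting point for the PAM configuration review suggested above, as an added example that is not Group-IB's code: it parses `/etc/pam.d`-style service files and lists every pam_exec entry with the command it runs and whether the `expose_authtok` option passes the user's password to that command. The sample rules and script paths are constructed, the function names are hypothetical, and `/etc/pam.conf` (which carries an extra service column) is not handled.

```python
import re
from itertools import takewhile
from pathlib import Path

# Options from pam_exec(8); the first non-option argument is the command PAM runs.
FLAGS = {"debug", "expose_authtok", "seteuid", "quiet", "quiet_log", "stdout"}
KEYED = ("log=", "type=")
RULE = re.compile(r"^-?(?P<type>\w+)\s+(?P<control>\[[^\]]*\]|\S+)"
                  r"\s+(?P<module>\S+)\s*(?P<args>.*)$")

# Constructed sample in /etc/pam.d format; the script paths are hypothetical.
SAMPLE = """\
auth       required     pam_unix.so nullok
auth       optional     pam_exec.so quiet expose_authtok /usr/local/bin/example-hook.sh
session    [success=1 default=ignore]  pam_exec.so seteuid log=/var/log/example.log \\
           /opt/example/notify --on-login
"""

def logical_lines(text):
    """Yield (first_line_number, text) with backslash continuations joined."""
    buf, start = "", 0
    # The trailing "" flushes a rule left open by a dangling continuation.
    for n, line in enumerate(text.splitlines() + [""], 1):
        start = start if buf else n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf = ""

def find_pam_exec(text, source="<inline>"):
    findings = []
    for lineno, line in logical_lines(text):
        m = RULE.match(line.split("#", 1)[0].strip())
        if not m or not Path(m["module"]).name.startswith("pam_exec"):
            continue
        args = m["args"].split()
        opts = list(takewhile(lambda a: a in FLAGS or a.startswith(KEYED), args))
        # expose_authtok hands the user's password to the command on stdin.
        findings.append({"source": source, "line": lineno, "type": m["type"],
                         "control": m["control"], "options": opts,
                         "command": " ".join(args[len(opts):]),
                         "sees_password": "expose_authtok" in opts})
    return findings

def audit_dir(pam_dir="/etc/pam.d"):
    files = sorted(p for p in Path(pam_dir).iterdir() if p.is_file())
    return [h for p in files for h in find_pam_exec(p.read_text(errors="replace"), str(p))]

if __name__ == "__main__":
    print(*find_pam_exec(SAMPLE, "sample"), sep="\n")
```

Run `audit_dir()` on a host and compare each reported command against what the distribution and your configuration management are expected to deploy.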