[SANS ISC] (Ab)Using Security Tools & Controls for the Bad, (Mon, Nov 8th)

As security practitioners, we give daily advice to our customers to increase the security level of their infrastructures: install this tool, enable this feature, disable that function, etc. Once enabled, these same mechanisms can also be (ab)used by attackers to perform nasty actions.

PAM, or Pluggable Authentication Modules[1], is an old authentication system that has been around since 1997! It allows you to extend the authentication capabilities of a system and interconnect it with third-party systems. PAM is available on all Linux flavours and is used, amongst plenty of others, by the SSH daemon. By default, SSH allows you to authenticate via credentials or a key, but there are plenty of other ways to authenticate a user: via a centralised directory (LDAP, RADIUS, Kerberos), against a proprietary database, and much more. It can also be used to raise the security level by implementing MFA (“Multi-Factor Authentication”). In 2009(!), I already wrote a blog post explaining how to use a Yubikey as a second factor via PAM[2].

From this, you can imagine that the PAM sub-system, being part of the authentication path, has access to a lot of sensitive information! Here is an example of a credential-leaking technique that I found in the wild recently, and it is pretty easy to implement. In many organisations, bastion hosts are used to provide admins, consultants, etc. with access to internal resources. They are used to “pivot” inside the network.

If a bastion host is compromised (or a server, or an admin end-point), a malicious PAM module can be installed to automatically collect credentials. One of these modules is called “pam_steal”[3]. The module has only 40 lines of code and, once the attacker has installed it, it collects every password presented to PAM and dumps it into a flat file, which the attacker collects later. No need to sniff traffic or to decrypt data!

Once dropped on the victim’s computer, the malicious module is enabled simply by adding a line referencing it to the /etc/pam.d/common-auth file. To protect against this kind of attack, a good idea is to use a FIM[4] (“File Integrity Monitor”) to detect changes to sensitive files such as those in /etc/pam.d.
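As an added illustration of the detection side (this is example code written for this page, not a tool from the ISC or from the pam_steal repository), the following script does two things a FIM should do on a bastion host: it hashes a set of files and diffs them against a stored baseline, and for every new or modified file under /etc/pam.d it parses the PAM configuration and reports any module not on an allowlist of expected modules. The sample common-auth content, the allowlist and the module directory path /lib/x86_64-linux-gnu/security are constructed assumptions; on a real host the allowlist should be derived from the package manager (for example the files owned by the PAM packages) and the baseline stored off-host.

```python
"""Baseline diff plus PAM configuration review (added example, not the page's own code)."""
import hashlib
import os
from typing import Dict, Iterable, List, NamedTuple, Set


class PamEntry(NamedTuple):
    type: str        # auth, account, password, session (may be prefixed with '-')
    control: str     # required, sufficient, [success=1 default=ignore], ...
    module: str      # pam_unix.so, pam_deny.so, ...
    args: List[str]  # module arguments, e.g. nullok_secure


def parse_pam_config(text: str) -> List[PamEntry]:
    """Parse a /etc/pam.d/* file into module entries.

    Comments, blank lines and @include directives are skipped, continuation
    lines ending in a backslash are joined, and a bracketed control field such
    as [success=1 default=ignore] is kept together as one token.
    """
    text = text.replace("\\\n", " ")
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        tokens = line.split()
        if len(tokens) < 3:
            continue
        if tokens[1].startswith("["):
            i = 1
            while i < len(tokens) and not tokens[i].endswith("]"):
                i += 1
            control, rest = " ".join(tokens[1:i + 1]), tokens[i + 1:]
        else:
            control, rest = tokens[1], tokens[2:]
        if rest:
            entries.append(PamEntry(tokens[0], control, rest[0], rest[1:]))
    return entries


def unexpected_modules(entries: Iterable[PamEntry], allowlist: Set[str]) -> List[str]:
    """Module names referenced by the config that are not in the allowlist."""
    return sorted({e.module for e in entries if os.path.basename(e.module) not in allowlist})


def hash_files(files: Dict[str, bytes]) -> Dict[str, str]:
    """SHA-256 of each file's content; files maps path -> bytes."""
    return {p: hashlib.sha256(b).hexdigest() for p, b in files.items()}


def snapshot_dir(directory: str) -> Dict[str, bytes]:
    """Read every regular file under a directory (e.g. /etc/pam.d) into memory."""
    out = {}
    for root, _, names in os.walk(directory):
        for name in names:
            path = os.path.join(root, name)
            if os.path.isfile(path):
                with open(path, "rb") as fh:
                    out[path] = fh.read()
    return out


def diff_baseline(baseline: Dict[str, str], current: Dict[str, str]):
    """Compare two path -> hash maps; returns (added, removed, modified) path lists."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return added, removed, modified


def check_host(baseline_files: Dict[str, bytes], current_files: Dict[str, bytes],
               allowlist: Set[str]) -> dict:
    """FIM diff on the whole file set, then a PAM config review of every new or
    modified file under /etc/pam.d. Returns the findings as a dict."""
    added, removed, modified = diff_baseline(hash_files(baseline_files), hash_files(current_files))
    suspicious = {}
    for path in added + modified:
        if path.startswith("/etc/pam.d/"):
            mods = unexpected_modules(parse_pam_config(current_files[path].decode()), allowlist)
            if mods:
                suspicious[path] = mods
    return {"added": added, "removed": removed, "modified": modified, "suspicious": suspicious}


# Constructed sample: a Debian-style common-auth before and after a malicious edit.
CLEAN_COMMON_AUTH = """\
# /etc/pam.d/common-auth (constructed sample)
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    optional                        pam_cap.so
"""
TAMPERED_COMMON_AUTH = CLEAN_COMMON_AUTH + "auth    optional    pam_steal.so\n"

# Constructed allowlist of modules expected on this host (derive it from the package manager in practice).
EXPECTED_MODULES = {"pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_cap.so"}

BASELINE_FILES = {"/etc/pam.d/common-auth": CLEAN_COMMON_AUTH.encode(),
                  "/etc/pam.d/sshd": b"@include common-auth\n"}
CURRENT_FILES = {"/etc/pam.d/common-auth": TAMPERED_COMMON_AUTH.encode(),
                 "/etc/pam.d/sshd": b"@include common-auth\n",
                 # constructed placeholder for a dropped module file, not a real binary
                 "/lib/x86_64-linux-gnu/security/pam_steal.so": b"\x7fELF placeholder"}

if __name__ == "__main__":
    for key, value in check_host(BASELINE_FILES, CURRENT_FILES, EXPECTED_MODULES).items():
        print(f"{key}: {value}")
```

The important design choice is that the check does not stop at "common-auth changed": a legitimate package upgrade also rewrites that file, so the parser turns a hash mismatch into the question a responder actually wants answered, namely which modules are now loaded that were not expected. The module directory is watched as well, since a new .so must land there (or somewhere reachable by an absolute path in the config) before the config line does anything.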

[1] https://www.redhat.com/sysadmin/pluggable-authentication-modules-pam
[2] https://blog.rootshell.be/2009/03/27/yubikey-authentication-on-linux/
[3] https://github.com/ONsec-Lab/scripts/tree/master/pam_steal
[4] https://isc.sans.edu/forums/diary/What+to+watch+with+your+FIM/20897

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
