New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials
Summary
A new Linux backdoor called PamDOORa has been discovered, advertised on a Russian cybercrime forum. This backdoor leverages Pluggable Authentication Modules (PAM) to establish persistent SSH access using a magic password and a specific TCP port.
IFF Assessment
FOE
This backdoor poses a direct threat to the systems defenders are responsible for, as it enables unauthorized and persistent access to sensitive hosts.
Defender Context
Defenders should be aware of this new PAM-based backdoor and the tactics it employs, particularly the use of a magic password to pass SSH authentication. Monitoring for unexpected PAM module files or configuration changes, and for SSH connections on unusual ports, should be prioritized.
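One concrete form of the "unusual PAM module activity" check above is to audit the PAM stack configuration and flag any module that is not part of a known baseline, especially one placed in an `auth` stack with a control that lets it grant access on its own. The script below is an added example written for this page; it is not code from the report or from the backdoor's authors. The baseline module list and the sample `/etc/pam.d/sshd` contents (including the placeholder name `pam_unknownmod.so`) are constructed assumptions; on a real host the baseline should be derived from the package manager's file inventory.

```python
"""Audit PAM service configuration for modules outside a known baseline.

Added example: parses PAM config lines of the form
    <type> <control> <module> [args...]
and reports modules that are not in the baseline, are loaded from a
non-standard directory, or can short-circuit an auth stack on their own.
"""
import os
import re
from dataclasses import dataclass, field
from typing import List, Set

# Example baseline (assumption): modules expected on a typical sshd stack.
# Replace with an inventory built from the package manager on the audited host.
BASELINE_MODULES: Set[str] = {
    "pam_env.so", "pam_unix.so", "pam_nologin.so", "pam_motd.so",
    "pam_limits.so", "pam_deny.so", "pam_permit.so", "pam_keyinit.so",
    "pam_loginuid.so", "pam_selinux.so", "pam_systemd.so", "pam_mail.so",
    "pam_umask.so", "pam_faillock.so", "pam_sss.so",
}

# Directories from which distribution-packaged PAM modules are normally loaded.
STANDARD_MODULE_DIRS = ("/lib/", "/lib64/", "/usr/lib")

# Matches one PAM rule; the control field may be a bracketed action list.
PAM_LINE = re.compile(
    r"^(?P<type>-?(?:auth|account|password|session))\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+"
    r"(?P<module>\S+)(?:\s+(?P<args>.*))?$"
)


@dataclass
class PamEntry:
    service: str
    line_no: int
    mtype: str      # auth, account, password or session
    control: str
    module: str     # bare name or absolute path
    args: str = ""


@dataclass
class Finding:
    entry: PamEntry
    reasons: List[str] = field(default_factory=list)


def parse_pam_service(service: str, text: str) -> List[PamEntry]:
    """Parse the text of one /etc/pam.d/<service> file into entries."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line or line.startswith("@include"):
            continue                              # includes are audited as their own files
        m = PAM_LINE.match(line)
        if not m:
            continue
        entries.append(PamEntry(service, line_no, m["type"].lstrip("-"),
                                m["control"], m["module"], m["args"] or ""))
    return entries


def short_circuits(control: str) -> bool:
    """True when success of this module alone ends the stack with success."""
    return control == "sufficient" or "success=done" in control


def audit(entries: List[PamEntry], baseline: Set[str] = BASELINE_MODULES) -> List[Finding]:
    """Return one Finding per suspicious entry, with the reasons it was flagged."""
    findings = []
    for e in entries:
        name = e.module.rsplit("/", 1)[-1]
        reasons = []
        if name not in baseline:
            reasons.append("module not in baseline")
        if "/" in e.module and not e.module.startswith(STANDARD_MODULE_DIRS):
            reasons.append("module loaded from non-standard directory")
        if e.mtype == "auth" and reasons and short_circuits(e.control):
            reasons.append("control lets this module alone grant authentication")
        if reasons:
            findings.append(Finding(e, reasons))
    return findings


def audit_directory(pam_dir: str = "/etc/pam.d") -> List[Finding]:
    """Audit every service file in a PAM configuration directory."""
    results = []
    for service in sorted(os.listdir(pam_dir)):
        path = os.path.join(pam_dir, service)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                results.extend(audit(parse_pam_service(service, fh.read())))
    return results


# Constructed sample sshd stack with one unexpected module inserted.
SAMPLE_SSHD_PAM = """\
# PAM configuration for the Secure Shell service (constructed sample)
auth       required     pam_env.so
auth       sufficient   /usr/lib/x86_64-linux-gnu/security/pam_unknownmod.so
@include common-auth
account    required     pam_nologin.so
session    optional     pam_motd.so  motd=/run/motd.dynamic
session    required     pam_limits.so
"""

if __name__ == "__main__":
    for f in audit(parse_pam_service("sshd", SAMPLE_SSHD_PAM)):
        print(f"{f.entry.service}:{f.entry.line_no}: {f.entry.module}: " + "; ".join(f.reasons))
```

Run against the constructed sample it reports the third line only, with two reasons: the module is not in the baseline, and its `sufficient` control means success of that single module authenticates the user, which is the placement a credential-stealing or magic-password module needs. `audit_directory()` applies the same checks to a live `/etc/pam.d`; pairing its output with a package-manager ownership check on each flagged `.so` file separates locally added modules from distribution-packaged ones.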