Chinese hackers took control of a target organization's authentication stack and maintained persistence for 10 years, with full visibility into the administrative activity.
Dubbed "Operation Highland," the intrusion is attributed to the Velvet Ant cyberespionage threat group, which targeted vulnerable internet-facing systems before pivoting to a network with no direct external path.
Chinese hackers of the “Velvet Ant” activity cluster breached the isolated critical infrastructure network of a large organization and conducted cyber-espionage operations for 10 years.
The campaign, dubbed “Operation Highland” by Sygnia researchers who discovered it, began in 2016, targeting vulnerable internet-facing systems before pivoting to an “air-gapped” environment with no direct internet connection.
Velvet Ant’s lengthy espionage operations were documented in 2024, when Sygnia warned of a campaign targeting F5 BIG-IP devices that operated undetected for three years.
Also in 2024, Cisco warned of a zero-day in NX-OS running on Nexus switches, which was exploited by Velvet Ant to gain access to targets.
Velvet Ant attack chain
The attack begins with the compromise of internet-facing servers, though the researchers don’t mention the specific product or any vulnerability used.
Velvet Ant deployed a modified GS-Netcat reverse shell disguised as a legitimate system component that connected to a hardcoded relay domain, providing encrypted remote shell access.
The shell achieved persistence either via a malicious systemd service or through startup script modification.
Disassembler view showing the use of GS-Netcat. Source: Sygnia
Next, Velvet Ant installed a custom SOCKS5 proxy for network traffic tunneling, enabling it to reach internal systems that are not directly accessible from the internet.
The proxy ran as a daemon masquerading as ‘smbd -D,’ using different filenames and ports on each host, and turning compromised servers into internal pivot points.
SOCKS5 proxy script. Source: Sygnia
The most interesting part of the attack was building a remote execution path into the isolated network.
To achieve this, Velvet Ant modified the configuration of a compromised internet-facing Nginx server to proxy specially crafted requests to a compromised backend server.
The backend server's Nginx configuration was also altered to forward requests to a FastCGI process (fcgiwrap) listening on a separate port.
The FastCGI wrapper acted as an execution bridge, processing requests and launching a custom binary named ‘uptime.’
The tool established SSH connections to systems within the isolated critical infrastructure network using parameters supplied in HTTP POST requests.
"By chaining these modifications, Velvet Ant established a remote-execution path into the segregated environment via simple HTTP requests, with no direct connection to the critical infrastructure network ever required." - Sygnia
Having established their access into the isolated environment, Velvet Ant shifted focus to long-term persistence and credential theft by targeting Linux Pluggable Authentication Modules (PAM), a set of libraries that let administrators set up methods to authenticate users.
The attackers replaced legitimate ‘pam_unix.so’ modules with backdoored versions that accept hardcoded passwords and harvest user credentials.
Sygnia identified nine distinct variants of the malicious PAM module, each compiled in a separate build environment, indicating a well-resourced threat actor.
The researchers say that two of the malicious PAM modules stand out for acting as a backdoor only and for collecting credentials.
Velvet Ant actors also replaced OpenSSH components such as ssh, sshd, and scp with trojanized versions that captured credentials, logged commands entered during SSH sessions, and stored the collected data locally for future retrieval.
Sygnia says that by extending their control to the authentication process through the modified PAM and OpenSSH components, the threat actor had access to credentials as they were used in the target environment and could bypass the authentication flow.
"Administrative activity became fully observable: every login; every command executed across compromised hosts. Access was no longer tied to a specific foothold but embedded into the authentication process itself," the researchers explain.
This way, the hackers ensured their persistence despite password changes and session terminations, and reduced "the effectiveness of conventional containment measures."
Complex cleanup
Sygnia says even after discovering the compromise, remediating it and removing Velvet Ant from the compromised environment was particularly complicated.
The threat actors had replaced so many critical components with custom versions that removing them was likely to break authentication, lock legitimate administrators out, and cause operational outages.
To tackle this problem, the researchers built a testing lab to validate the binary replacement process, profiled each host, tested the results, and prepared rollback procedures before attempting the cleanup.
Sygnia recommends that defenders treat authentication components such as PAM, OpenSSH, and Windows LSASS as critical security assets and protect them with EDR, file integrity monitoring, hardened privileged access, multi-factor authentication (MFA), and continuous monitoring for unauthorized modifications.
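As an added defender-side example (not Sygnia's tooling or anything from the report), the script below performs two of the checks the recommendations above call for: it verifies PAM and OpenSSH binaries against a known-good hash baseline, and it lists every proxy_pass/fastcgi_pass directive in an Nginx configuration so an execution bridge of the kind described in the attack chain can be reviewed against the intended setup. The file paths, the sample configuration and the sample file contents are constructed assumptions.

```python
import hashlib
import re

# Authentication components Sygnia reports Velvet Ant replaced. The paths are
# typical Linux locations and an assumption here; adjust for your distro.
WATCHED = ["/lib/x86_64-linux-gnu/security/pam_unix.so", "/usr/sbin/sshd",
           "/usr/bin/ssh", "/usr/bin/scp"]

def build_baseline(files: dict) -> dict:
    """Hash known-good contents (path -> bytes), e.g. from a trusted image."""
    return {p: hashlib.sha256(files[p]).hexdigest() for p in WATCHED if p in files}

def verify_baseline(files: dict, baseline: dict) -> dict:
    """Return {path: 'modified' | 'missing'} for every deviation from baseline."""
    findings = {}
    for path, expected in baseline.items():
        data = files.get(path)
        if data is None:
            findings[path] = "missing"
        elif hashlib.sha256(data).hexdigest() != expected:
            findings[path] = "modified"
    return findings

_LOCATION = re.compile(r"^\s*location\s+([^{]+)\{")
_FORWARD = re.compile(r"\b(fastcgi_pass|proxy_pass)\s+([^;]+);")

def find_request_forwarders(nginx_conf: str) -> list:
    """List (location, directive, target) for each proxy_pass/fastcgi_pass, so a
    location handing requests to an unexpected FastCGI port stands out."""
    found, current, loc_depth, depth = [], "<server>", None, 0
    for line in (l for l in nginx_conf.splitlines() if not l.lstrip().startswith("#")):
        loc = _LOCATION.match(line)
        if loc:
            current, loc_depth = loc.group(1).strip(), depth
        fwd = _FORWARD.search(line)
        if fwd:
            found.append((current, fwd.group(1), fwd.group(2).strip()))
        depth += line.count("{") - line.count("}")
        if loc_depth is not None and depth <= loc_depth:
            current, loc_depth = "<server>", None
    return found

# Constructed sample config (not from the report) with one FastCGI bridge.
SAMPLE_NGINX = """server {
    location / { proxy_pass http://10.0.0.5:8080; }
    location /status/ {
        fastcgi_pass 127.0.0.1:9001;
    }
}"""
```

In production the baseline would come from the distro's package database or a signed golden image rather than from the running host itself, since the host's own copies are exactly what the intruder controls.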
Organizations should also plan for offline recovery, which includes strict backups on an adequate schedule, with automatically created snapshots and immutable copies.
The restoration plan should cover testing the backups, the recovery hosts (running validated operating systems), and the recovery scripts.
Source: Bleeping Computer