Netizen: Monday Security Brief (8/4/2024)

Today’s Topics:

  • New Linux ‘Plague’ PAM Backdoor Enables Silent SSH Credential Theft
  • Akira Ransomware Exploits SonicWall VPNs in Likely Zero-Day Attacks
  • How can Netizen help?

New Linux ‘Plague’ PAM Backdoor Enables Silent SSH Credential Theft

Security researchers have identified a previously undocumented Linux backdoor called Plague, which leverages the Pluggable Authentication Module (PAM) framework to silently compromise systems and maintain persistent access. According to research from Nextron Systems, the malware has remained undetected for nearly a year, highlighting the growing sophistication of Linux-targeted threats.

Pluggable Authentication Modules are core components of Linux and UNIX-based authentication systems, handling user logins and authentication requests for services such as SSH. By embedding itself as a malicious PAM module, Plague can:

  • Bypass authentication checks and allow attackers to log in without valid credentials
  • Silently steal user credentials during legitimate login attempts
  • Maintain persistent SSH access without triggering standard monitoring tools

Because PAM modules operate with elevated privileges and integrate directly into the authentication stack, a rogue module like Plague can operate without leaving typical forensic artifacts.

Researchers discovered several Plague samples uploaded to VirusTotal since July 29, 2024, none of which were flagged as malicious. This suggests both active development and effective evasion techniques. The malware demonstrates a strong focus on stealth through several key behaviors:

  1. Static credentials for covert access that allow attackers to log in without leaving a standard audit trail
  2. Anti-debugging and obfuscation to resist reverse engineering and analysis
  3. Audit trail wiping by unsetting environment variables like SSH_CONNECTION and SSH_CLIENT and redirecting HISTFILE to /dev/null to prevent shell command logging
  4. Persistence through system updates by integrating deeply into the authentication stack

As researcher Pierre-Henri Pezier noted, this combination of obfuscation, environment tampering, and deep integration makes Plague exceptionally hard to detect using traditional Linux security tools.

Plague represents a high-risk threat to organizations relying on Linux servers for critical applications, including web hosting, finance, and cloud environments. PAM-based implants allow attackers to establish long-term footholds, conduct credential theft, and potentially escalate attacks into broader supply chain compromises.

While attribution remains unknown, the discovery of multiple variants indicates an ongoing campaign or the active testing of new features by threat actors.

To defend against backdoors like Plague, organizations should adopt enhanced Linux security monitoring and forensic readiness:

  • Monitor for unauthorized PAM modules in /lib/security or equivalent directories
  • Audit system logs for unexpected SSH access patterns or disabled history logging
  • Deploy host-based intrusion detection with a focus on file integrity monitoring for authentication-related libraries
  • Conduct regular memory and file system scans using YARA rules for Linux-specific malware
  • Enforce the principle of least privilege and multi-factor authentication for all SSH access to reduce the impact of credential theft
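The first, third and fourth defensive points above (inventory the PAM module directory, watch authentication libraries for integrity changes, and catch a module that is wired into a stack by absolute path) can be combined into one baseline-and-diff check. The script below is an added example, not code from Nextron Systems or Netizen; it assumes a typical distro layout where modules live under a directory such as /lib/security and service stacks under /etc/pam.d, and its demo() scenario uses constructed files and the constructed name pam_dropped.so in a temporary directory.

```python
# Added example (not from the Nextron report or Netizen): snapshot the PAM module
# directory, then diff it and the /etc/pam.d references against an approved baseline.
import hashlib
import re
import tempfile
from pathlib import Path

# Matches "auth required pam_unix.so ..." and "-session [success=1 default=ignore] pam_x.so"
PAM_LINE = re.compile(r"^\s*-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def snapshot(dirs) -> dict:
    """Map each .so under the PAM directories (e.g. /lib/security) to its SHA-256."""
    return {f.name: sha256_file(f) for d in dirs if Path(d).is_dir() for f in Path(d).glob("*.so")}

def referenced_modules(pam_d) -> set:
    """Module basenames loaded by any service file in /etc/pam.d, even via absolute path."""
    refs = set()
    for cfg in (p for p in Path(pam_d).iterdir() if p.is_file()):
        for line in cfg.read_text(errors="replace").splitlines():
            m = PAM_LINE.match(line)
            if m:
                refs.add(Path(m.group(3)).name)
    return refs

def compare(baseline: dict, current: dict, referenced: set) -> dict:
    """Findings: new, changed or removed .so files, plus config references to modules
    outside the approved baseline (the step that activates a dropped module)."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(n for n in baseline if n in current and baseline[n] != current[n]),
        "removed": sorted(set(baseline) - set(current)),
        "unbaselined_refs": sorted(referenced - set(baseline)),
    }

def demo() -> dict:
    """Constructed scenario in a temp dir: approved baseline, then a dropped module,
    a trojaned pam_unix.so, and an sshd stack edited to load the dropped module."""
    root = Path(tempfile.mkdtemp())
    sec, pam_d = root / "security", root / "pam.d"
    sec.mkdir(); pam_d.mkdir()
    (sec / "pam_unix.so").write_bytes(b"original module bytes")        # constructed
    (pam_d / "sshd").write_text("auth required pam_unix.so\n")
    baseline = snapshot([sec])                                         # approved state
    (sec / "pam_dropped.so").write_bytes(b"constructed rogue module")  # constructed name
    (sec / "pam_unix.so").write_bytes(b"patched module bytes")
    (pam_d / "sshd").write_text("auth required pam_unix.so\nauth sufficient /tmp/pam_dropped.so\n")
    return compare(baseline, snapshot([sec]), referenced_modules(pam_d))
```

In production the baseline would be stored off-host (signed or on read-only media) and snapshot() pointed at the real module directories, since a module with root-level code can alter anything kept locally.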

Akira Ransomware Exploits SonicWall VPNs in Likely Zero-Day Attacks

Security researchers have observed a spike in Akira ransomware campaigns targeting SonicWall SSL VPN appliances, with evidence suggesting the possible use of a zero-day vulnerability. The activity, first noted in mid-July 2025, has impacted even fully patched devices, raising significant concerns for organizations relying on SonicWall for remote access.

According to Arctic Wolf Labs, the intrusions involve multiple pre-ransomware compromises executed in rapid succession, all of which leveraged VPN access through SonicWall SSL VPNs. Researcher Julian Tuin reported that in the reviewed cases, a very short interval separated the initial VPN login from the onset of ransomware encryption.

The company’s analysis indicates that the attacks may exploit an as-yet-undisclosed flaw in SonicWall appliances, although credential-based compromises have not been ruled out. Evidence of malicious VPN activity dates as far back as October 2024, pointing to a sustained campaign against these devices.

One notable characteristic of these intrusions is the difference in VPN login behavior compared to legitimate users. While authorized logins typically originate from broadband ISP networks, ransomware operators often authenticate through Virtual Private Server (VPS) hosting environments to disguise their activity and facilitate automated lateral movement.

Akira ransomware, first observed in March 2023, has become a prominent threat actor in the global ransomware ecosystem. By early 2024, it was credited with generating approximately $42 million in illicit profits from over 250 victims.

Check Point’s recent statistics show that Akira was the second most active ransomware group in Q2 2025, behind Qilin, claiming 143 victims in that quarter. Analysts also note that Akira maintains a regional focus on Italian enterprises, with 10% of its observed victims based in Italy, compared to 3% in the general ransomware landscape.

Given the high likelihood that the SonicWall attacks involve an unpatched zero-day vulnerability, organizations are urged to take immediate defensive measures:

  • Consider temporarily disabling the SonicWall SSL VPN service until a patch or official mitigation is released
  • Enforce multi-factor authentication (MFA) for all remote access to limit the impact of credential theft
  • Remove unused or inactive local firewall user accounts to reduce potential attack vectors
  • Maintain strong password hygiene and monitor VPN access logs for anomalous patterns
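The distinguishing behaviour described above, logins from VPS hosting space rather than the broadband networks legitimate users come from, is something VPN log review can check for directly. The script below is an added example, not code from Arctic Wolf Labs or Netizen; it assumes a generic "timestamp,user,src_ip,result" record shape (not SonicWall's actual log format), a constructed prefix-to-category table standing in for an ASN enrichment feed, and a constructed per-user history of source networks.

```python
# Added example (not from Arctic Wolf or Netizen): flag successful SSL VPN logins that come
# from hosting/VPS space or from a network the user has never authenticated from before.
import ipaddress
from collections import defaultdict

# Constructed enrichment table (prefix -> org, category); real deployments use an ASN/IP feed.
NET_CATEGORY = {
    "198.51.100.0/24": ("example-broadband-isp", "broadband"),
    "203.0.113.0/24":  ("example-vps-hosting",   "hosting"),
}
# Constructed records in a generic "timestamp,user,src_ip,result" shape (not SonicWall's format).
SAMPLE_LOG = """\
2025-07-15T08:02:11Z,alice,198.51.100.23,success
2025-07-15T08:05:40Z,bob,198.51.100.77,success
2025-07-15T23:41:03Z,alice,203.0.113.9,success
2025-07-16T01:12:55Z,svc_backup,203.0.113.44,success
2025-07-16T01:13:20Z,bob,198.51.100.77,failure
"""
# Constructed history of /24 source networks each user has logged in from.
KNOWN_PREFIXES = {"alice": {"198.51.100.0/24"}, "bob": {"198.51.100.0/24"}}

def classify(ip: str):
    """Return (org, category) for an address; unknown space is reported as such."""
    addr = ipaddress.ip_address(ip)
    for net, (org, cat) in NET_CATEGORY.items():
        if addr in ipaddress.ip_network(net):
            return org, cat
    return "unknown", "unknown"

def analyze(log: str, known: dict) -> list:
    """One alert per successful login with a reason string; failed logins are ignored here."""
    alerts = []
    seen = defaultdict(set, {u: set(v) for u, v in known.items()})
    for line in log.splitlines():
        ts, user, ip, result = line.split(",")
        if result != "success":
            continue
        prefix = str(ipaddress.ip_network(f"{ip}/24", strict=False))  # IPv4 sample data
        org, cat = classify(ip)
        reasons = []
        if cat == "hosting":
            reasons.append(f"source in hosting/VPS space ({org})")
        if prefix not in seen[user]:
            reasons.append(f"first login from {prefix}")
        seen[user].add(prefix)
        if reasons:
            alerts.append((ts, user, ip, "; ".join(reasons)))
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG, KNOWN_PREFIXES):
        print(*alert, sep="  ")
```

Because the report notes a very short gap between VPN login and encryption, alerts of this kind need to reach a responder in near real time rather than in a daily review.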

Until a vendor fix becomes available, treating these appliances as potentially exposed is prudent for reducing the risk of Akira ransomware intrusions.


How Can Netizen Help?

Netizen ensures that security gets built in and not bolted on, providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service,” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.