Introduction to Operation Highland
Chinese hackers, known as the Velvet Ant group, breached an isolated critical infrastructure network and conducted cyber-espionage operations for 10 years, starting in 2016. The campaign, dubbed "Operation Highland" by Sygnia researchers, targeted vulnerable internet-facing systems before pivoting to an "air-gapped" environment with no direct internet connection.
Velvet Ant's Attack Chain
The attack begins with the compromise of internet-facing servers, though the researchers don’t mention the specific product or any vulnerability used. Velvet Ant deployed a modified GS-Netcat reverse shell disguised as a legitimate system component that connected to a hardcoded relay domain, providing encrypted remote shell access.
The shell achieved persistence either via a malicious systemd service or through startup script modification. Next, Velvet Ant installed a custom SOCKS5 proxy for network traffic tunneling, enabling it to reach internal systems that are not directly accessible from the internet.
Building a Remote Execution Path
The most interesting part of the attack was building a remote execution path into the isolated network. To achieve this, Velvet Ant modified the configuration of a compromised internet-facing Nginx server to proxy specially crafted requests to a compromised backend server.
The backend server's Nginx configuration was also altered to forward requests to a FastCGI process (fcgiwrap) listening on a separate port. The FastCGI wrapper acted as an execution bridge, processing requests and launching a custom binary named ‘uptime’. The tool established SSH connections to systems within the isolated critical infrastructure network using parameters supplied in HTTP POST requests.
By chaining these modifications, Velvet Ant established a remote-execution path into the segregated environment via simple HTTP requests, with no direct connection to the critical infrastructure network ever required.
Long-term Persistence and Credential Theft
Having established their access into the isolated environment, Velvet Ant shifted focus to long-term persistence and credential theft by targeting Linux Pluggable Authentication Modules (PAM), a set of libraries that let administrators set up methods to authenticate users.
The attackers replaced legitimate ‘pam_unix.so’ modules with backdoored versions that accept hardcoded passwords and harvest user credentials. Sygnia identified nine distinct variants of the malicious PAM module, each compiled in a separate build environment, indicating a well-resourced threat actor.
Consequences and Remediation
Velvet Ant actors also replaced OpenSSH components such as ssh, sshd, and scp with trojanized versions that captured credentials, logged commands entered during SSH sessions, and stored the collected data locally for future retrieval.
Sygnia says that by extending control to the authentication process through the modified PAM and OpenSSH components, the threat actor gained access to credentials as they were used in the target environment and could bypass the authentication flow.
Administrative activity became fully observable to the attackers: every login and every command executed across compromised hosts. Access was no longer tied to a specific foothold but embedded into the authentication process itself.
Sygnia recommends that defenders treat authentication components such as PAM, OpenSSH, and Windows LSASS as critical security assets and protect them with EDR, file integrity monitoring, hardened privileged access, multi-factor authentication (MFA), and continuous monitoring for unauthorized modifications.
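One concrete form of the file integrity monitoring recommended above, as an added example that is not part of the Sygnia report or the article: record SHA-256 digests of the PAM and OpenSSH components the attackers replaced (pam_unix.so, ssh, sshd, scp) and report any later drift. The file paths and the baseline location are assumptions (typical Debian/Ubuntu locations); adjust them for the distribution in use.

```python
"""Added example: SHA-256 baseline of PAM/OpenSSH components and drift check.
The file paths and BASELINE_FILE are assumed Debian/Ubuntu locations."""
import hashlib
import json
import os

# Assumed paths of the components the report says were trojanized.
DEFAULT_TARGETS = [
    "/lib/x86_64-linux-gnu/security/pam_unix.so",
    "/usr/bin/ssh",
    "/usr/sbin/sshd",
    "/usr/bin/scp",
]
BASELINE_FILE = "/var/lib/auth-baseline.json"  # assumed; keep a copy off-host

def hash_file(path):
    """SHA-256 hex digest of a file, or None if it does not exist."""
    if not os.path.isfile(path):
        return None
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths):
    """Map each path to its current digest (None for missing files)."""
    return {p: hash_file(p) for p in paths}

def check_baseline(baseline):
    """Return sorted (path, status) pairs for files that drifted from the
    baseline: 'modified', 'missing' (was present, now gone) or 'appeared'."""
    findings = []
    for p, old in baseline.items():
        new = hash_file(p)
        if old == new:
            continue
        status = "missing" if new is None else "appeared" if old is None else "modified"
        findings.append((p, status))
    return sorted(findings)

if __name__ == "__main__":
    # First run records the baseline; later runs report any drift from it.
    if not os.path.exists(BASELINE_FILE):
        with open(BASELINE_FILE, "w") as f:
            json.dump(build_baseline(DEFAULT_TARGETS), f, indent=2)
    else:
        with open(BASELINE_FILE) as f:
            print(check_baseline(json.load(f)) or "no drift detected")
```

The baseline is only as trustworthy as the host it was captured on, so take it from a known-good image and store a copy where a root-level intruder cannot rewrite it. Package-manager verification (`dpkg -V`, `rpm -V`) gives a similar signal but relies on the same local database an attacker with root can edit.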
Conclusion and Recommendations
Organizations should plan for offline recovery, which includes a strict backup schedule that automatically creates snapshots with immutable copies. The restoration process itself should be tested, covering the backups, recovery hosts running validated operating systems, and the recovery scripts.
Security teams should test every layer before attackers do, and consider using breach and attack simulation to exercise SIEM and EDR rules so that threats do not slip past detection.
Source: BleepingComputer