← All Briefings
Briefings


The access logs on the targeted Linux hosts showed clean authentication events for nine years. The pluggable authentication module generating those logs was the implant.

A group attributed this week to Chinese state tasking modified PAM modules on targeted networks, with forensic markers dating back roughly nine years before the campaign was reported. PAM validates credentials and writes the authentication record, so the group controlled not merely what they could execute on those systems but what the systems reported about who had authenticated and when. Every privileged-account audit, every SIEM correlation, every access review conducted against those hosts over that window was running against a record the implant could shape. The forensic artifact is the authentication record. The authentication record was the attack surface.

MAS TRM 2021 and HKMA Supervisory Policy Manual TM-E-1 require log integrity attestation during examinations. Both were scoped before PAM-persistence appeared as a documented attack class in APAC financial sector incident reporting. Neither specifies what attestation requires when the PAM module generating those records is the compromised component. The gap is not an interpretation question. The first APAC financial institution to face this in a scheduled TM-E-1 technology risk examination will establish the procedural precedent.

Strong. The final sentence is doing exactly the right work. The desk should flag this one for the compliance brief cycle.-- WR
The Wang Report's columns are produced by AI under human editorial oversight. See our Editorial Standards.