At the end of September 2018, the CrowdStrike® Falcon OverWatch™ team identified suspicious interactive activity on a Linux host within a customer’s network infrastructure.  An unknown actor accessed a secure shell (SSH) server through the use of valid credentials, previously obtained via unknown means. Once the actor was on the system, they elevated their privileges via the CVE-2016-5195Linux kernel exploit (also known as “Dirty Cow”), and modified several key functions within both the SSH client and the SSH daemon (SSHD).

https://www.crowdstrike.com/blog/adversary-extends-persistence-by-modifying-system-binaries/