XZ Utils Backdoor
The cybersecurity world got really lucky last week. An intentionally placed backdoor in XZ Utils, an open-source compression utility, was pretty much accidentally discovered by a Microsoft engineer—weeks before it would have been incorporated into both Debian and Red Hat Linux. From Ars Technica:
Malicious code added to XZ Utils versions 5.6.0 and 5.6.1 modified the way the software functions. The backdoor manipulated sshd, the executable file used to make remote SSH connections. Anyone in possession of a predetermined encryption key could stash any code of their choice in an SSH login certificate, upload it, and execute it on the backdoored device. No one has actually seen code uploaded, so it’s not known what code the attacker planned to run. In theory, the code could allow for just about anything, including stealing encryption keys or installing malware.
It was an incredibly complex backdoor. Installing it was a multi-year process that seems to have involved social engineering the lone unpaid engineer in charge of the utility. More from Ars Technica:
In 2021, someone with the username JiaT75 made their first known commit to an open source project. In retrospect, the change to the libarchive project is suspicious, because it replaced the safe_fprint function with a variant that has long been recognized as less secure. No one noticed at the time.
The following year, JiaT75 submitted a patch over the XZ Utils mailing list, and, almost immediately, a never-before-seen participant named Jigar Kumar joined the discussion and argued that Lasse Collin, the longtime maintainer of XZ Utils, hadn’t been updating the software often or fast enough. Kumar, with the support of Dennis Ens and several other people who had never had a presence on the list, pressured Collin to bring on an additional developer to maintain the project.
There’s a lot more. The sophistication of both the exploit and the process to get it into the software project screams nation-state operation. It’s reminiscent of SolarWinds, although (1) it would have been much, much worse, and (2) we got really, really lucky.
I simply don’t believe this was the only attempt to slip a backdoor into a critical piece of Internet software, either closed source or open source. Given how lucky we were to detect this one, I believe this kind of operation has been successful in the past. We simply have to stop building our critical national infrastructure on top of random software libraries managed by lone unpaid distracted—or worse—individuals.
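The Ars Technica excerpt above names the two backdoored releases, 5.6.0 and 5.6.1. The following shell function, added here as an example and not part of the original post, parses the text of `xz --version` and reports whether either the xz binary or the liblzma it links reports one of those versions; the sample version strings in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): flag a host whose xz binary or
# liblzma reports one of the backdoored XZ Utils releases, 5.6.0 or 5.6.1.

# Return 0 (true) when the supplied `xz --version` text names an affected
# release for either the xz binary or liblzma, 1 otherwise.
# Typical output (constructed sample) looks like:
#   xz (XZ Utils) 5.6.1
#   liblzma 5.6.1
xz_version_affected() {
    # $1: captured output of `xz --version`
    affected=0
    # The version is the last whitespace-separated field of the "xz" and
    # "liblzma" lines; check both, since a distro may ship them separately.
    for ver in $(printf '%s\n' "$1" | awk '/^(xz|liblzma)/ {print $NF}'); do
        case "$ver" in
            5.6.0|5.6.1) affected=1 ;;
        esac
    done
    [ "$affected" -eq 1 ]
}

# Convenience wrapper for a live host: runs xz --version if xz is installed
# and prints a verdict. Returns 0 if affected, 1 if not, 2 if xz is absent.
check_host_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not installed"
        return 2
    fi
    out=$(xz --version 2>/dev/null)
    if xz_version_affected "$out"; then
        echo "WARNING: backdoored XZ Utils release (5.6.0/5.6.1) detected"
        printf '%s\n' "$out"
        return 0
    fi
    echo "xz version not in the affected set (5.6.0, 5.6.1)"
    return 1
}
```

Run `check_host_xz` on a host to apply the check; the version test alone is insufficient on hosts that were patched by rebuilding from a clean tarball under the same version number, so treat a match as a reason to investigate rather than a final verdict.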
Erdem Memisyazici • April 2, 2024 4:01 PM
I think a better solution is to teach people what mobbing is with tools and examples. How did the developer in question not recognize that these people popping out of nowhere are all of a sudden making demands to control his software?
It’s likely that he thought they were respectful individuals making good points online as they should have been.
Real Questions:
Did GitHub warn him? That is a large company; how did they not know state actors are on their platform and lead them to a honeypot instead?
Could he not sell his access himself without state actor influence just like a large company could sell “we accidentallied that code” sort of commits?
Why I Ask Them:
The article says, “… managed by lone unpaid distracted—or worse—individuals.” but companies who hardcoded admin credentials like Cisco etc. were neither unpaid, distracted, nor worse … individuals.
He has no way of knowing if those are hacked accounts or real people, no access to their IPs, or any sort of confirmation, but GitHub does have some of that data.
Linux distros are stakeholders here, but companies like Red Hat check the code before getting the latest version of anything in. You hope your distro does the same, or good luck going over every commit yourself.
That being said, most people know that everything doesn’t need a daily update to be secure (i.e. a module with the function ‘fibonacci’ is probably going to stay the same for the next millennium).
This goes for hardware too. Most 90s computers weren’t hit by Spectre and Meltdown.