Makes you wonder how many of these are out there that have not been found?
Github has been turning into malwarehub.
could this be a nation-state attack? since jiat75 spent multiple years developing a fake persona and it seems like a lot of effort was put into this
probably some agent from the country that starts with R, or from that other country that starts with C, or from one of those silly three-letter organizations
What is the name of the software that is affected??
xz is the compromised package, but it in turn compromises ssh authentication
In turn it
compromises ssh authenticationallows remote code execution via system(); if the connecting SSH certificate contains the backdoor key. No user account required. Nothing logged anywhere you’d expect. Full root code execution.There is also a killswitch hard-coded into it, so it doesn’t affect machines of whatever state actor developed it.
It’s pretty clear this is a state actor, targeting a dependency of one of the most widely used system control software on Linux systems. There are likely tens or hundreds of other actors doing the exact same thing. This one was detected purely by chance, as it wasn’t even in the code for ssh.
If people ever wonder how cyber warfare could potentially cause a massive blackout and communications system interruption - this is how.
And the one main issue with FOSS rears its ugly head – freedom of contribution also means freedom of bad contributions.
This happens in close source software too. You just don’t find out about it until it gets bad enough.
I’m genuinely disturbed that a person who was a core developer could just go rogue.
From what I’ve been reading, it sounds like they were malicious from the very beginning. The work to integrate the malware goes back to 2021. https://boehs.org/node/everything-i-know-about-the-xz-backdoor
It’s an extremely sophisticated attack that was hidden very well, and was only accidentally discovered by someone who noticed that rejected SSH connections (eg invalid key or password) were using more CPU power and taking 0.5s longer than they should have. https://mastodon.social/@AndresFreundTec/112180406142695845
From that post, commits set to UTC+0800 and activity between UTC 12-17 indicate that the programmer wasn’t operating from California but from another country starting with C. The name is also another hint.
That could be part of their plan though… Make people think they’re from China when in reality they’re a state-sponsored actor from a different country. Hard to tell at this point. The scary thing is they got very close to sneaking this malware in undetected.
A lot of critical projects are only maintained by one person who may end up burning out, so I’m surprised we haven’t seen more attacks like this. Gain the trust of the maintainer (maybe fix some bugs, reply to some mailing-list posts, etc), take over maintenance, and slowly add some malware one small piece at a time, interspersed with enough legit commits that you become one of the top contributors (and thus people start implicitly trusting you).
Edit: Based on this analysis, they may have been based in a European timezone and just changed their timezone to UTC+8 before committing to Git to make it look like they were in China: https://rheaeve.substack.com/p/xz-backdoor-times-damned-times-and. Their commits were usually between 9 am and 6 pm Eastern European Time, and there are a few commits where the timezone was set to UTC+2 instead of UTC+8.
Except China is one of the countries involved in cyber warfare
Pretty much every country is engaged in cyber warfare to some degree
Heavily, aggressively involved in cyber activities. Previous Chinese attempts were unveiled by similar small gotchas.
Arguably that’s hard to prove, and it could be NK, India, the NSA, etc., but it’s not hard to believe this was part of another stream of attempts. Low ball, give it to the new guy, sorts of stuff.
US fed gov loves redhat for example, and getting into Fedora is how you get into RHEL
Based on this analysis, they may have been based in a European timezone and just changed their timezone to UTC+8 before committing to Git to make it look like they were in China: https://rheaeve.substack.com/p/xz-backdoor-times-damned-times-and. Their commits were usually between 9 am and 6 pm Eastern European Time, and there are a few commits where the timezone was set to UTC+2 instead of UTC+8.
Yeah, what if they go blue next?
(It’s rogue not rouge)
I’m pretty sure you just said the same word twice
Bad title. This is CVE-2024-3094. Run “xz --version” to see if you are affected.
If you are checking out the extent of damage on your system do not use
ldd
to check the links.You can inadvertently executed the exploit this way.
“Run the affected binary to see if you have it”
USE WINDOWS.
No thanks. Lol. How many backdoors exist in Windows because we don’t see the source? And if something is found they’ll probably keep quiet about it. Happy April Fools’ a whole day dedicated to people like you
Lol triggered.
“No you are wrong.” YoU aRe So tRiGgErEd! 🤓
Dumb dumb.
The more times you ad-hom me, the weepier you look.
🤔
if this happened on windows probably no one would have noticed it until a large cyberattack happened, also, using that logic no one should be using CPU’s created after 1995 due to meltdown / spectre
Hahaha irritating isn’t it?
Im not irritated, im saying that your logic is flawed, stop using some software piece due to a vulnerability is at least dumb, every software will have at least one, open source or not, we are humans, we commit errors, example: the SMB vulnerability that allowed the quick spread of WannaCry in 2017, and that was on Windows, and actually we are lucky that this happened on open source software and not in some big corporation privative software, if that was the case, we wouldnt be able to know about the backdoor until a large cyberattack happened