Tech | Visa | Scholarship/School | Info Place

Threat actors spent two years implementing Linux backdoor

Over the past two years, a threat actor has quietly integrated himself into the core maintenance team of XZ Utils, a free software command-line data compressor widely used on Linux systems. The attackers slowly integrated a backdoor into the software that was designed to interfere with SSHD and allow remote code execution via SSH login credentials. The backdoor was discovered days before it was released on multiple Linux systems around the world.

The threat actor is suspected to be a developer named “Jian Tan”. Several security experts believe the supply chain attack may have been state-sponsored.

What are XZ Utils and what are XZ backdoors?

XZ Utils and its underlying library liblzma are a free software tool that implements XZ and LZMA, two compression/decompression algorithms widely used in Unix-based systems (including Linux systems). Many operations on these systems use XZ Utils to compress and decompress data.

The CVE-2024-3094 backdoor discovered in XZ Utils is designed to interfere with authentication in SSHD, the OpenSSH server software that handles SSH connections. This backdoor enables an attacker to execute remote code via SSH login credentials. Only XZ Utils versions 5.6.0 and 5.6.1 are affected.

How the XZ backdoor was discreetly implemented over the years

On March 29, 2024, Microsoft software engineer Andres Freund reported the discovery of the backdoor. He discovered this when he became interested in strange behavior of Debian sid installations, such as SSH logins taking up a lot of CPU and Valgrind errors, and decided to analyze the symptoms in depth. Freund explained that finding the backdoor in XZ was a matter of luck, as it “really required a lot of coincidences.”

However, the implementation of the backdoor appears to have been a very quiet process, taking about two years. In 2021, a developer named Jian Tan (username JiaT75) suddenly appeared and started developing the XZ Utils code, which is not uncommon because developers of free software often update the code together. Since the end of 2021, Tan has frequently contributed to the XZ project, slowly building the trust of the community.

In May 2022, an unknown user with the pseudonym Dennis Ens complained on the XZ mailing list about unsatisfactory software updates. Another unknown user, Jigar Kumar, participated in the discussion twice, pressuring Lasse Collin, the lead developer of XZ Utils, to add maintainers to the project. “No progress will be made unless there are new maintainers,” Jigar Kumar wrote. “Why wait until 5.4.0 to change maintainers? Why delay your repo needs?”

Meanwhile, Collin stated that “Jatan helped me get off the ground in XZ Utils, and at least in the future he will probably play a bigger role in XZ Utils. It’s clear that my resources are too limited (hence the many emails waiting to be answered ), so something has to change in the long run.” (Collin wrote Jia in his message, while other messages mentioned jian. To add to the confusion, Jian’s nickname is JiaT75.)

Over the next few months, Tan became increasingly involved in XZ Utils and became a co-maintainer of the project. In February 2024, Tan released commits for versions 5.6.0 and 5.6.1 of XZ Utils, both of which contained backdoors.

It is worth noting that in July 2023, Tan requested to disable ifunc (GNU indirect function) on oss-fuzz, a public tool used to detect software vulnerabilities. This operation may be an attempt to allow the backdoor in XZ to remain undetected after release, as the backdoor exploits this functionality to achieve its goals.

Finally, the attackers contacted several people responsible for different Linux distributions and asked them to include backdoor versions of XZ Utils in their own distributions. Richard WM Jones from RedHat wrote on the forum: “Very annoying – the apparent author of the backdoor has been communicating with me for weeks trying to add xz 5.6.x to Fedora 40 and 41 because it has ‘great new features’ ‘ ‘. We even worked with him on a valgrind issue (which now turns out to be caused by a backdoor he added). We had to step up our efforts last night to fix the problem after an inadvertent embargo violation. He has been involved with the xz project for two years Various binary test files have been added, and to be honest, for this level of complexity, I would even be skeptical of older versions of xz until proven otherwise.” Tan is also trying to include it in Ubuntu.

XZ Backdoor: A highly technical attack

In addition to the highly sophisticated social engineering described earlier in this article, the backdoor itself is also very complex.

Microsoft Senior Threat Researcher Infographic designed and published by Thomas Roccia Show the entire operation leading to CVE-2024-3094 (Figure A).

Figure A

Infographic showing the entire CVE-2024-3094 operation.
The entire CVE-2024-3094 operation.Image: Thomas Rossia

The backdoor consists of several parts that have been included in multiple commits on the XZ Utils GitHub and are described in depth by Freund.

In a detailed analysis of the backdoor, Gynvael Coldwind, managing director of HexArcana Cybersecurity GmbH, a cybersecurity company that provides consulting and course services, wrote, “Someone put a lot of effort into making it look innocent and well hidden. From binary test files for storing payloads, to file carving, replacement ciphers and RC4 variants implemented in AWK, all can be done using just standard command line tools. All in 3 execution stages Done, and have a future-proof “extended” system without having to change the binary test files again.”

Download: TechRepublic Premium’s quick glossary of open source terms

Martin Zugec, director of technical solutions at Bitdefender, said in a statement provided to TechRepublic, “This appears to be a well-planned, multi-year attack that may have been supported by nation-state actors. Considering the significant effort we put in and the With the low prevalence of vulnerable systems seen, the threat actors responsible must now be very unhappy that their new weapons were discovered before they could be widely deployed.”

Which operating systems are affected by the XZ backdoor?

Thanks to Freund’s discovery, the attack was stopped before it could spread more widely. Cybersecurity company Tenable disclosed the following operating systems known to be affected by the XZ backdoor:

  • Fedora Ravid.
  • Fedora 40 beta.
  • Fedora41.
  • Debian testing, unstable and experimental distribution versions 5.5.1alpha-01 to 5.6.1-1.
  • openSUSE Tumbleweed.
  • openSUSE MicroOS.
  • KaliLinux.
  • Arch Linux.

Red Hat reported in a blog post that all versions of Red Hat Enterprise Linux are not affected by CVE-2024-3094.

Debian said that the stable version of the distribution was not affected, and Ubuntu said that the Ubuntu distribution was not affected.

The MacOS homebrew package manager reverts XZ from 5.6.x to 5.4.6, an older but secure version. Bo Anderson, maintainer and Homebrew Technical Steering Committee member, declares that Homebrew does not “…believe that Homebrew builds are compromised (the backdoor only applies to deb and rpm builds), but 5.6.x is deemed no longer trustworthy, as As a precaution, we are enforcing a downgrade to 5.4.6.”

How to mitigate and prevent this XZ backdoor threat

More systems may be affected, especially those where developers compiled vulnerable versions of XZ. Security company Binarly offers an online detection tool that can be used to test systems to see if they are affected by the XZ backdoor.

The version of XZ should be carefully checked, versions 5.6.0 and 5.6.1 contain backdoors. It is recommended to revert to a previously known safe version of XZ Utils, such as 5.4.

Software supply chain attacks are on the rise

As TechRepublic has previously reported, threat actors are increasingly using software supply chain attacks.

However, most common software supply chain attacks manage to compromise a key account during the software development process and use that account to push malicious content into legitimate software. These attacks are usually quickly detected. In the case of of different vulnerable parts are pushed into the software.

Software supply chain attacks are not the only growing threat; other IT product-based supply chain attacks are also on the rise.

Therefore, companies should ensure that third parties are considered in attack surface monitoring.

Disclosure: I work for Trend Micro, but the opinions expressed in this article are mine.

#Threat #actors #spent #years #implementing #Linux #backdoor

Leave a Reply

Your email address will not be published. Required fields are marked *