secret backdoor found in open source software (xz situation breakdown)
(www.youtube.com)
Comments (9)
sorted by:
Related posts:
Submission statement: Do people here think this is the work of an intelligence agency?
Hard to hide a backdoor into a piece of open source software. It takes a real brainiac to figure that out.
It was so brilliantly pulled off that I suspect it is government level.
Guessing NSA, but some of these kinds of trojans and 0-days are kept silent until needed. Usually when you do an attack with a vector like this, you can do some analysis afterwards and see exactly where the backdoor is.
I think that they got caught so easily, suggests it just the work of one person.
Nation states usually work in teams, and damn good ones. In fact it was suspected one of these groups have done something like this before.
https://intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/
They also tend to create their own library's and obfuscate and hide it much better by doing that.
The same source contributor, who is the "author" of the XZ backdoor commits has HUNDREDS of commits in multiple software, incl. libarchive which is integrated into Windows 11 (H2/23 builds)
The installed SSH Backdoor is crypto key'd, so only the actor can actually use it (<- exclusive backdoor, this is classic gov actor style)
PenTest/InfoSec people point out: the commits were not widely deployed (attack surface was limited, as caught early ). Even with backdoor installed, most institutions have intrusion detection, and other monitoring, and they don't allow random SSH connections -> this would have been limited attack surface
Whoever pulled this off, played a long game, months in planning and execution, involving also social engineering.
=> Sounds like a precursor scripted event for the coming CYBER-EVENT of 2024, when Internet goes down and billions of devices are affected => all the cry for authoritarian Internet / Digi-ID control.
PS All the build / test cases for most secure FOSS software will be updated to reflect this attack (no binaries, symbol removal, obfuscation, no funny make file additions, etc). This will INCREASE overall the security of FOSS software in the long run, it'll just take some time for the changes into protocols, methods and rules to percolate downstream to projects.
Some sources:
https://research.swtch.com/xz-script
https://cyberplace.social/@GossiTheDog/112202967577254451
https://github.com/R4GN4R0K-SEC/xzbot
https://www.schneier.com/blog/archives/2024/04/xz-utils-backdoor.html
https://www.wired.com/story/xz-backdoor-everything-you-need-to-know/
https://news.ycombinator.com/item?id=39895344
https://www.youtube.com/watch?v=0pT-dWpmwhA&t=1158s
https://www.youtube.com/watch?v=bS9em7Bg0iU
This is exactly what I was looking to talk about here. It would be incredible if the ability to code review free and open-source software mitigated the coming attack!
Cool beans