A covert actor spent the prior two years subtly integrating themselves into the core maintenance group of XZ Utils, an open source command-line compressor extensively utilized in Linux operating systems. The infiltrator progressively managed to incorporate a backdoor into the software intended to obstruct SSHD and permit remote code execution through an SSH login certificate. The backdoor was detected just days before its planned launch on numerous Linux systems globally.
The covert actor is hypothesized to be a developer named or using the pseudonym Jian Tan. Several cybersecurity specialists theorize this supply chain attack could potentially be state-funded.
XZ Utils and its associated library liblzma is an open source tool that provides both XZ and LZMA, which are two compression/decompression algorithms extensively used in Unix-centric systems, including Linux systems. XZ Utils is commonly used by numerous operations on those systems for data compression and decompression.
The backdoor discovered in XZ Utils, CVE-2024-3094, was designed to interfere with authentication in SSHD, the OpenSSH server software overseeing SSH connections. The backdoor allows an attacker to remotely execute code via an SSH login certificate. Only versions 5.6.0 and 5.6.1 of XZ Utils are affected by this issue.
On March 29, 2024, Microsoft software engineer Andres Freund reported the discovery of the backdoor. He stumbled upon it when he noticed strange behavior in a Debian sid installation, with SSH logins consuming a notable amount of CPU and Valgrind errors, which led him to investigate further. Freund stated that the discovery of the backdoor in XZ was luck as it was the result of an unlikely series of incidents.
The backdoor insertion seems to have been a long and silent process spanning about two years. In 2021, a developer named Jian Tan, with the username JiaT75, emerged out of nowhere to contribute to the XZ Utils code, which is not uncommon as free software developers often collaborate to update code. Tan has been an active contributor to the XZ project since late 2021, gradually developing trust within the community.
In May 2022, an anonymous user going by the alias Dennis Ens complained on the XZ mailing list about the software update’s inadequacies. Another unknown user, Jigar Kumar, chimed into the discussion twice, urging XZ Utils’ main developer, Lasse Collin, to appoint a new maintainer to the project. Jigar Kumar insisted, “Change won’t occur unless there’s a new maintainer. Why wait until 5.4.0 to switch roles? Why hold back what your repository requires?”
Meanwhile, Collin conveyed that “Jia Tan has provided me with assistance concerning XZ Utils off-list, and he might take on a larger role in the future, at least with XZ Utils. It’s quite apparent that my resources are stretched thin (which is why there’s a backlog of emails awaiting responses), and inevitably, something has to shift in the long run.” (Note that, in Collin’s message, references to Jian Tan are interchanged with Jia, adding to the confusion—Jian’s username is JiaT75.)
In the following months, Tan’s involvement in XZ Utils grew and he eventually became a co-maintainer of the project. In February 2024, Tan was responsible for the commits for versions 5.6.0 and 5.6.1 of XZ Utils, both of which contained the malicious backdoor.
Interestingly, in July 2023, Tan suggested the disabling of ifunc (GNU indirect function) on OSS-Fuzz, a tool designed to identify software vulnerabilities. This was likely done in an attempt to hide the backdoor in XZ once it was released, as this function was utilised to accomplish its purpose.
Several individuals who are responsible for different Linux distributions were approached by the attacker to introduce the compromised versions of XZ Utils into their distributions. Richard WM Jones, RedHat, discussed this situation in a forum: “The apparent author of the backdoor communicated with me over several weeks trying to get xz 5.6.x added to Fedora 40 & 41 due to its ‘great new features’. We even cooperated with him to rectify the Valgrind issue, which as it turns out was triggered by the backdoor he had embedded. We had to work quickly last night to solve the problem after unintentionally breaching the embargo. Having been part of the xz project for two years and added a plethora of binary test files, I would honestly be suspicious of even older versions of xz until verified otherwise”. There was also an attempt to include it in Ubuntu by Tan.
Alongside the sophisticated social engineering outlined in this article, the backdoor is also notably complex in its design.
Microsoft’s senior threat researcher Thomas Roccia designed and published an infographic to show the whole operation leading to CVE-2024-3094 (Figure A).
Figure A
The backdoor is composed of several parts that have been included over multiple commits on the XZ Utils GitHub, described in depth by Freund.
Gynvael Coldwind, managing director of HexArcana Cybersecurity GmbH,a cybersecurity company providing consulting and courses services, wrote in a detailed analysis of the backdoor that “someone put a lot of effort for this to be pretty innocent looking and decently hidden. From binary test files used to store payload, to file carving, substitution ciphers, and an RC4 variant implemented in AWK all done with just standard command line tools. And all this in 3 stages of execution, and with an ‘extension’ system to future-proof things and not have to change the binary test files again.”
DOWNLOAD: Open source quick glossary from TechRepublic Premium
Martin Zugec, technical solutions director at Bitdefender, said in a statement provided to TechRepublic that “this appears to be a meticulously planned, multi-year attack, possibly backed by a state actor. Considering the massive efforts invested and the low prevalence of vulnerable systems we’re seeing, the threat actors responsible must be extremely unhappy right now that their new weapon was discovered before it could be widely deployed.”
Thanks to Freund’s discovery, the attack was stopped before being spread on a wider scale. The cybersecurity company Tenable exposed the following operating systems known to be affected by the XZ backdoor:
In a blog post, Red Hat reported that no versions of Red Hat Enterprise Linux are affected by CVE-2024-3094.
Debian indicated that no stable version of the distribution are affected, and Ubuntu posted that no released versions of Ubuntu were affected.
MacOS homebrew package manager reverted XZ from 5.6.x to 5.4.6, an older yet safe version. Bo Anderson, maintainer and Homebrew technical steering committee member, declared that Homebrew does not “… believe Homebrew’s builds were compromised (the backdoor only applied to deb and rpm builds) but 5.6.x is being treated as no longer trustworthy and as a precaution we are forcing downgrades to 5.4.6.”
More systems might be affected, especially those on which developers compiled the vulnerable versions of XZ. Security company Binarly offers an online detection tool that could be used to test systems to see if they are affected by the XZ backdoor.
The version of XZ should be carefully checked, as versions 5.6.0 and 5.6.1 contain the backdoor. It is advised to revert to a previous known safe version of XZ Utils, such as 5.4.
As previously reported on TechRepublic, software supply chain attacks are increasingly being used by threat actors.
Yet typical software supply chain attacks mostly involve compromising a crucial account in the software development process, and use the account to distribute harmful content to legitimate software, which often gets noticed quite quickly. In the XZ Utils situation, it vastly differs because the threat actor managed to carefully gain the trust of legitimate developers and become one of the tool maintainers, enabling him to gradually implement various vulnerable parts of code into the software undetected.
Software supply chain attacks are not the solely increasing threats; other supply chain attacks based on IT products are also on the rise.
Therefore, companies must ensure that third parties are considered in their attack surface monitoring.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.
Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays
Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays
XZ Utils Supply Chain Attack: A Threat Actor Spent Two Years to Implement a Linux Backdoor
Your email has been sent
ChicagoVPS is your gateway to unparalleled hosting solutions. Our state-of-the-art datacenters and powerful network ensures lightning-fast speeds and uninterrupted connectivity for your websites and applications. Whether you’re a startup looking for scalable resources or an enterprise in need of enterprise-grade hosting, our range of plans and customizable solutions guarantee a perfect fit. Trust in ChicagoVPS to deliver excellence, combining unmatched reliability and top-tier support.
For Inquiries or to receive a personalized quote, please reach out to us through our contact form here or email us at sales@chicagovps.net.
