
XZ Utils Backdoor Attack Brings Another Similar Incident to Light

The discovery of the XZ Utils backdoor reminds an F-Droid developer of a similar incident that occurred a few years ago.

Linux Vulnerability: CVE-2024-3094

The recent discovery of the XZ Utils backdoor has reminded a developer of the F-Droid open source Android app repository of a similar incident that occurred a few years ago.

In late March, PostgreSQL maintainer Andres Freund alerted the cybersecurity industry of a backdoor he had discovered in the Liblzma (XZ Utils) data compression library, which is widely used by developers and is present by default in several Linux distributions.

An initial analysis of the backdoor suggested that it enabled SSH authentication bypassing, but further investigation revealed that it enabled remote code execution on vulnerable Linux systems. The vulnerability introduced by the malicious code is tracked as CVE-2024-3094.

While it’s not uncommon for sophisticated threat actors to target open source software in supply chain attacks, this incident stands out because the backdoor appears to be the result of a malicious operation that spanned several years.

In a post on Mastodon, Hans-Christoph Steiner, a maintainer of F-Droid, recalled a similar story from 2020, when an individual attempted to get F-Droid developers to merge code that was later determined to contain a SQL injection vulnerability. That attempt was unsuccessful, but it has some similarities to the XZ incident.

In the F-Droid incident, random accounts attempted to pressure developers into adding the malicious code.

While some have suggested in response to Steiner’s post that in the F-Droid case the introduction of a SQL injection vulnerability may have been an honest mistake, Steiner disagrees.

“Because the submitter deleted their account as a response to the review, I think it could be a deliberate attempt to insert the vuln,” Steiner said. “Plus all the attention from random new accounts. If it had been a normal review process, I could see how it could have been an honest mistake. But that scenario also makes it more attractive to the attacker, since making a mistake there is quite plausible, and could serve as an easy cover story.”


In the case of XZ Utils, the backdoor appears to have been added by an individual named Jia Tan, aka JiaT75. This might not be a real developer, but a persona created by a sophisticated threat actor. The name is Chinese, but the threat actor might have picked it as a false flag.

A timeline of the events created by researcher Russ Cox shows that Jia Tan started making contributions to the XZ Utils project in October 2021. He submitted several harmless patches over the next few months.

By the spring of 2022, Lasse Collin, the main developer of XZ Utils, had added some of Jia Tan’s patches to the project. However, not all of Jia Tan’s patches had made it into XZ Utils, and Collin started receiving messages pressuring him to merge them. The users pressuring Collin were later determined to be likely fake accounts created to increase Jia Tan’s chances of becoming an official maintainer.

By June 2022, Collin had already hinted at Jia Tan possibly becoming a maintainer, and in a message in late June he described the contributor as “practically a co-maintainer”. Over the following months, Jia Tan made several changes, and in June 2023 he started making modifications that Cox believes were likely in preparation for the backdoor.

The actual backdoor code was added on February 23, 2024, and it was discovered by Freund roughly one month later, before it was widely distributed via Linux distributions and other projects. In this timeframe, the threat actor behind the backdoor attempted to hasten the distribution of the malicious code, including through the use of fake accounts.

Collin is conducting an investigation of his own into this incident and has promised to share details in the coming days.

Dan Lorenc, software supply chain security expert and CEO of Chainguard, has shared some thoughts on the XZ Utils incident. Lorenc warned in a Security Conversations podcast back in 2022 about governments likely having hacking teams focusing on long-term open source software supply chain attacks.

It remains to be seen if other similar incidents — conducted by the same threat actor or others — come to light.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
