The recent discovery of the XZ Utils backdoor has reminded a developer of the F-Droid open source Android app repository of a similar incident that occurred a few years ago.
In late March, PostgreSQL maintainer Andres Freund alerted the cybersecurity industry of a backdoor he had discovered in the Liblzma (XZ Utils) data compression library, which is widely used by developers and is present by default in several Linux distributions.
An initial analysis of the backdoor suggested that it enabled SSH authentication bypassing, but further investigation revealed that it enabled remote code execution on vulnerable Linux systems. The vulnerability introduced by the malicious code is tracked as CVE-2024-3094.
While it’s not uncommon for sophisticated threat actors to target open source software in supply chain attacks, this incident stands out because the backdoor appears to be the result of a malicious operation that spanned several years.
In a post on Mastodon, Hans-Christoph Steiner, a maintainer of F-Droid, recalled a similar story from 2020, when an individual attempted to get F-Droid developers to add what later was determined to be a SQL injection vulnerability. That attempt was unsuccessful, but has some similarities to the XZ incident.
In the F-Droid incident, random accounts attempted to pressure developers into adding the malicious code.
While some have suggested in response to Steiner’s post that in the F-Droid case the introduction of an SQL injection vulnerability may have been an honest mistake, Steiner disagrees.
“Because the submitter deleted their account as a response to the review, I think it could be a deliberate attempt to insert the vuln,” Steiner said. “Plus all the attention from random new accounts. If it had been a normal review process, I could see how it could have been an honest mistake. But that scenario also makes it more attractive to the attacker, since making a mistake there is quite plausible, and could serve as an easy cover story.”
In the case of XZ Utils, the backdoor appears to have been added by an individual named Jia Tan, aka JiaT75. This might not be a real developer, but a persona created by a sophisticated threat actor. The name is Chinese, but the threat actor might have picked it as a false flag.
A timeline of the events created by researcher Russ Cox shows that Jia Tan started making contributions to the XZ Utils project in October 2021. He submitted several harmless patches over the next few months.
By the spring of 2022, Lasse Collin, the main developer of XZ Utils, had added some of Jia Tan’s patches to the project. However, not all of Jia Tan’s patches had made it into XZ Utils and Collin started getting messages pressuring him into merging the patches. The users pressuring Collin were later determined to be likely fake accounts created to increase Jia Tan’s chances of becoming an official maintainer.
By June 2022, Collin had already hinted at Jia Tan possibly becoming a maintainer and in a message in late-June he described the contributor as “practically a co-maintainer”. Over the next months, Jia Tan made several changes, and in June 2023 he started making modifications that Cox believes were likely in preparation for the backdoor.
The actual backdoor code was added on February 23, 2024, and it was discovered by Freund roughly one month later, before it was widely distributed via Linux distributions and other projects. In this timeframe, the threat actor behind the backdoor made attempts to hurry up the distribution of the malicious code, including through the use of fake accounts.
Collin is conducting an investigation of his own into this incident and has promised to share details in the coming days.
Dan Lorenc, software supply chain security expert and CEO of Chainguard, has shared some thoughts on the XZ Utils incident. Lorenc warned in a Security Conversations podcast back in 2022 about governments likely having hacking teams focusing on long-term open source software supply chain attacks.
It remains to be seen if other similar incidents — conducted by the same threat actor or others — come to light.
Related: Watch: Supply Chain and Third Party Risk Summit 2024
Related: Malware Upload Attack Hits PyPI Repository
Related: Cyber Insights 2024: Supply Chain
