How Close We Came to a Digital Apocalypse

A backdoor to the internet was thwarted, by accident!

Author

Ayman Elsawah
April 07, 2024

So in case you were on a silent retreat or away on vacation, some shocking news came out last week…

A vulnerability was implanted into a little known Linux library that opened an RCE (Remote Code Exploit) backdoor into any server running SSH. The vulnerability was a long tail attack of at least TWO years in the making. It’s been dubbed the XZ attack based on the library (xz-utils) that was affected.

Yes, you can now say THIS is a sophisticated attack. (I don’t use this term lightly). There were multiple “personalities” at play and this person had to build up a reputation to infiltrate the open source community and add this contribution.

Oh, and the worse part of all, it was discovered by accident due to a slow SSH login by a Microsoft engineer working on the project.

The backdoor works by allowing someone with a specific private key to execute commands from anywhere.

Keep in mind, the vulnerability DID make it into source and was shipped.

However it was detected within a few weeks, and unless you are updating your servers nightly, most people were not affected.

So because organizations are slow to update, we were saved? 🤦🏽

This is part of a class of attack called Supply Chain attacks. It’s not the first time this class of attack, but it’s the first time we know about such an attack at wide scale.

A notable example is the Codecov attack where a CI/CD provider was breached and thus was able to extract secrets and environment variable for customers images and builds. (I remember working on this incident!)

Let’s not forget Solarwinds, and many other supply chain attacks. Also let’s not underestimate nation state attacks like Stuxnet and Operation Aurora.

Some Questions To Ask

  • How many attacks like this exist that we don’t know about?

  • What are we going to do differently?

  • Why are we so shocked about this? It was only a matter of time.

I’ve sifted through a bunch of articles and posts on the topic and left a bookmark of all the links here for you to enjoy.

Original discovery of attack

Attack Timeline

Actual Contribution

FAQ

Deep Dive On The Attack

🔍XZ Detector By Binarly

The tool detects implementation of IFUNC and is based on behavioral analysis.

🧑🏽‍💻Test Out XZ Yourself!

Someone created a honeypot and exploit demo!

Independent Timezone Analysis Of Commits

Based on the activity of the attacker, it seems they worked a 9-6 job and took Holidays as well.

Thanks for reading!

ps. Is there a link you think I should add? Reply back and let me know!

📢 I’m pre-launching by vCISO Training Course and looking for the first 5-10 beta students in the next 10 days. I will be teaching the class live for a heavily discounted price. It’s geared for CISO’s and Security Leaders looking to go out on their own part-time or full-time and save time getting started. Fill out this form here for more info.

Join the conversation

or to participate.