
Last week a catastrophic event was avoided that almost created a powerful backdoor into Linux systems. Let me preface this blog by saying that I am not a cybersecurity professional and that I am going to give my best take on this event, but it will not be perfect. A backdoor was released in XZ Utils, the compression tool and library (liblzma) that ships with nearly every Linux distribution, in versions 5.6.0 and 5.6.1. The potential impact of this backdoor cannot be overstated, as Linux runs the large majority of the world's web servers. The most interesting thing about it, in my mind, is the amount of time, planning, social engineering and effort that went into creating it, all to be stopped by one man who was perceptive enough to notice that a login was taking a few hundred milliseconds longer than it should.

This backdoor was found by Andres Freund, a Microsoft engineer who works on PostgreSQL. While doing performance testing on a Debian unstable machine he noticed that SSH logins were taking about half a second longer than usual, that sshd (the Secure Shell daemon, the server-side process of the SSH protocol) was burning far more CPU than it should during those logins, and that Valgrind, a debugging tool he uses, was reporting errors in liblzma. He traced the slowdown to the newly released XZ Utils 5.6.0 and 5.6.1, dug into the upstream repository and release tarballs on his own, and reported the backdoor to the oss-security mailing list on 29 March 2024. It was assigned CVE-2024-3094 and a CVSS score of 10/10 because of the degree of control it hands an attacker and how widely liblzma is deployed. The injection happens at build time. A modified m4/build-to-host.m4, present only in the release tarballs and not in the Git tree, decodes a script hidden in the test file tests/files/bad-3-corrupt_lzma2.xz during the library's build. That script decodes a second test file, tests/files/good-large_compressed.lzma, into another script, which in turn extracts an object file that is linked into liblzma (the general-purpose compression library behind xz). Once loaded, the object abuses glibc's IFUNC (indirect function) mechanism, which runs resolver code during symbol resolution, to replace the function pointer for OpenSSH's RSA_public_decrypt; sshd does not link liblzma directly, but on several distributions it links libsystemd, which pulls liblzma in. When a client presents an RSA key whose modulus carries a payload signed with the attacker's Ed448 private key, the hook passes the embedded command to system() before authentication completes, so the attacker gets unauthenticated remote code execution as the user sshd runs as, normally root. No stolen client certificate is involved; the attacker's own key is the credential. Although not everyone uses Linux or SSH, I believe this attack could have been devastating for big business and DoD targets, specifically for organizations whose administrators remote into servers over SSH. It was caught while the affected versions had only reached bleeding-edge distributions such as Fedora Rawhide and Debian unstable, before any mainstream stable release shipped them.
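The detail that matters most for anyone who packages or builds software is that the malicious build script lived only in the release tarball, not in the repository everyone was reviewing. The script below is an added example written for this post (it is not code from the original post or from the xz project): it lists every file a release tarball carries that the corresponding Git tag does not. It assumes git, tar, comm and mktemp are installed, and the demo function builds its own throwaway repository and tarball, with a file named m4/build-to-host.m4 standing in for the injected script; the demo contents are constructed, not taken from any real release.

```shell
#!/bin/sh
# Added example (not from the original post or the xz project): find files that
# exist in a release tarball but are absent from the git tag it claims to package.
# A build-time injection that never went through code review shows up here.
set -eu

# tarball_only_files TARBALL REPO TAG
# Prints each path present in TARBALL but missing from `git archive TAG` of REPO.
# `tar -t` auto-detects gzip/xz compression in GNU tar and bsdtar, so the tarball
# may be .tar, .tar.gz or .tar.xz.
tarball_only_files() {
    tarball=$1
    repo=$2
    tag=$3
    work=$(mktemp -d)
    # Drop directory-only entries and the leading "name-version/" component.
    tar -tf "$tarball" | grep -v '/$' | sed 's#^[^/]*/##' | sort -u >"$work/tarball.lst"
    git -C "$repo" archive --format=tar "$tag" | tar -tf - | grep -v '/$' | sort -u >"$work/git.lst"
    # comm -23: lines only in the first (sorted) file.
    comm -23 "$work/tarball.lst" "$work/git.lst"
    rm -rf "$work"
}

# demo_tarball_check: constructs a throwaway repo tagged v1.0 and a "release"
# tarball that adds one file the tag never had (a hypothetical m4/build-to-host.m4
# standing in for the real injected script), then reports the difference.
demo_tarball_check() {
    sandbox=$(mktemp -d)
    repo="$sandbox/proj"
    mkdir -p "$repo/tests/files" "$repo/m4"
    printf 'AC_INIT([proj], [1.0])\n' >"$repo/configure.ac"
    printf 'placeholder test vector\n' >"$repo/tests/files/good.lzma"
    printf 'dnl legitimate macro\n' >"$repo/m4/ax_check.m4"
    git -C "$repo" init -q
    git -C "$repo" add .
    git -C "$repo" -c user.name=demo -c user.email=demo@example.invalid commit -q -m 'release 1.0'
    git -C "$repo" tag v1.0

    # Stage the release: everything from git plus one file added at packaging time.
    stage="$sandbox/stage/proj-1.0"
    mkdir -p "$stage"
    cp -R "$repo/configure.ac" "$repo/tests" "$repo/m4" "$stage/"
    printf 'dnl injected at release time\n' >"$stage/m4/build-to-host.m4"
    (cd "$sandbox/stage" && tar -cf "$sandbox/proj-1.0.tar" proj-1.0)

    tarball_only_files "$sandbox/proj-1.0.tar" "$repo" v1.0
    rm -rf "$sandbox"
}
```

Against a real autotools project the list will never be empty: tarballs legitimately carry generated files (configure, Makefile.in, gnulib m4 macros) that the repository does not track. The useful workflow is to run `autoreconf` yourself on the tag, diff the result against the tarball, and treat any script or macro file that differs as something to read line by line before building; in the xz case it was exactly such a macro file that differed from its upstream gnulib original.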

This attack had been in motion since at least 2021, when the now-removed co-maintainer, who went by the name Jia Tan, began submitting patches to the XZ Utils project. Over the following two years he slowly gained the trust of the project's founder and sole maintainer, Lasse Collin, and was given commit access and eventually co-maintainer status. He posted legitimate fixes and helped with releases while either he or the group he was working with ran other accounts that appeared on the project's mailing list to complain about slow progress and ask for a new maintainer. That pressure pushed Collin, who had said publicly that he was stretched thin, to release faster and to hand more control to the main threat actor. Slowly but surely, the actor laid the groundwork (the test files, the build changes) and finally released the backdoor in versions 5.6.0 and 5.6.1. The pressure from the other accounts, along with the stress of running a very important piece of Linux software single-handedly, led to the threat actor gaining more control than he should have had. You can't blame the creator for giving him this power, given how well the social engineering was run. A multi-year plan, most likely by a hacking organization backed by a not-so-friendly state, was thwarted by a min-maxing open source developer.

Some people will say that examples like this are reasons why open source is dangerous. These people are not wrong. You must be very careful about who you trust and how much control over your programs you are willing to hand them. On the flip side, this is a rare example of how a backdoor could be implemented into an otherwise very secure system, and it took three years to pull off. In my mind, this is the perfect example of why open source works well: had this been proprietary software, the backdoor might never have been found, because nobody outside the vendor could have compared the shipped build against the source. For every unethical hacker there are many more ethical ones who are willing to help make the world a better place, or at least to help for a price. The backdoor was found very quickly, and although it was by chance, I believe it would only have been a matter of time before someone else found it as well. There are plenty of attacks still on the horizon, though, and everyone who wants to keep the world a safe place needs to remain vigilant and aware of dangers like this one.