Linux got wrecked by backdoor attack
Summary
TLDRThe open source community faces a critical security crisis as a sophisticated supply chain attack compromises the XZ compression tool, affecting numerous Linux distributions. The attack, which grants unauthorized code execution via a secret backdoor, is discovered by software engineer Andre Frin. The malicious code, hidden in the liblzma library and requiring the attacker's private key, raises questions about the perpetrator's identity, with suspicions ranging from individual hackers to state-sponsored entities. The incident underscores the importance of vigilance in software security.
Takeaways
- π¨ A sophisticated supply chain attack has affected the XZ compression tool, impacting various Linux distributions like Debian, CentOS, and openSUSE.
- π The attack introduced a secret back door, allowing unauthorized execution of code on affected machines through the XZ utility.
- β οΈ This security breach is considered a Threat Level Midnight 10.0, indicating a critical issue on the CVE RoR scale, surpassing the severity of known bugs like Heartbleed and Shellshock.
- π― The XZ back door relies on the lzma algorithm, which is widely used in Linux distributions and is also a part of the SSH daemon (sshd).
- π€ The liblzma library, which is compromised, is utilized by many software applications for compression functionalities.
- π The malicious code was obfuscated and injected during the build process, modifying the lzma code to enable data interception and manipulation.
- π The back door's payload must be signed with the attacker's private key, ensuring that only the attacker can exploit the vulnerability.
- π‘ The vulnerability was discovered by chance by a software engineer, Andre Frin, who noticed unusual CPU usage while benchmarking on Debian's unstable branch.
- π The potential impact could have been disastrous, given that the majority of internet servers run on Linux.
- π The attacker's identity remains unknown, with suspicions ranging from an individual to a state-sponsored group, possibly from countries like Russia, North Korea, or the United States.
Q & A
What is the main issue discussed in the video?
-The main issue discussed is a highly sophisticated and carefully planned attack affecting the XZ compression tool, which has been shipped to production and compromised various Linux distributions.
How does this attack rank in terms of severity?
-This attack is considered a Threat Level Midnight 10.0 critical issue on the CVE RoR scale, even higher than famous bugs like Heartbleed, Log4Shell, and ShellShock.
Which operating system is mentioned as being unaffected by the XZ back door?
-Temple OS is mentioned as being unaffected by the XZ back door.
What is XY utils and why is it significant in this context?
-XY utils is a tool for compressing and decompressing streams based on the Lempel-Ziv-Markov chain algorithm (LZMA). It contains a command-line tool installed on most Linux distributions by default and an API library called liblzma, which many other pieces of software depend on for compression.
How was the back door discovered?
-The back door was discovered by pure luck when a software engineer named Andre Marinescu was using the unstable branch of Debian to benchmark PostgreSQL. He noticed that SSH logins were using more CPU resources than normal, which led him to investigate and ultimately identify the issue in XY utils.
What is the role of the liblzma library in this security breach?
-The liblzma library, which is part of XY utils, contains the back door. Malicious code was found in the tarballs of liblzma, which is what most people install. The code is obfuscated and injects a pre-built object disguised as a test file during the build process, allowing the attacker to intercept and modify data that interacts with this library.
What is unique about the payload sent to the back door?
-The payload sent to the back door must be signed by the attacker's private key, meaning only the attacker can send a payload to the back door. This makes it more difficult to test, monitor, and adds a layer of protection for the attacker.
Who is suspected of introducing the malicious tarballs?
-A contributor to the liblzma project named 'gian' is suspected of introducing the malicious tarballs. This individual has been a trusted contributor for the last few years and has been building up trust before attempting this back door.
What is the potential impact of this back door on the internet?
-Since the vast majority of servers that power the internet are Linux-based, this back door could have been a major disaster. However, it was discovered early on, which helped to avoid a potential multi-billion dollar disaster.
What is the significance of the name 'Andre Marinescu' in this context?
-Andre Marinescu is the hero software engineer who discovered the back door while using the unstable branch of Debian. His last name translates to 'friend' in German, which is fitting as he single-handedly helped the world avoid a major disaster.
What is the current state of understanding regarding the true identity of the hacker?
-At this point, it is unclear who is behind the attack. It could be an individual, a group of state-sponsored hackers, or even a rogue state like Russia, North Korea, or the United States.
What is the recommended course of action for those using the affected Linux distributions?
-Users of the affected Linux distributions are advised to upgrade their systems immediately to mitigate the risk and potential impact of the XZ back door.
Outlines
π¨ Urgent Security Crisis in the Open Source World
The open source community has been thrown into a state of panic due to a highly sophisticated and meticulously planned attack on the XZ compression tool. This supply chain attack has compromised various Linux distributions, including Debian CI, open Suse, and others. Fortunately, Temple OS remains unaffected. The severity of this issue is unprecedented, surpassing even notorious vulnerabilities like Heartbleed and Shellshock. The video aims to explain the workings of the XZ back door and the remarkable story of its accidental discovery. It is crucial for users of the affected Linux distributions to upgrade their systems immediately, as this back door could have led to a catastrophic event had it not been discovered early.
Mindmap
Keywords
π‘Open Source
π‘Supply Chain Attack
π‘Linux Distros
π‘Back Door
π‘CVE RoR Scale
π‘LZMA
π‘SSH (Secure Shell)
π‘Obfuscation
π‘Private Key
π‘Andre Frin
π‘Lassie Colin
Highlights
The open source world is in panic due to a sophisticated attack on the XZ compression tool.
The attack has compromised Linux distributions like Debian, CI, openSUSE, and others.
Temple OS remains unaffected by this security breach.
This incident is considered one of the most well-executed supply chain attacks in history.
The threat level is rated 10.0 on the CVE RoR scale, higher than famous bugs like Heartbleed and Shellshock.
The XZ back door works by injecting a pre-built object disguised as a test file during build time.
The malicious code modifies the lzma code to intercept and alter data interacting with the library.
The payload sent to the back door must be signed by the attacker's private key, limiting access to the creator.
The attacker obfuscated the code to avoid detection, with no obvious characters and a built-in state machine to recognize important strings.
Linux-based servers, which power the majority of the internet, could have been severely impacted by this back door.
Andre Frin, a software engineer, discovered the issue by accident while benchmarking PostgreSQL on an unstable branch of Debian.
SSH logins were using more CPU resources than normal, which initially led Frin to investigate further.
The liblzma project is maintained by Lassie Colin, but the malicious tarballs were passed by giaan, a trusted contributor.
Giaan, or the group behind this, spent years building trust before implementing the back door without notice.
The true identity of the hacker remains unknown, and it is unclear whether it is an individual or a state-sponsored group.
The attack aimed to exploit the popularity and single maintainer status of XZ, making it a sitting duck.
The discovery by Andre Frin helped the world avoid a potential multi-billion dollar disaster.
The story serves as a reminder of the importance of security in open source software and the potential risks of supply chain attacks.
Transcripts
over the last few days the open source
world has been in panic mode a highly
sophisticated and carefully planned
attack affecting the XZ compression tool
was shipped to production and it's
compromised Linux dros like Debian CI
open Susa and others thank God Temple OS
is unaffected though and it's quite
possibly one of the most well executed
supply chain attacks of all time and
give some random dude unfettered access
to execute code on your machine via a
secret back door this is not your
everyday security vulnerability it's a
Threat Level Midnight 10.0 critical
issue on the cve RoR scale even higher
than famous bugs like heart bleed log
for shell and shell shock in today's
video you'll learn exactly how the XZ
back door works and the incredible story
of how it was discovered by accident it
is April 1st 2024 and you're watching
the code report unfortunately this is
not an April Fool's video If you happen
to be using one of the Linux distros
listed here you'll want to upgrade
immediately luckily it only affects a
very narrow set of dros most of which
are unstable builds but that's only
because this back door was discovered by
pure luck early on more on that in just
a second let's first take a deep dive
into this back door XY utils is a tool
for compressing and decompressing
streams based on the lle ziv Markoff
chain algorithm or lzma it contains a
command line tool that's installed on
most Linux dros by default which you can
use right now with the XZ command but
also contains an API Library called lib
lzma and many other pieces of software
depend on this library to implement
compression one of which is sshd or
secure shell demon a tool that listens
to SSH connection
like when you connect your local machine
to the terminal on a Cloud Server and
now here's where the back door comes in
but keep in mind researchers are still
figuring out exactly how this thing
works malicious code was discovered in
the tarballs of lib lzma which is the
thing that most people actually install
that malicious code is not present in
the source code though it uses a series
of obfuscations to hide the malicious
code then at build time it injects a
pre-built object disguised as a test
file that lives in the source code it
modifies specific parts of the lzma code
which ultimately allows the attach ha ER
to intercept and modify data that
interacts with this Library researchers
have also discovered that any payload
sent to the back door must be signed by
the attacker's private key in other
words the attacker is the only one who
can send a payload to the back door
making it more difficult to test and
monitor and the attacker went to Great
Lengths to obfuscate the code like it
contains no asky characters and instead
has a built-in State machine to
recognize important strings now because
the vast majority of servers that power
the internet are Linux based this back
door could have been a major disaster
luckily though a hero software engineer
named Andre frin was using the unstable
branch of Debian to Benchmark postgress
he noticed something weird that most
people would Overlook SSH logins were
using up more CPU resources than normal
initially he thought it was an issue in
Debian directly but after some
investigation discovered it was actually
Upstream in XY utils and that's really
bad because so many things depend on
this tool in German his last name
translates to friend which is fitting
because he single-handedly helped the
world avoid a multi-billion dollar
disaster but who done it who's the a bad
guy here at this point it's unclear the
lib lzma project is maintained by Lassie
Colin however the malicious tarballs are
assed by giaan a contributor to the
project this individual has been a
trusted contributor for the last few
years but clearly they've been playing
the long game they spent years building
up trust before trying the back door and
nobody even noticed when they made their
move I say they because we don't know if
this is an individual or a penetration
attempt from a rogue State like Russia
North Korea or the United States here's
a non-technical analogy imagine there's
a landlord we'll call him Lassie Colin
who manages a popular apartment building
it's a lot of work but this young
enthusiastic guy has been super helpful
over the last couple years adding all
sorts of upgrades and Renovations let's
call him gatan he does great work but
he's also been secretly installing
cameras in the bathrooms which only he
can access from the internet with his
password now he would have gotten away
with it too if it weren't for a pesky
tenant named andrees who happened to
notice that his electricity bill was
just a little bit higher than usual he
started looking behind the walls and
found some unexpected wies that led
right to the unauthorized cameras at
this point we don't know the true
identity of the hacker but whoever did
this was looking to cast a very wide net
and because it's protected by a secret
key can only be exploited by one party
XZ was a Sitting Duck because it's
extremely popular while also being very
boring with a single maintainer
whoever's behind this is either an
extremely intelligent psychopath or more
likely a group of state sponsored
Dimension hopping lizard people hellbent
on world domination and that's why the
only drro you should use is Temple OS
this has been the code report thanks for
watching watching and I will see you in
the next one
5.0 / 5 (0 votes)
revealing the features of the XZ backdoor
The Linux Hack was an inside jobβ¦
Understanding the Linux Backdoor: Implications for Open Source [When Penguins Cry]
Moscow attack: video captures gunmen storming concert hall and shooting dozens dead | BBC News
Delete Windows Todayβ¦
Abstraction Can Make Your Code Worse