Linux got wrecked by backdoor attack

over the last few days the open source

world has been in panic mode a highly

sophisticated and carefully planned

attack affecting the XZ compression tool

was shipped to production and it's

compromised Linux dros like Debian CI

open Susa and others thank God Temple OS

is unaffected though and it's quite

possibly one of the most well executed

supply chain attacks of all time and

give some random dude unfettered access

to execute code on your machine via a

secret back door this is not your

everyday security vulnerability it's a

Threat Level Midnight 10.0 critical

issue on the cve RoR scale even higher

than famous bugs like heart bleed log

for shell and shell shock in today's

video you'll learn exactly how the XZ

back door works and the incredible story

of how it was discovered by accident it

is April 1st 2024 and you're watching

the code report unfortunately this is

not an April Fool's video If you happen

to be using one of the Linux distros

listed here you'll want to upgrade

immediately luckily it only affects a

very narrow set of dros most of which

are unstable builds but that's only

because this back door was discovered by

pure luck early on more on that in just

a second let's first take a deep dive

into this back door XY utils is a tool

for compressing and decompressing

streams based on the lle ziv Markoff

chain algorithm or lzma it contains a

command line tool that's installed on

most Linux dros by default which you can

use right now with the XZ command but

also contains an API Library called lib

lzma and many other pieces of software

depend on this library to implement

compression one of which is sshd or

secure shell demon a tool that listens

to SSH connection

like when you connect your local machine

to the terminal on a Cloud Server and

now here's where the back door comes in

but keep in mind researchers are still

figuring out exactly how this thing

works malicious code was discovered in

the tarballs of lib lzma which is the

thing that most people actually install

that malicious code is not present in

the source code though it uses a series

of obfuscations to hide the malicious

code then at build time it injects a

pre-built object disguised as a test

file that lives in the source code it

modifies specific parts of the lzma code

which ultimately allows the attach ha ER

to intercept and modify data that

interacts with this Library researchers

have also discovered that any payload

sent to the back door must be signed by

the attacker's private key in other

words the attacker is the only one who

can send a payload to the back door

making it more difficult to test and

monitor and the attacker went to Great

Lengths to obfuscate the code like it

contains no asky characters and instead

has a built-in State machine to

recognize important strings now because

the vast majority of servers that power

the internet are Linux based this back

door could have been a major disaster

luckily though a hero software engineer

named Andre frin was using the unstable

branch of Debian to Benchmark postgress

he noticed something weird that most

people would Overlook SSH logins were

using up more CPU resources than normal

initially he thought it was an issue in

Debian directly but after some

investigation discovered it was actually

Upstream in XY utils and that's really

bad because so many things depend on

this tool in German his last name

translates to friend which is fitting

because he single-handedly helped the

world avoid a multi-billion dollar

disaster but who done it who's the a bad

guy here at this point it's unclear the

lib lzma project is maintained by Lassie

Colin however the malicious tarballs are

assed by giaan a contributor to the

project this individual has been a

trusted contributor for the last few

years but clearly they've been playing

the long game they spent years building

up trust before trying the back door and

nobody even noticed when they made their

move I say they because we don't know if

this is an individual or a penetration

attempt from a rogue State like Russia

North Korea or the United States here's

a non-technical analogy imagine there's

a landlord we'll call him Lassie Colin

who manages a popular apartment building

it's a lot of work but this young

enthusiastic guy has been super helpful

over the last couple years adding all

sorts of upgrades and Renovations let's

call him gatan he does great work but

he's also been secretly installing

cameras in the bathrooms which only he

can access from the internet with his

password now he would have gotten away

with it too if it weren't for a pesky

tenant named andrees who happened to

notice that his electricity bill was

just a little bit higher than usual he

started looking behind the walls and

found some unexpected wies that led

right to the unauthorized cameras at

this point we don't know the true

identity of the hacker but whoever did

this was looking to cast a very wide net

and because it's protected by a secret

key can only be exploited by one party

XZ was a Sitting Duck because it's

extremely popular while also being very

boring with a single maintainer

whoever's behind this is either an

extremely intelligent psychopath or more

likely a group of state sponsored

Dimension hopping lizard people hellbent

on world domination and that's why the

only drro you should use is Temple OS

this has been the code report thanks for

watching watching and I will see you in

the next one