Linux got wrecked by backdoor attack
Summary
TLDR: In recent days the open-source world has been thrown into panic by a sophisticated attack on the XZ compression tool. The attack affected several Linux distributions, such as Debian CI and openSUSE; fortunately, Temple OS was unaffected. The attacker can execute code on users' machines through a backdoor, making this a serious supply chain attack. Researchers are still working out the details of the attack, but it is known that the malicious code is injected through the liblzma library. Fortunately, software engineer Andres Freund discovered the problem by chance, averting potentially billions of dollars in losses. The attacker's identity is currently unknown; it may be an individual or a state-sponsored hacking group.
Takeaways
- 🚨 The open-source world was recently thrown into panic by a sophisticated attack on the XZ compression tool, which affected several Linux distributions such as Debian CI and openSUSE.
- 🌟 Temple OS was unaffected and may be the only operating system spared by this supply chain attack.
- 🔒 The attack is considered one of the most carefully orchestrated supply chain attacks ever; a secret backdoor gave the attacker unrestricted code execution on affected machines.
- 📈 The vulnerability's severity was rated 10.0, higher even than the famous Heartbleed and Shellshock bugs.
- 🔍 The XZ tool is based on the LZMA algorithm and consists of a command-line tool plus the API library liblzma, which is installed on Linux systems everywhere.
- 🛠️ The malicious code is hidden in the liblzma tarball and injects a pre-built object at build time through a series of obfuscation steps.
- 🔑 Any payload sent to the backdoor must be signed with the attacker's private key, meaning only the attacker can send payloads.
- 🤔 The attacker's true identity is still unknown; it could be an individual or a state-sponsored hacking group.
- 👨‍💻 A security engineer named Andres Freund stumbled on the problem while using Debian's unstable branch, helping the world avoid potentially billions of dollars in losses.
- 🧐 The attacker may have built up trust over a long period before carrying out the attack; the true motive and goal remain unknown.
Q & A
What security incident recently happened in the open-source world?
- The recent incident is a carefully planned attack on the XZ compression tool that was shipped to production and affected Linux distributions such as Debian CI and openSUSE.
How severe is this security incident?
- Extremely severe: it is considered one of the best-executed supply chain attacks in history, rated a Threat Level Midnight 10.0, higher even than famous bugs such as Heartbleed, Log4Shell and Shellshock.
Which Linux distributions are affected?
- The affected distributions are mainly Debian CI and openSUSE; fortunately, Temple OS is not affected.
What does the XZ compression tool do?
- XZ is a tool for compressing and decompressing streams based on the LZMA algorithm. It consists of a command-line tool and the API library liblzma, which many other programs depend on for compression.
What is the relationship between SSHD and the XZ compression tool?
- SSHD (Secure Shell Daemon) listens for SSH connections and depends on the liblzma library from XZ for compression.
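As an added illustration of that dependency (example code written for this page, not from the video or the XZ project): `ldd` lists every shared library a binary loads, including ones pulled in indirectly through another library, so parsing its output shows whether a given sshd actually loads liblzma. The sample ldd output, library paths and load addresses below are constructed; `ldd_of` runs the real `ldd` command when pointed at a binary on the host.

```python
"""Added example: parse `ldd` output and report whether a binary (such as
sshd) loads liblzma. ldd lists indirect dependencies too, so a library pulled
in through another library still shows up."""
import re
import subprocess

# Matches "libname.so.N => /path/libname.so.N (0xADDR)", "libname.so.N (0xADDR)"
# and "/path/ld-linux.so (0xADDR)"; "=> not found" lines are handled separately.
LDD_LINE = re.compile(r"^(\S+)(?:\s+=>\s+(\S+))?(?:\s+\(0x[0-9a-f]+\))?$")


def parse_ldd(text):
    """Return {soname: resolved_path or None if not found}, skipping the vDSO
    and the dynamic loader line, which are not real library dependencies."""
    libs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "statically linked":
            continue
        if line.endswith("=> not found"):
            libs[line.split()[0]] = None
            continue
        match = LDD_LINE.match(line)
        if not match:
            continue
        name, path = match.groups()
        if name.startswith("linux-vdso") or name.startswith("/"):
            continue
        libs[name] = path
    return libs


def find_library(libs, prefix):
    """Subset of parsed libraries whose soname starts with prefix."""
    return {name: path for name, path in libs.items() if name.startswith(prefix)}


def links_liblzma(ldd_text):
    """{soname: path} for every liblzma variant the binary loads (empty if none)."""
    return find_library(parse_ldd(ldd_text), "liblzma")


def ldd_of(binary):
    """Run the real ldd on a host binary (e.g. /usr/sbin/sshd) and parse it."""
    out = subprocess.run(["ldd", binary], capture_output=True, text=True, check=True)
    return parse_ldd(out.stdout)


# Constructed sample ldd output; the paths and load addresses are made up.
SAMPLE_LDD = """\
\tlinux-vdso.so.1 (0x00007ffc1a3f0000)
\tlibcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f0c2a000000)
\tlibsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0c29f00000)
\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0c29e00000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0c29c00000)
\tlibmissing.so.1 => not found
\t/lib64/ld-linux-x86-64.so.2 (0x00007f0c2a200000)
"""

if __name__ == "__main__":
    print(links_liblzma(SAMPLE_LDD))  # constructed sample, not a live host
```

On a real host, `ldd_of("/usr/sbin/sshd")` gives the same dictionary for the installed daemon; an empty result from `find_library(..., "liblzma")` means the binary never loads the library, directly or indirectly.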
How was the malicious code hidden and injected?
- The malicious code is hidden in the liblzma tarballs behind a series of obfuscation steps. It is not in the source code; at build time it injects a pre-built object disguised as a test file, modifying specific parts of the lzma code so that the attacker can intercept and modify data passing through the library.
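A defender-side check that this description suggests (added example, not code from the video or the XZ project): compare a release tarball against an archive of the VCS tree it claims to come from, hashing every file. Content that exists only in the tarball, or that differs from the committed copy, is exactly where a build-time injection hides. The trees, paths and file contents below are constructed for the example, and the allowlist of autotools-generated files is an assumption a project would tune to its own build.

```python
"""Added example: diff the contents of a release tarball against the VCS tree
it claims to come from. A file that exists only in the tarball, or whose
content differs from the committed version, is where an injected build step
would hide; only a short allowlist of generated files is expected to differ."""
import fnmatch
import hashlib
import io
import tarfile

# Generated files a release tarball legitimately carries but the VCS tree does
# not (autotools output). Assumed allowlist; anything else tarball-only is reported.
EXPECTED_GENERATED = ("configure", "Makefile.in", "*/Makefile.in", "aclocal.m4", "config.h.in")


def build_archive(files):
    """Build an in-memory .tar.gz from a {path: bytes} mapping (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def digest_files(archive_bytes):
    """Map each regular file in a tar archive to its SHA-256, with the top-level
    directory (e.g. 'pkg-1.0/') stripped so two archives can be compared."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            path = member.name.split("/", 1)[1] if "/" in member.name else member.name
            data = tar.extractfile(member).read()
            digests[path] = hashlib.sha256(data).hexdigest()
    return digests


def compare_release_to_vcs(release_tgz, vcs_tgz, allow=EXPECTED_GENERATED):
    """Return the paths only present in the release tarball, the paths whose
    content differs from the VCS copy, and the tarball-only paths that the
    allowlist of generated files does not explain."""
    release, vcs = digest_files(release_tgz), digest_files(vcs_tgz)
    only_in_release = sorted(p for p in release if p not in vcs)
    modified = sorted(p for p in release if p in vcs and release[p] != vcs[p])
    unexpected = [p for p in only_in_release
                  if not any(fnmatch.fnmatch(p, pat) for pat in allow)]
    return {"only_in_release": only_in_release, "modified": modified, "unexpected": unexpected}


# Constructed sample trees; names and contents are made up for this example.
VCS_TREE = {
    "pkg-1.0/configure.ac": b"AC_INIT([pkg], [1.0])\n",
    "pkg-1.0/src/liblzma/lzma.c": b"int lzma_code(void) { return 0; }\n",
    "pkg-1.0/tests/files/constructed-good.lzma": b"\xfd7zXZ\x00constructed",
}
RELEASE_TREE = dict(VCS_TREE)
RELEASE_TREE["pkg-1.0/configure"] = b"#!/bin/sh\n# generated by autoconf\n"
RELEASE_TREE["pkg-1.0/m4/constructed-extra.m4"] = b"dnl not in the repository\n"
RELEASE_TREE["pkg-1.0/tests/files/constructed-good.lzma"] = b"\xfd7zXZ\x00different"


def demo():
    """Compare the constructed release tarball with the constructed VCS archive."""
    return compare_release_to_vcs(build_archive(RELEASE_TREE), build_archive(VCS_TREE))


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

For a real project the VCS side would be produced with `git archive` at the release tag and the release side would be the downloaded tarball; the `unexpected` and `modified` lists are then the review queue, and a binary test file that changed between the tag and the tarball deserves the same scrutiny as an extra build script.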
How does the attacker ensure that only they can send payloads to the backdoor?
- Any payload sent to the backdoor must be signed with the attacker's private key, so only the attacker can send one; this also makes testing and monitoring harder.
How was the incident discovered?
- By chance, by a software engineer named Andres Freund. While benchmarking Postgres on Debian's unstable branch he noticed that SSH logins consumed more CPU than usual; after investigating, he found that the problem was actually upstream in XZ Utils.
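Turning that observation into a repeatable check (added example, not the video's or Andres Freund's code): record the CPU time sshd spends per login on a known-good host as a baseline, then flag logins that exceed the median plus a multiple of the median absolute deviation. The millisecond values below are constructed sample data; the multiplier `k` and the `floor_ms` value are assumptions to tune per host.

```python
"""Added example: flag SSH logins whose sshd CPU time is far above a recorded
baseline. Median and MAD are used instead of mean and standard deviation so a
single slow login in the baseline does not inflate the threshold."""
from statistics import median


def mad(values, center):
    """Median absolute deviation of values around center."""
    return median(abs(v - center) for v in values)


def cpu_time_threshold(baseline_ms, k=5.0, floor_ms=5.0):
    """Threshold = median + k * MAD of the baseline samples. floor_ms keeps a
    perfectly flat baseline (MAD of 0) from flagging every tiny fluctuation."""
    center = median(baseline_ms)
    spread = max(mad(baseline_ms, center), floor_ms)
    return center + k * spread


def flag_slow_logins(samples, threshold_ms):
    """samples: iterable of (label, cpu_ms). Returns the labels above threshold."""
    return [label for label, cpu_ms in samples if cpu_ms > threshold_ms]


# Constructed sample data: sshd CPU milliseconds per login, the kind of number
# you would collect with `perf stat` or a timing wrapper on a known-good host.
BASELINE_MS = [42, 40, 45, 41, 44, 43, 39, 46]
OBSERVED = [("login-1", 44), ("login-2", 41), ("login-3", 520), ("login-4", 43)]


def demo():
    """Threshold derived from the constructed baseline and the logins it flags."""
    threshold = cpu_time_threshold(BASELINE_MS)
    return threshold, flag_slow_logins(OBSERVED, threshold)


if __name__ == "__main__":
    threshold, flagged = demo()
    print(f"threshold: {threshold:.1f} ms, flagged: {flagged}")
```

The point of a robust statistic here is that the baseline itself may contain an occasional slow login; a mean-based threshold would drift upward with each outlier, while median and MAD stay anchored to typical behaviour.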
What is known about who is behind the attack?
- It is still unknown. The liblzma project is maintained by Lasse Collin, but the malicious tarballs were signed by Jia Tan, a project contributor. Jia Tan had been a trusted contributor for several years but apparently attempted the backdoor after building up that trust. Whether this was an individual or a state-backed infiltration attempt is unknown.
What characterizes the XZ tool's maintainer and contributors?
- The maintainer is Lasse Collin; the contributor Jia Tan had been enthusiastic and helpful over the past few years, but this incident suggests the attack was carried out after trust had been established over a long period.
How large is the impact on the internet?
- Because most internet servers run Linux, this backdoor could have been a major disaster. Thanks to Andres Freund's discovery it was caught early, avoiding a potential multi-billion dollar disaster.
Why is Temple OS recommended?
- Temple OS is recommended because it was not affected by this incident and its security is assured.
Outlines
🚨 A Linux security crisis: the XZ compression tool backdoor
Recently the open-source world faced a carefully orchestrated, high-severity attack on the XZ compression tool that put several Linux distributions such as Debian CI and openSUSE at risk. Fortunately, Temple OS was unaffected. The attack is considered a textbook supply chain attack, and on the CVSS scale its severity even exceeds the famous Heartbleed and Shellshock bugs. The video explains in detail how the XZ backdoor works and how it was discovered by accident. So far only a handful of unstable Linux builds are affected, but since most internet servers run Linux, the backdoor could have had catastrophic consequences. Fortunately, software engineer Andres Freund noticed the anomaly while using Debian's unstable branch, helping the world avoid enormous financial losses. The attacker's identity is unknown; it could be an individual or a state-sponsored hacking group.
Keywords
💡 Open-source world
💡 XZ compression tool
💡 Linux distributions
💡 Supply chain attack
💡 Secret backdoor
💡 Malicious code
💡 SSH
💡 Andres Freund
💡 Lasse Collin
💡 State-sponsored hackers
💡 Temple OS
Highlights
The open-source world has been in panic in recent days because a highly sophisticated, carefully planned attack hit the XZ compression tool.
Affected Linux distributions include Debian CI and openSUSE; fortunately, Temple OS is unaffected.
This may be one of the most perfectly executed supply chain attacks ever, giving the attacker unrestricted access to execute code on machines through a secret backdoor.
This is not an ordinary vulnerability but a Threat Level Midnight 10.0 critical issue on the CVSS scale, higher even than the famous Heartbleed, Log4Shell and Shellshock.
How the XZ backdoor works, and the remarkable story of how it was discovered by accident, is covered in today's video.
Although today is April 1, 2024, this is not an April Fools' video; the situation is very serious.
XZ Utils is a tool for compressing and decompressing streams based on the LZMA algorithm and includes a command-line tool installed by default on most Linux distributions.
The liblzma library is used by many other programs for compression, including the SSH daemon.
The malicious code was found in the liblzma tarball but is absent from the source code; it uses a series of obfuscation techniques to hide itself.
At build time it injects a pre-built object disguised as a test file, modifying specific parts of the lzma code and allowing the attacker to intercept and modify data passing through the library.
Researchers also found that any payload sent to the backdoor must be signed by the attacker's private key, so only the attacker can send payloads to it.
The attacker went to great lengths to obfuscate the code: for example, it contains no obvious characters; instead a built-in state machine recognizes important strings.
Because most of the servers that run the internet are Linux based, this backdoor could have triggered a major disaster.
Fortunately, a software engineer named Andres Freund stumbled on an anomaly while benchmarking Postgres on Debian's unstable branch.
He noticed that SSH logins used more CPU than normal, which ultimately led him to find that the problem lay upstream in XZ Utils.
It is still unknown who created the backdoor; the liblzma project is maintained by Lasse Collin, but the malicious tarball was signed by project contributor Jia Tan.
Jia Tan had been a trusted contributor for the past few years, but apparently they attempted the backdoor after building trust, and nobody noticed.
We do not know the hacker's true identity; it may be an individual or an infiltration attempt by a rogue state such as Russia, North Korea or the United States.
Because the XZ tool is very popular and has a single maintainer, it was an easy target.
The attack was meant to cast a wide net, and because it is protected by a secret key it can only be exploited by one party, which made XZ a sitting duck.
The only operating system you should use is Temple OS; that's the end of this Code Report, thanks for watching.
Transcripts
Over the last few days the open source world has been in panic mode. A highly sophisticated and carefully planned attack affecting the XZ compression tool was shipped to production, and it's compromised Linux distros like Debian CI, openSUSE and others. Thank God Temple OS is unaffected though. It's quite possibly one of the most well-executed supply chain attacks of all time and gives some random dude unfettered access to execute code on your machine via a secret back door. This is not your everyday security vulnerability; it's a Threat Level Midnight 10.0 critical issue on the CVSS scale, even higher than famous bugs like Heartbleed, Log4Shell and Shellshock. In today's video you'll learn exactly how the XZ back door works and the incredible story of how it was discovered by accident.

It is April 1st 2024 and you're watching The Code Report. Unfortunately this is not an April Fools' video. If you happen to be using one of the Linux distros listed here you'll want to upgrade immediately. Luckily it only affects a very narrow set of distros, most of which are unstable builds, but that's only because this back door was discovered by pure luck early on. More on that in just a second; let's first take a deep dive into this back door.

XZ Utils is a tool for compressing and decompressing streams based on the Lempel-Ziv-Markov chain algorithm, or LZMA. It contains a command line tool that's installed on most Linux distros by default, which you can use right now with the xz command, but it also contains an API library called liblzma, and many other pieces of software depend on this library to implement compression. One of which is sshd, or Secure Shell daemon, a tool that listens to SSH connections, like when you connect your local machine to the terminal on a cloud server.

And now here's where the back door comes in, but keep in mind researchers are still figuring out exactly how this thing works. Malicious code was discovered in the tarballs of liblzma, which is the thing that most people actually install. That malicious code is not present in the source code though; it uses a series of obfuscations to hide the malicious code. Then at build time it injects a pre-built object disguised as a test file that lives in the source code. It modifies specific parts of the lzma code, which ultimately allows the attacker to intercept and modify data that interacts with this library. Researchers have also discovered that any payload sent to the back door must be signed by the attacker's private key. In other words, the attacker is the only one who can send a payload to the back door, making it more difficult to test and monitor. And the attacker went to great lengths to obfuscate the code: like, it contains no ASCII characters and instead has a built-in state machine to recognize important strings.

Now because the vast majority of servers that power the internet are Linux based, this back door could have been a major disaster. Luckily though, a hero software engineer named Andres Freund was using the unstable branch of Debian to benchmark Postgres. He noticed something weird that most people would overlook: SSH logins were using up more CPU resources than normal. Initially he thought it was an issue in Debian directly, but after some investigation discovered it was actually upstream in XZ Utils, and that's really bad because so many things depend on this tool. In German his last name translates to friend, which is fitting because he single-handedly helped the world avoid a multi-billion dollar disaster.

But who done it? Who's the bad guy here? At this point it's unclear. The liblzma project is maintained by Lasse Collin; however, the malicious tarballs are signed by Jia Tan, a contributor to the project. This individual has been a trusted contributor for the last few years, but clearly they've been playing the long game. They spent years building up trust before trying the back door, and nobody even noticed when they made their move. I say "they" because we don't know if this is an individual or a penetration attempt from a rogue state like Russia, North Korea or the United States.

Here's a non-technical analogy. Imagine there's a landlord, we'll call him Lasse Collin, who manages a popular apartment building. It's a lot of work, but this young enthusiastic guy has been super helpful over the last couple years, adding all sorts of upgrades and renovations; let's call him Jia Tan. He does great work, but he's also been secretly installing cameras in the bathrooms, which only he can access from the internet with his password. Now he would have gotten away with it too if it weren't for a pesky tenant named Andres who happened to notice that his electricity bill was just a little bit higher than usual. He started looking behind the walls and found some unexpected wires that led right to the unauthorized cameras.

At this point we don't know the true identity of the hacker, but whoever did this was looking to cast a very wide net, and because it's protected by a secret key, it can only be exploited by one party. XZ was a sitting duck because it's extremely popular while also being very boring, with a single maintainer. Whoever's behind this is either an extremely intelligent psychopath or, more likely, a group of state-sponsored dimension-hopping lizard people hellbent on world domination, and that's why the only distro you should use is Temple OS. This has been The Code Report, thanks for watching, and I will see you in the next one.