DEV Community

Patrick Henry
Patrick Henry

Posted on

The XZ Utils Backdoor: A Cautionary Tail with High Stakes

What is a Supply Chain Attack

We've all seen the movies where we see a hacker in a dark room who hacking away at a mainframe(what even is a "mainframe"). It's the troupe that prevails to this day. And that is why hackers aren't that. Those are the people that we watch out most for. Now attacks are becoming more sophisticated. The XZ Utils Backdoor is a prime example of the other attacks.

First What is XZ Utils....

  • "It is an Open-Source Compression library used in many Linux Distributions that allows for XZ Utils can compress and decompress the xz and lzma file formats. Since the LZMA format has been considered legacy,[2] XZ Utils by default compresses to xz. --Wikipedia
  • In most cases, xz achieves higher compression rates than alternatives like gzip and bzip2. Decompression speed is higher than bzip2, but lower than gzip. Compression can be much slower than gzip, and is slower than bzip2 for high levels of compression, and is most useful when a compressed file will be used many times. " -- Wikipedia Used to compress certain file formats, highly efficient, GitHub repo included into Linux distros and favored for how small files can be compressed into. It is run by a solo developer like many open-source projects. It is often that utilities like this are maintained by one person. It is cool that the open-source community can have individual people run full projects like this. But, don't get it twisted it is HARD WORK. Especially when so many rely on this technology. You want to fight to implement new features and like how the reality of software is. SOMETHING WILL BREAK... Always.

So the maintainer( Lassie Collin) of XZ Utils wanting to produce a good project worked on this outside of his regular job(we assume this because you don't get paid for maintaining projects like this). So you can imagine the amount of work it is and working this hard can lead to burnout. So in comes the hacker. He started getting involved in 2022 and was a truly helpful developer to solve bugs, implement new features, etc. The Hacker(Jia Tan) worked hard to help out and it seemed to gain the maintainer's trust. It seems the Hacker was more sophisticated in the Hacking than we've seen before as some people online started complaining that features were not being updated as the maintainer "no longer cared about the project." This caused Lassie Colling to respond and in the thread, it gets quite said as the maintainer is berated and Lassie tries to de-escalate the situation, at the same time mentioning that Jia Tan has been helping and maybe helping more in the later future. Some suspect that this was the Hacker making issues to burn out Lassie Colling. It works... Jia Tan is made a co-maintainer and soon helping out a lot with the project.

It seems Jia was still patient in the hack as he slowly disables ifunc(07-08-2022) which helps with finding malicious changes. Then in March of 2024, Jia gets ready to release the backdoor as he puts a binary backdoor into the testfiles of xz utils. This change affects 5.6 and 5.6.1. of XZ utils. This attack was only used when a computer used when SSH was used. The hacker wanted to hide these files as it was pushed to dev as binary and also git ignored from the src. The backdoor wasn't in for more than a month when a Microsoft engineer and gotten rid of it. He looked into it when he noticed his SSH connections were taking significantly more CPU resources than usual and he looked it.

How did the backdoor work

Well, it is a wonder how can a compression library take over SSH and that is answered by the fact that individual distributions of software can ask for a dependency like xz utils, and xz utils in turn has access to systemd which is something that contains a lot of information about your computer. According to Wired the backdoor, 'allows someone with the right private key to hijack sshd, the executable file responsible for making SSH connections, and from there to execute malicious commands. The backdoor is implemented through a five-stage loader that uses a series of simple but clever techniques to hide itself. It also provides the means for new payloads to be delivered without major changes being required.'

This exploit is so sophisticated on the coding and social engineering side that it is thought that it could be a malicious state action or even a threat actor ransomware software. This threat needs to be taken seriously because we got lucky that software like this ran undetected and possibly could have for a long time. allows someone with the right private key to hijack sshd, the executable file responsible for making SSH connections, and from there to execute malicious commands. The backdoor is implemented through a five-stage loader that uses a series of simple but clever techniques to hide itself. It also provides the means for new payloads to be delivered without major changes being required.

The threat actors started contributing to the XZ project almost two years ago, slowly building credibility until they were given maintainer responsibilities. Such long-term operations are usually the realm of state-sponsored threat actors, but specific attribution does not currently exist.

In conclusion

The XZ Utils backdoor incident underscores a critical vulnerability in the open-source software ecosystem: reliance on small, often solo, development teams for widely used utilities can lead to significant security risks. This particular case illustrates how a well-integrated hacker can exploit trust and goodwill within the community to execute a sophisticated supply chain attack. By gaining the trust of the main maintainer and gradually increasing their involvement, the hacker managed to embed a malicious backdoor in a critical compression tool, compromising numerous systems through its SSH functionalities.

The sophistication and patience of the attack suggest possible state sponsorship or a highly organized criminal entity aiming for long-term infiltration rather than immediate gain. This incident serves as a stark reminder of the need for rigorous security practices in software development and maintenance, including regular code audits, diversified maintainer teams, and heightened scrutiny of contributions to critical infrastructure components. As reliance on open-source software continues to grow, the community must strengthen its defenses against such insidious threats to prevent exploitation of its foundational elements.

In light of these revelations, organizations and individuals alike should reevaluate their security strategies, particularly around the integration and updating of open-source software, to safeguard against similar vulnerabilities in the future.

https://www.techrepublic.com/article/xz-backdoor-linux/
https://www.akamai.com/blog/security-research/critical-linux-backdoor-xz-utils-discovered-what-to-know
https://www.youtube.com/watch?v=0pT-dWpmwhA&pp=ygUHdGhlbyB4eg%3D%3D
https://www.youtube.com/watch?v=jqjtNDtbDNI&pp=ygUMeHogcHJpbWVnZWFuhttps://www.youtube.com/watch?v=vV_WdTBbww4&pp=ygUMeHogcHJpbWVnZWFu
https://www.youtube.com/watch?v=LaRKIwpGPTU&t=3238s&pp=ygUMeHogcHJpbWVnZWFu
https://www.youtube.com/watch?v=H_XNSDneR5g&pp=ygUWeHogcHJpbWVnZWFuIGxvdyBsZXZlbA%3D%3D

Top comments (0)