The discovery of a sophisticated backdoor lurking within the popular xz/liblzma compression software recently sent shockwaves through the cybersecurity and opensource community. Today, CISA (the Cybersecurity and Infrastructure Security Agency) has issued an urgent alert and a set of recommendations to address this critical vulnerability. This incident highlights the ever-present danger of supply chain attacks and the importance of constant vigilance.
The Attack
Injection: The backdoor was subtly introduced in version 5.6.0 of the xz source code in Feb 24, 2023.
Activation: The attack code patches SSH server in memory. Upon activation, the malicious code changes the entry point of RSA_public_decrypt to point to its own code. This allows the attacker to have unauthorized access via SSH.
Scope: The vulnerability is tracked as CVE-2024-3094. XZ Utils versions 5.6.0 and 5.6.1 contain the malicious code. The initial report to Debian kicked off a cascade of alerts across Linux distributions. Other Linux distros, such as Kali, Fedora, are also affected.
Adversary's Dedication
What makes this supply chain attack particular interesting is that the Adversary's Dedication.
The malicious code was checked in by JiaT75, one active XZ project's developer who has been contributing into the project for the past 2 years. The motives behind this action are currently a subject of intense speculation, with possibilities ranging from a deliberate insider threat possibly associated with state-sponsored actors or organized crime, to the compromise of the developer's account.
The current evidence suggests a deliberate act by the developer. Notably, the individual behind this intrusion made concerted efforts to have xz 5.6.x incorporated into Fedora versions 40 & 41, citing "great new features" as a rationale. Moreover, this person recently introduced a SECURITY.md file to the xz-java project, advocating for private reporting of security vulnerabilities. This request, in hindsight, seems to be a strategic move to delay public disclosure and thereby extend the window for exploiting the vulnerability.
This incident somewhat bears the hallmarks of an insider/admin attack, given the attacker's role as an active contributor and releaser within the XZ project. This situation presents a formidable challenge for all existing supply chain security measures like Software Bill of Materials (SBOM), highlighting the difficulty in safeguarding against such sophisticated insider threats. There is simple No Silver Bullet.
The Importance of Asset Inventory
During a cyberattack, a meticulously maintained inventory of digital assets (software, hardware, data) becomes your most valuable tool to response and remediate. Specifically it is important to build your inventory regarding to 3rd party software component dependencies, or sometimes 4th party dependencies.
Also, stay up-to-date on exploits alert via via sources such as CISA is also critical.
Conclusion
The xz/liblzma backdoor and CISA's urgent alert underscore that cybersecurity is an ongoing battle. While perfect prevention might be elusive, a combination of vigilance, such as asset inventory and exploit alert, would drastically enhance your ability to response to such attacks.