Attacker Social-Engineered Backdoor Code Into XZ Utils

Published: 23/11/2024   Category: security




Unlike the SolarWinds and CodeCov incidents, all it took for an adversary to nearly pull off a massive supply chain attack was some slick social engineering and a string of pressure emails.



An adversary doesn't need sophisticated technical skills to execute a broad software supply chain attack like the ones experienced by SolarWinds and CodeCov. Sometimes, all it takes is a little bit of time and ingenious social engineering.
That appears to have been the case with whoever introduced a backdoor into the XZ Utils open source data compression utility in Linux systems earlier this year.
Analysis of the incident from Kaspersky this week, and similar reports from others in recent days, identified the attacker as relying almost entirely on social manipulation to slip the backdoor into the utility.
Ominously, it may be a model that attackers are using to slip similar malware into other widely used open source projects and components.
In an alert last week, the Open Source Security Foundation (OSSF) warned that the XZ Utils attack is likely not an isolated incident. The advisory identified at least one other instance where an adversary employed tactics similar to those used on XZ Utils to take over JavaScript projects at the OpenJS Foundation.
"The OSSF and OpenJS Foundations are calling all open source maintainers to be alert for social engineering takeover attempts, to recognize the early threat patterns emerging, and to take steps to protect their open source projects," the OSSF alert said.
A developer from Microsoft discovered the backdoor in newer versions of an XZ library called liblzma while investigating odd behavior around a Debian installation. At the time, only unstable and beta releases of Fedora, Debian, Kali, openSUSE, and Arch Linux versions had the backdoored library, meaning it was virtually a non-issue for most Linux users.
But the manner in which the attacker introduced the backdoor is especially troubling, Kaspersky said. "One of the key differentiators of the SolarWinds incident from prior supply chain attacks was the adversary's covert, prolonged access to the source/development environment," Kaspersky said. "In this XZ Utils incident, this prolonged access was obtained via social engineering and extended with fictitious human identity interactions in plain sight."
The attack appears to have begun in October 2021, when an individual using the handle Jia Tan submitted an innocuous patch to the single-person XZ Utils project. Over the next few weeks and months, the Jia Tan account submitted multiple similar harmless patches (described in detail in this timeline) to the XZ Utils project, which its sole maintainer, an individual named Lasse Collin, eventually began merging into the utility.
Starting in April 2022, a couple of other personas — one using the handle Jigar Kumar and the other Dennis Ens — began sending emails to Collin, pressuring him to integrate Tan's patches into XZ Utils at a faster pace.
The Jigar Kumar and Dennis Ens personas gradually ratcheted up the pressure on Collin, eventually asking him to add another maintainer to the project. Collin at one point reaffirmed his interest in maintaining the project but confessed to being constrained by long-term mental health issues. Eventually, Collin succumbed to the pressure from Kumar and Ens and gave Jia Tan commit access to the project and the authority to make changes to the code.
"Their goal was to grant full access to XZ Utils source code to Jia Tan and subtly introduce malicious code into XZ Utils," Kaspersky said. The identities even interacted with one another on mail threads, complaining about the need to replace Lasse Collin as the XZ Utils maintainer. The different personas in the attack — Jia Tan, Jigar Kumar, and Dennis Ens — appear to have been deliberately made to look like they were from different geographies, to dispel any doubts about their working in concert. Another individual, or persona, Hans Jansen, surfaced briefly in June 2023 with some new performance optimization code for XZ Utils that ended up being integrated into the utility.
Jia Tan introduced the backdoor binary into the utility in February 2024 after gaining control of the XZ Utils maintenance tasks. Following that, the Jansen character resurfaced — along with two other personas — each pressuring major Linux distributors to introduce the backdoored utility into their distribution, Kaspersky said.
What's not entirely clear is whether the attack involved a small team of actors or a single individual who successfully managed several identities and manipulated the maintainer into giving them the right to make code changes to the project.
Kurt Baumgartner, principal researcher at Kaspersky's global research and analysis team, tells Dark Reading that additional data sources, including login and netflow data, could help the investigation of the identities involved in the attack. The world of open source is a wildly open one, he says, enabling murky identities to contribute questionable code to projects that are major dependencies.
