Security: Why the "XZ backdoor" is worrying

spO0q - Apr 20 - - Dev Community

The recent attempt to compromise XZ, a library included in many Linux distributions out of the box, is worrying.

What's the point?

As far as I know, the attackers aimed to compromise the SSH daemon and ultimately expose vulnerable machines to the internet through SSH.

Any Linux machine running popular distributions, such as Ubuntu, would have been compromised:

Fortunately, it failed, but we're lucky, as the engineer who discovered the anomaly was not looking for security flaws.

Source: Openwall

The technical aspect might not be the scariest part

Of course, you might disagree with me, as this backdoor includes sophisticated obfuscation and a complex execution process, which is probably how APT (Advanced Persistent Threat) and other sponsored groups would operate.

Indeed, it is quite technical. However, the social engineering part looks even more complex in this case.

They started the social engineering attack two years ago

The threat actor managed to build enough credibility to become a co-maintainer of the project.

However, it was achieved in a very twisted way. They just bullied legitimate core maintainers to urge them to accept the (malicious) help of a generous opensource contributor.

They used multiple accounts to create the illusion that many users and organizations desperately needed some features. They accused legitimate contributors publicly of jeopardizing the project.

Opensource contributors usually want to do a good deed, which makes such attacks pretty efficient.

Some maintainers even helped fix bugs introduced by the backdoor (e.g., Fedora).

"Social engineering attacks are not sophisticated"

Some security specialists keep saying that SE attacks are not sophisticated, as it only relies on the human factor, which is often the weakest link.

Well, what do you mean by "sophisticated"?

I mean, in this case, they practically exploited the burnout of opensource maintainers and the core functioning of major online projects in the supply chain, reshaping the reality to put the pressure on people of good will.

It took them two years (from 2022 to 2024) to set up their evil plan, and they broke several layers of validation and security.

What does it mean for opensource and developers?

Unlike proprietary software, opensource software is auditable by anyone.

While it's a bit unlikely, it's still probable that someone will spot unwanted behaviors while running obscure benchmarks on very specific configurations.

Such highly-evasive attacks are difficult to understand in the end (at least, to me), but hurry seems a common pattern: at some point, someone will urge someone else to implement/build/publish something.

Take your time. Nobody will blame you for being too cautious, but if that happens, that's a huge red sign.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .