How Close We Came to a Digital Apocalypse
A backdoor to the internet was thwarted, by accident!
So in case you were on a silent retreat or away on vacation, some shocking news came out last week…
A vulnerability was implanted into a little-known Linux library that opened an RCE (Remote Code Execution) backdoor into any server running SSH. The vulnerability was a long-tail attack at least TWO years in the making. It’s been dubbed the XZ attack after the library (xz-utils) that was affected.
Yes, you can now say THIS is a sophisticated attack. (I don’t use this term lightly). There were multiple “personalities” at play and this person had to build up a reputation to infiltrate the open source community and add this contribution.
Oh, and the worst part of all, it was discovered by accident due to a slow SSH login by a Microsoft engineer working on the project.
The backdoor works by allowing someone with a specific private key to execute commands from anywhere.
Keep in mind, the vulnerability DID make it into source and was shipped.
However, it was detected within a few weeks, and unless you are updating your servers nightly, most people were not affected.
So because organizations are slow to update, we were saved? 🤦🏽
This is part of a class of attack called Supply Chain attacks. It’s not the first attack of this class, but it’s the first time we know about such an attack at wide scale.
A notable example is the Codecov attack, where a CI/CD provider was breached and the attacker was thus able to extract secrets and environment variables from customers’ images and builds. (I remember working on this incident!)
Let’s not forget SolarWinds, and many other supply chain attacks. Also let’s not underestimate nation-state attacks like Stuxnet and Operation Aurora.
Some Questions To Ask
How many attacks like this exist that we don’t know about?
What are we going to do differently?
Why are we so shocked about this? It was only a matter of time.
So folks who are wringing their hands over the xz backdoor… What are we going to do differently to stop this in the future? My guess is we will preach and pontificate but not actually do anything useful…just like we always do!
— Charlie Miller (@0xcharlie)
4:54 AM • Apr 1, 2024
XZ Attack Links and Research
I’ve sifted through a bunch of articles and posts on the topic and left a bookmark of all the links here for you to enjoy.
Original discovery of attack
Attack Timeline
Actual Contribution
FAQ
Deep Dive On The Attack
🔍XZ Detector By Binarly
The tool detects implementation of IFUNC and is based on behavioral analysis.
🧑🏽💻Test Out XZ Yourself!
Someone created a honeypot and exploit demo!
Independent Timezone Analysis Of Commits
Based on the activity of the attacker, it seems they worked a 9-6 job and took holidays as well.
Thanks for reading!
ps. Is there a link you think I should add? Reply back and let me know!