XZ Backdoor: Timeline and Overview

Here is the timeline and overview of the XZ backdoor attack:

Timeline

2021:

  • Someone using the name "Jia Tan" (username JiaT75) starts preparing for an attack on XZ Utils by making fake online accounts and getting involved in the XZ community to build trust.
  • Jia Tan makes their first known commit to an open source project, a suspicious change to the libarchive project.

2022:

  • Feb 6: Jia Tan submits a first legitimate commit to the XZ repository.
  • Apr-Jun: Fake accounts like "Jigar Kumar" pressure XZ maintainer Lasse Collin to add Jia Tan as a maintainer, claiming Collin has lost interest.
  • Jun 8: Collin says his ability to maintain XZ is limited due to mental health issues and that he values Jia Tan's contributions.
  • Nov 30: Collin changes the XZ bug reporting email to include Jia Tan.

2023:

  • Jan 11: Collin releases his final XZ version, 5.4.1.
  • Jan: Jia Tan makes their first commit to XZ Utils after earning trust.
  • Mar 18: Jia Tan builds and releases XZ 5.4.2.
  • Jun-Jul: Changes are made to XZ, including an ifunc implementation, possibly laying the groundwork for the attack.
  • Jul 8: Jia Tan disables ifunc fuzzing in oss-fuzz to prevent detection of upcoming malicious changes.

2024:

  • Feb: Jia Tan adds obfuscated backdoor code and releases compromised versions 5.6.0 and 5.6.1. The malicious versions are pulled into Debian, Fedora, Gentoo, Arch and openSUSE.
  • Mar 28: Andres Freund discovers the backdoor while troubleshooting SSH issues. Debian and other distributions are privately notified.
  • Mar 29: Freund posts a public warning about the backdoor. Red Hat announces that the backdoored versions shipped in Fedora.
  • Mar 30: Debian shuts down package builds to rebuild on clean machines.
  • Apr 1-3: Security researchers analyze the backdoor and publish detailed reports.

Overview

The XZ backdoor was a supply chain attack where an attacker, going by "Jia Tan", spent over 2 years building trust and gaining maintainer access to the widely used XZ Utils compression library.

In early 2024, Jia Tan used their privileged access to hide sophisticated backdoor code in XZ releases 5.6.0 and 5.6.1. The backdoor allowed remote code execution and SSH access to any system with the vulnerable XZ versions.
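As an added example (not part of the original post), here is a small POSIX shell check that a defender could run to see whether a host carries one of the two backdoored releases named above, 5.6.0 or 5.6.1. It parses the two-line output that `xz --version` prints (one line for the xz binary, one for liblzma) and flags either component, since sshd was exposed through the library rather than the command-line tool. The sample outputs inside the script are constructed for the demonstration; the version list is limited to the releases the post names, so a "not affected" result says nothing about other issues.

```shell
#!/bin/sh
# Added example, not code from the original post or the XZ project.
# Checks "xz --version" style output for the backdoored releases 5.6.0 and 5.6.1.
# Real output looks like:
#   xz (XZ Utils) 5.6.1
#   liblzma 5.6.1
# Both lines are checked because sshd was reached via liblzma, not the xz binary.

# Print the version number found at the end of a single output line.
version_of_line() {
    printf '%s\n' "$1" | awk '{print $NF}'
}

# Exit 0 if the version string is a known backdoored release, 1 otherwise.
is_backdoored_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Count how many lines of the given "xz --version" output report a
# backdoored version (0 means not affected by this specific backdoor).
count_backdoored() {
    n=0
    # A here-document keeps the loop in the current shell so $n survives;
    # a piped while-loop would run in a subshell and lose the count.
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if is_backdoored_version "$(version_of_line "$line")"; then
            n=$((n + 1))
        fi
    done <<EOF
$1
EOF
    echo "$n"
}

# Human-readable verdict for one host's "xz --version" output.
report_xz() {
    if [ "$(count_backdoored "$1")" -gt 0 ]; then
        echo "AFFECTED: backdoored xz/liblzma release present; downgrade or update now"
    else
        echo "not affected by the 5.6.0/5.6.1 backdoor (other issues not checked)"
    fi
}

# Constructed samples; on a real host run: report_xz "$(xz --version 2>/dev/null)"
SAMPLE_BAD='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_OK='xz (XZ Utils) 5.4.6
liblzma 5.4.6'
report_xz "$SAMPLE_BAD"
report_xz "$SAMPLE_OK"
```

On a real host, pass the live output of `xz --version` to `report_xz`; if the binary and library versions differ (for example after a partial upgrade), the per-line check still catches a lingering backdoored liblzma.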

The compromised code made its way into several major Linux distributions like Debian and Fedora before it was discovered on March 28, 2024 by Andres Freund while investigating SSH performance issues.

Freund privately notified distributions and then publicly disclosed the backdoor on March 29. This set off a scramble to analyze the malware, rebuild clean systems, and release patched versions.

The attack demonstrated the major impact a backdoor in a core open-source library can have. Researchers called it a "nightmare scenario" and possibly "the best executed supply chain attack" seen in the open source world. The identity and affiliations of "Jia Tan" remain unknown.
