XZ Utils: How a Major Cybersecurity Disaster Was Narrowly Avoided

A malicious actor created a Linux backdoor that could have caused untold damage. Their plan was foiled at the last minute.

An enormous cyber-attack that would have had a catastrophic impact on millions of computer systems across the planet was thwarted over the weekend by a lone researcher, who spotted a backdoor in the code for a widely used data compression tool.

Worryingly, the operation that facilitated the backdoor was persistent, highly sophisticated, and included some unique social engineering techniques — with the perpetrator masquerading as a legitimate developer for years.

If the researcher hadn’t caught on and one of the two compromised versions of XZ Utils had made it into a production release for any major Linux distro, the number of devices it could have affected would have made it a serious security disaster.

XZ Utils: The Backdoor That (Almost) Shook the World

Now tracked as CVE-2024-3094 by security researchers, the backdoor (a covert way to bypass authentication and encryption measures) was discovered by Microsoft engineer Andres Freund, who noticed some unusual errors and performance issues while working on a system running Debian.

The threat actor created it by inserting malicious code into the open-source library for XZ Utils, a data compression utility built into a huge range of Linux distributions and widely popular with developers.

The backdoor targeted SSH — the Secure Shell Protocol — one of the world’s most commonly used tools for authenticating and encrypting connections between devices. The backdoor would have allowed attackers to seize control of target devices with administrator-level privileges.

Luckily, the issue was discovered before it was put into any stable production versions of Linux, which would have been catastrophic. It wasn’t far off either, coming very close to being installed in Debian and Red Hat, two hugely popular distros.


Cloud security firm Akamai said that, had the threat actor been successful, the potential consequences would have “dwarfed” the SolarWinds backdoor.

Sophisticated Operation Almost Comes Off

Concerningly, the evidence at this stage points to the malicious behavior being a long-term project, which strongly suggests it may have been a state-sponsored operation.

According to Akamai, the threat actor started to add to the project almost two years ago, “slowly building credibility until they were given maintainer responsibilities,” which made it possible to code the backdoor. Wired traces their influence on GitHub back to 2021, when they made their first known commit on the platform.

To obtain these privileges quickly, the threat actor bombarded the good-faith maintainers with feature requests and bug reports, creating a fake demand for an additional maintainer role.

The GitHub repository where the code was being stored has since been disabled. Akamai says the code was “relatively hidden” because it was only included in the source code tarball releases, not in the public git repository.

Avoiding the Backdoor

Luckily, the vulnerability is only present in the most recent releases of XZ Utils: 5.6.0 and 5.6.1. The latter release actually includes a more refined version of the backdoor.

The recommended course of action for people using impacted Linux distributions is to downgrade to the most recent, unaffected versions of the tool.
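As an added example (not from the article), the shell snippet below reads the output of `xz --version` and flags the two release numbers named above, 5.6.0 and 5.6.1. It checks both the `xz` program line and the `liblzma` line, since the library can be at a different version from the command-line tool; the sample outputs at the bottom are constructed for demonstration.

```shell
#!/bin/sh
# Added example: flag an XZ Utils install whose reported version is one of
# the two affected releases, 5.6.0 or 5.6.1.

# Print every affected component found in the text of `xz --version`,
# which is passed as $1. Both the "xz (XZ Utils) X.Y.Z" line and the
# "liblzma X.Y.Z" line are inspected, because the two can differ.
xz_affected_versions() {
    printf '%s\n' "$1" | awk '
        /^xz \(XZ Utils\) / || /^liblzma / {
            v = $NF
            if (v == "5.6.0" || v == "5.6.1") print $1, v
        }'
}

# Exit status 0 if $1 contains an affected version, 1 otherwise.
xz_is_affected() {
    [ -n "$(xz_affected_versions "$1")" ]
}

# Run the check against the installed binary (assumes `xz` is on PATH).
# A version-string match is only a first indicator: confirm the installed
# package against your distribution's security advisory before and after
# downgrading, since distributions ship their own rebuilt packages.
check_installed_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not installed"
        return 2
    fi
    out=$(xz --version 2>/dev/null)
    if xz_is_affected "$out"; then
        echo "AFFECTED: $(xz_affected_versions "$out" | tr '\n' ' ')"
        return 0
    fi
    echo "not an affected version: $(printf '%s\n' "$out" | head -n 1)"
    return 1
}

# Constructed sample outputs used for demonstration (not real hosts).
SAMPLE_BAD='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_MIXED='xz (XZ Utils) 5.4.6
liblzma 5.6.0'
SAMPLE_OK='xz (XZ Utils) 5.4.6
liblzma 5.4.6'
```

Running `check_installed_xz` on a host prints either the affected component versions or the first line of the clean version banner.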


Written by:
Aaron Drapkin is Tech.co's Content Manager. He has been researching and writing about technology, politics, and society in print and online publications since graduating with a Philosophy degree from the University of Bristol six years ago. Aaron's focus areas include VPNs, cybersecurity, AI and project management software. He has been quoted in the Daily Mirror, Daily Express, The Daily Mail, Computer Weekly, Cybernews, Lifewire, HR News and the Silicon Republic speaking on various privacy and cybersecurity issues, and has articles published in Wired, Vice, Metro, ProPrivacy, The Week, and Politics.co.uk covering a wide range of topics.