An enormous cyber-attack that would have had a catastrophic impact on millions of computer systems across the planet was thwarted over the weekend by a lone researcher, who spotted a backdoor in the code for a widely used data compression tool.
Worryingly, the operation that facilitated the backdoor was persistent, highly sophisticated, and included some unique social engineering techniques — with the perpetrator masquerading as a legitimate developer for years.
If the researcher hadn’t caught on and one of the two compromised versions of XZ Utils had got into a production release for any major Linux distro, then the number of devices it could have impacted would have amounted to a serious security disaster.
XZ Utils: The Backdoor That (Almost) Shook the World
Now tracked as CVE-2024-3094 by security researchers, the backdoor (a covert way to bypass authentication and encryption measures) was discovered by Microsoft engineer Andres Freund, who noticed some unusual errors and performance issues while working on a system running Debian.
It was created by a threat actor who inserted malicious code into the open-source library for XZ Utils, a data compression utility built into a huge range of Linux distributions and widely popular with developers.
The backdoor targeted SSH — the Secure Shell Protocol — one of the world’s most commonly used tools for authenticating and encrypting connections between devices. The backdoor allowed attackers to seize control of target devices and use them like an administrator.
Luckily, the issue was discovered before it was put into any stable production versions of Linux, which would have been catastrophic. It wasn’t far off either, coming very close to being installed in Debian and Red Hat, two hugely popular distros.
Cloud security firm Akamai said that, had the threat actor been successful, the potential consequences would have “dwarfed” the SolarWinds backdoor.
Sophisticated Operation Almost Comes Off
Concerningly, the evidence at this stage points to the malicious behavior being a long-term project, which strongly suggests that it may have been a state-sponsored operation.
According to Akamai, the threat actor started to add to the project almost two years ago, “slowly building credibility until they were given maintainer responsibilities,” which made it possible to code the backdoor. Wired traces their influence on GitHub back to 2021, when they made their first known commit on the platform.
To obtain these privileges quickly, the threat actor bombarded the good-faith maintainers with feature requests and bug reports, creating a fake demand for an additional maintainer role.
The GitHub repository where the code was being stored has since been disabled. Akamai says the code was “relatively hidden” by only being included in source code tarball releases rather than the public Git repository.
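Because the malicious code lived only in the release tarballs and not in the public repository, the defensive check that would have surfaced it is a comparison of the two. The shell functions below are an added example, not code from the article or from the XZ Utils project: given an unpacked release tarball and a checkout of the repository at the matching tag (directory names and function names are my own), they list files that exist only in the tarball and files that exist in both but differ in content.

```shell
#!/bin/sh
# Added example: compare an unpacked release tarball against a repository
# checkout to find content that was shipped but never committed.
# Usage: tarball_only_files <tarball_dir> <repo_dir>
#        modified_common_files <tarball_dir> <repo_dir>

# Sorted list of regular files under a directory, relative paths, .git excluded.
list_source_files() {
    (cd "$1" && find . -type f ! -path './.git/*' | sort)
}

# Files present in the tarball but absent from the repository checkout.
tarball_only_files() {
    tmp_tar=$(mktemp); tmp_repo=$(mktemp)
    list_source_files "$1" > "$tmp_tar"
    list_source_files "$2" > "$tmp_repo"
    comm -23 "$tmp_tar" "$tmp_repo"
    rm -f "$tmp_tar" "$tmp_repo"
}

# Files present in both trees whose contents differ byte-for-byte.
modified_common_files() {
    tarball_dir=$1; repo_dir=$2
    tmp_tar=$(mktemp); tmp_repo=$(mktemp)
    list_source_files "$tarball_dir" > "$tmp_tar"
    list_source_files "$repo_dir" > "$tmp_repo"
    comm -12 "$tmp_tar" "$tmp_repo" | while IFS= read -r f; do
        cmp -s "$tarball_dir/$f" "$repo_dir/$f" || printf '%s\n' "$f"
    done
    rm -f "$tmp_tar" "$tmp_repo"
}
```

Generated build files (configure scripts, m4 macros) legitimately appear only in tarballs, so the first list is expected to be non-empty; the point of the check is that every entry on it, and every file on the second list, should be explainable by the release process rather than waved through.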
Avoiding the Backdoor
Luckily, the vulnerability is only present in the most recent releases of XZ Utils: 5.6.0 and 5.6.1. The latter release actually includes a more refined version of the backdoor.
The recommended course of action for people using impacted Linux distributions is to downgrade to the most recent unaffected version of the tool.
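To check whether a host carries one of the two affected releases, the script below is an added example (not from the article or the XZ Utils project): it parses the first line of `xz --version` output, which has the form `xz (XZ Utils) 5.6.1`, and flags the versions 5.6.0 and 5.6.1 named above. The function names are my own.

```shell
#!/bin/sh
# Added example: flag the two XZ Utils releases named as backdoored
# (5.6.0 and 5.6.1, CVE-2024-3094) on the local system.

# Returns 0 (affected) or 1 (not affected) for a bare version string such as "5.6.1".
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the version number from `xz --version` output,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1". Prints nothing on unexpected input.
parse_xz_version() {
    printf '%s\n' "$1" | head -n 1 | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Check the installed binary, if any. Prints a verdict; returns 0 only if affected.
check_installed_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not installed"
        return 1
    fi
    ver=$(parse_xz_version "$(xz --version 2>/dev/null)")
    if [ -z "$ver" ]; then
        echo "could not parse xz version"
        return 1
    fi
    if xz_version_affected "$ver"; then
        echo "AFFECTED: xz $ver matches a CVE-2024-3094 release"
        return 0
    fi
    echo "not affected: xz $ver"
    return 1
}
```

Source the file and run `check_installed_xz`; a zero exit status means the installed tool is one of the two affected versions. Note that a distribution package can carry the vulnerable library while reporting a patched package version, so the package manager's advisory for your distro remains the authoritative check.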