A backdoor has been discovered in the XZ Utils library, affecting Linux distributions. The malicious code allows unauthorized access to SSH servers, compromising security. Red Hat and CISAgov have warned about the supply chain compromise, with the backdoor traced to upstream xz/liblzma. The backdoor was introduced by a mysterious contributor, JiaT75, over two years, leading to a potential remote code execution threat. The discovery was made by a software engineer who noticed unusual system behavior, highlighting the importance of open-source security and individual vigilance.
xz Utils Backdoor https://t.co/zXcZBcZ7RD
xz Utils Backdoor: https://t.co/sU8d3sClOj by Schneier on Security #infosec #cybersecurity #technology #news
A timeline of the attack on open-source project XZ Utils, which began in late 2021 and led to a backdoor with RCE in Linux distros from Debian, Red Hat, others (research!rsc) https://t.co/deU8oMx1rJ 📫 Subscribe: https://t.co/OyWeKSRpIM https://t.co/Hrt92Fg4MZ
Some Relief For Linux Admins Living In Terror Of The XZ Backdoor https://t.co/trRJ76oKaf
🗳️ My response to the XZ Backdoor supply chain attack is it was
Collecting news and tools about the XZ backdoor: https://t.co/ImD2qtMAJn
One striking thing about the xz backdoor is how the uncool, mean standards of behavior common in FOSS, that many of us decried for years, & that many defended as authentic, tough, etc., ended up being not just exclusionary loser behavior, but a significant attack surface.
Very detailed breakdown of the xz exploit here https://t.co/4WUmvR0ZX9
This xz utils exploit is wild, unbelievably complex just from a technical perspective. And the social engineering that went into gaining control of the repo? Wew.
The tale of a #Microsoft developer who uncovered a hidden #Linux backdoor, preventing a potential widespread security disaster 👀 https://t.co/yfQPvVPBoQ
Trusted Contributor Plants Sophisticated Backdoor in Critical Open-Source Library https://t.co/ndRQksphg5
My piece on a remarkable multi-year campaign by unknown attackers to create a surreptitious backdoor into the world's internet servers via the Linux operating system. Bonus: I think the first time @xkcd has featured in @TheEconomist for more than a decade. https://t.co/EqcdIaYOGI https://t.co/FVwFAUijBH
The XZ backdoor happened. But the culprit ARE NOT: 1) open source, 2) burnout. A resourceful Agency would find a way. https://t.co/KdZPeuOgAu
Malicious Code in XZ Utils for Linux Systems Enables Remote Code Execution: https://t.co/JxQrGqg7j5 by The Hacker News #infosec #cybersecurity #technology #news
🛑 Malicious code discovered in widely used #Linux tool XZ Utils could lead to remote code execution. The incident underscores the dangers of open-source software reliance. Read now: https://t.co/6fl2E3csLZ If you use Linux, take action NOW.
4-2-2024 ($) •The XZ Backdoor •What Happened •Open Source Safety https://t.co/74YQF81fce
Xzbot : Notes, honeypot, and exploit demo for the xz backdoor : https://t.co/nvODhq6FQr Timeline of the xz open source attack : https://t.co/E5s9nNqOZq The xz attack shell script : https://t.co/BKwv6DjVmy https://t.co/mMWZ8OWLFk
Timeline of the xz open source attack : https://t.co/E5s9nNqOZq
Malicious Code in Linux xz Libraries Endangers SSH: https://t.co/54djk0D6M9…… via @thenewstack & @sjvn For the first time, it appears that an important #Linux utility's maintainer deliberately placed malware in his code. #securit
Xzbot: exploit demo for the xz backdoor (CVE-2024-3094) https://t.co/aNSICUPU1u
The XZ Backdoor: Everything You Need to Know https://t.co/cPlPexaxjS
The xz attack was not because it was open source. The attack failed because it was open source. The way this attack works for non-open source is the attacker spends 2 years getting an agent hired by contract software development vendor, they sneak it in, nobody finds out.
🗞 In @404mediaco: @alexstamos, our Chief Trust Officer, on the xz Utils backdoor. To learn more, read the full article by @jason_koebler: https://t.co/vpO1nDYTyA https://t.co/bDgH7Atl3e
If you're wondering how the xz backdoor could happen... Once again we're talking about an open source project that is used the world over, and yet has one struggling lone maintainer who appears to have been preyed upon by a sophisticated adversary See below for more https://t.co/SVNRieoMdS
XZ Utils Backdoor Implanted in Carefully Executed, Multiyear Supply Chain Attack: https://t.co/prLBDyvs73 by darkreading #infosec #cybersecurity #technology #news
Malicious xz backdoor reveals fragility of open source https://t.co/Fvg7LdgfFd
So... to be clear the discovery of the xz backdoor was not due to security culture or anything like that. It was due to one guy who noticed that a server had substantial CPU overusage who also had the individual curiosity and skill to investigate.
My obit for Ross Anderson, who leaves a giant smoking crater in the fields of security engineering and digital rights activism : https://t.co/KyzBbQ5roC
Last Friday, March 29, a backdoor vulnerability in XZ Utils was discovered, resulting in widespread effects. Read the blog as HackerOne experts break down its impacts and show how we take the critical task of securing open source from talk to action. 🙌 https://t.co/Q4GQ0luRGU https://t.co/ivl7LmQsng
Linux xz Backdoor Damage Could Be Greater Than Feared: https://t.co/hl2pzZ1SUF via @thenewstack
Last week, malicious code affecting the latest version of the “xz” tools & libraries was identified by researchers. @anacondainc products & packages were not impacted by this incident & our customers are safe. Read more on this threat here 🔗 https://t.co/efEYooD7Dk
In light of the xz backdoor, and media picking up on this related research, we'll reshare the following: When AI code assistants repeatedly recommend packages that don't exist, when those dependencies are created, they are perfect for introducing malware https://t.co/VwE2KYZ3p5
📢 If you haven't heard by now, there's a new big security vulnerability: CVE-2024-3094 aka the libxz-utils backdoor. 😳 What's most shocking? The backdoor was introduced by none other than Jia Tan, a long-time maintainer of the XZ library. Per https://t.co/vIbo6rncKz the… https://t.co/eELOkLrX5L
Malicious Code in Linux xz Libraries Endangers SSH https://t.co/3dnQQFS2ez @sjvn #Vulnerability #MaliciousCode #xzLibraries #SSH
I've been reverse engineering the xz backdoor this weekend and have documented the payload format and written a proof-of-concept exploit for the RCE. The payloads are signed with an ED448 key, so I patched my own key into the backdoor for testing. :-) https://t.co/CvKo3xPRkP https://t.co/HDrFYCHoqp
Very sad to hear about @rossjanderson 's sudden passing. I learned a lot from him during my visit at Cambridge last month. He was very generous with his time. His impact on the security community will continue to be felt for many years. Thinking about his family and close ones. https://t.co/SCL2h6PDtS
Supply Chain Attack: Major Linux Distributions Impacted by XZ Utils Backdoor #cybersecurity https://t.co/Mp7v09syoJ
Linux xz Backdoor Damage Could Be Greater Than Feared https://t.co/2GKt9aLTUk @joab_jackson #Linux #xz #MaliciousCode #Vulnerability
RIP Ross Anderson, who made cybersecurity more realistic https://t.co/5rTB4i6qqT
An ssh honeypot with the XZ backdoor. CVE-2024-3094 https://t.co/XRxRmGP3oU
Security researchers uncovered a potentially devastating backdoor embedded in many Linux operating systems. Read about it here. https://t.co/nNlPczY7XI #Linux | #Tech | #News
What we know about the xz Utils backdoor that almost infected the world https://t.co/4lsG2ISW8P
More about the xz backdoor… https://t.co/s6qV2oyfkF
The xz backdoor… https://t.co/jnfCjz2Fhs
If I were in charge, I would not have coded the xz backdoor. Why? Because I don’t know how.
🚨 Security Alert: CVE-2024-3094 🚨 On March 29th, 2024, a major security flaw was discovered in xz-utils, widely used for compression in Linux and macOS. In our latest blog by @codingo_, you'll uncover the details on the libxz-utils backdoor, timeline, and risk assessment.… https://t.co/wHvAxENILn
Good summary of xz backdoor: https://t.co/NgTzIaFdwJ Worth reading. https://t.co/tSYEDAn32O
Ross Anderson: https://t.co/i61fBRWTv8 by Schneier on Security #infosec #cybersecurity #technology #news
In case people missed it, an engineer who happened to notice a 500ms latency and had free time + skill to investigate, just disrupted an intelligence campaign running for at least a year that would have created a backdoor into most Linux systems in the world. We got really, really… https://t.co/Epm0uupb18
Regarding the XZ backdoor, opensource dependencies, & unpaid maintenance: #BasicIncome is the most effective way to save us all from this & other unforeseen calamities. Unpaid labor holds up society, be it caretaking children, elderly, the disabled, or that essential code library
A mysterious contributor, JiaT75, who planted the xz backdoor helped maintain the widely used compression library for the past two years. So what else was hidden in there? @thenewstack https://t.co/jb93lpVCQZ #JianTan
Linux xz Backdoor Damage Could Be Greater Than Feared https://t.co/2GKt9aLTUk #Linux #Security #rce CVE-2024-3094 #RedHat #Debian #Gentoo #Ubuntu #SUSE #ssh
Malicious Code in Linux xz Libraries Endangers SSH: https://t.co/54djk0D6M9 via @thenewstack & @sjvn For the first time, it appears that an important #Linux utility maintainer deliberately placed malware in his code. #security
So apparently the xz backdoor used an Ed448 signature to sign an RCE payload. I’m fascinated by the decision to toss away 48 bytes of payload space on a > 128-bit secure signature. Someone is being very smart or pretty dumb.
Malicious SSH backdoor sneaks into xz, Linux world's data compression library https://t.co/8rsp6OkLft
Technologist Versus Spy: The xz Backdoor Debate https://t.co/VVYWRMg32O
Saw some variations of this xz backdoor meme: "it happened in open source", "it was found by Microsoft employee, aha" aiming to put the open-sourceness nature of this as part of the issue... I think this example actually shows the exact opposite - why it is so important to have… https://t.co/iyF9Aecx7T
Technologist vs spy: the xz backdoor debate https://t.co/R48BoTy2Da
The xz backdoor was the final part of a campaign that spanned two years of operations. These operations were predominantly HUMINT style agent operations. There was an approach that lasted months before the Jia Tan persona was well positioned to be given a trusted role.
The xz utils backdoor story is absolutely wild and the fact that no major news outlet has so far reported on it shows how limited the public's understanding of digital security issues is. https://t.co/Lcz4lRvUSx
One of the compression formats widely used by Linux distributions, xz-utils, has been implanted with a backdoor that allows hackers to add malicious code that can gain remote unauthorized access. In 2022, an account named Jia Tan began to contribute code and became a major…
The recently-discovered backdoor in `xz-utils` has the open source development community up in arms—and for good reason. ⤵️
“We even worked with him to fix the valgrind issue (which it turns out now was caused by the backdoor he had added).... with this level of sophistication, we would be suspicious of even older versions of xz until proven otherwise": https://t.co/P39m5Pv3ge #ethics #cybersec
Expert found a backdoor in XZ tools used many Linux distributions: https://t.co/asSwvcgelX by Security Affairs #infosec #cybersecurity #technology #news
xz backdoor https://t.co/TjCbjtIYll
The Xz backdoor highlights all of the good things about open source projects and also all of the vulnerabilities and weirdness associated with relying on essentially random volunteers to build software that huge parts of the internet use https://t.co/1Uvw4u4Xu0
Malicious Code in Linux xz Libraries Endangers SSH https://t.co/3dnQQFS2ez #Linux @sjvn CVE-2024-3094
The xz backdoor just got even *more* interesting… (h/t @FiloSottile ) https://t.co/eV4SA4p6N7
The `xz` package backdoor is just the tip of the iceberg. There's a CONSTANT low-level stream of malware and spyware being uploaded to npm, PyPI, and Go registries. I want to share a few examples from the 20,000+ malicious packages we detected so far: https://t.co/f0FqCeUPqC
The xz backdoor just got even *more* interesting… https://t.co/mOmmDeUfTH
XZ Utils backdoor https://t.co/ItCVWjMfVX
I don’t have anything useful to add about the xz backdoor, but the existence of a function called “RSA_public_decrypt” makes me roll my eyes.
Pro-tip: You can use @SocketSecurity to find out if you were affected by the backdoored `xz` package We built Socket for exactly this use case.
xz backdoor guy obviously sucks, but you gotta feel for them bc that’s 2 years of hard work down the drain foiled by someone randomly noticing a slight sshd perf degradation while benchmarking something completely unrelated 😂
This week’s xz back door is a reminder that every open source author that works on code your org relies on, is a potential insider threat. You’ll never meet them and cannot vet them. We haven’t been solving for this.
Is the xz backdoor story and its reaching mainline OS a suggestion that it may be a good idea to defer non-essential software upgrades? Time to reassess your threat models! Tons of obscure, extremely unremarkable software out there! Not speaking of the NodeJS dependency horror. https://t.co/DwD5W76qUM
My hot take on the xz back door: it’s a success for the community. It took 2 years to sneak it in and it was caught in 1 month before it was in any major distro. It is really hard to backdoor a distro which is pretty cool.
supply chain attacks are becoming quite sophisticated, xz backdoor fiasco is a reminder of how open source dev is in desperate need of revitalization https://t.co/grbVKlKa0f https://t.co/vEUgiYRpSc
The xz backdoor was initially caught by a software engineer at Microsoft. He noticed 500ms lag and thought something was suspicious. This is the Silver Back Gorilla of nerds. The internet final boss. https://t.co/6IyJQ2tpMm
Open source security did actually work in the xz situation: some random end user noticed unexpected behavior, investigated, was able to look at source, and found the back door. If it was closed source they’d have no idea if it was working as expected or not.
For those of you extremely outside the software build ecosystem: a malicious open source dev tried to push an updated library that would allow for a backdoor on almost any Linux machine. A guy caught it because it slowed his system down unexpectedly and he investigated. https://t.co/UZOdQVcprm
Backdoor was found in XZ utilities used by many Linux distros. https://t.co/fP9qLgwCVC #CybersecurityNews
Urgent: Secret Backdoor Found in XZ Utils Library, Impacts Major Linux Distros https://t.co/bqAx8EpIPf via @TheHackersNews
Urgent: Secret Backdoor Found in XZ Utils Library, Impacts Major Linux Distros https://t.co/9Jyxn9HhS1
➡️ Sad loss in the tech community! Ross Anderson, Cambridge professor and author of 'Security Engineering,' passes away at 67. https://t.co/ENbpovFGpX
'Security Engineering' Author Ross Anderson, Cambridge Professor, Dies at Age 67 https://t.co/qjxENK5ZKH
Urgent: Secret Backdoor Found in XZ Utils Library, Impacts Major Linux Distros: https://t.co/xFjWQdKPyY by The Hacker News #infosec #cybersecurity #technology #news
🛑 URGENT SECURITY ALERT! Secret backdoor found in XZ Utils compression library used by major #Linux distros, like Fedora, Kali Linux, and openSUSE. Attackers could breach SSH and take control of systems. https://t.co/lnZC90oC2k Update and review your systems immediately.
I'm still in shock the xz backdoor happened. But even more surprising is that it got caught because a dev noticed login in to his machine via ssh was taking 0.8s instead of the usual 0.3s and decided to look into it. And he happened to be familiar with the Valgrind situation
a project called xz-utils was found to have secret backdoors in it, introduced over the course of two years by a user(s?) suspected to be a very patient hacker or a nation state actor. the affected code is in many versions of linux, presumably now spread to thousands of machines.
xz 5.6.x has a backdoor. Fix your systems. https://t.co/lSTkmMisqc
🚨 Urgent security alert: Backdoor found in widely used Linux utility - here's how to use Socket to find out if you were affected: https://t.co/W6rPDtXAsZ
A serious backdoor was found in some versions of xz, a really basic package used in Linux. Fortunately it only affects a few distros that have these new versions. Unfortunately I run arch btw, so I am affected. Jokes aside, I may be lucky and ssh not affected. Upgrade! https://t.co/ILM2AR4Wd4
Wow, someone managed to get a backdoor into xz. Arch Linux just scrubbed all OS releases and Docker images between Feb/24 and Mar/28. Upgrade your systems.
A backdoor was discovered in the xz compression utility commonly used in Linux distributions and is tracked as CVE-2024-3094, which has a maximum CVSS score of 10. #cybersecurity #infosec #ITsecurity https://t.co/RHStswNZVM
Are You Affected by the Backdoor in XZ Utils?: https://t.co/dj3jccaBd1 by darkreading #infosec #cybersecurity #technology #news
Researchers find malicious code in versions of the Linux compression tool XZ Utils that were incorporated into unstable distributions from Red Hat and Debian (@dangoodin001 / Ars Technica) https://t.co/ZFTD7qkIAW 📫 Subscribe: https://t.co/OyWeKSRpIM https://t.co/21b4nErhka
This is not a drill. Linux users must check their xz installations. A remote SSH-based backdoor has been found in the widely used data compression library and tool, and has made its way into public distributions, including recent Fedora and Kali Linux. https://t.co/ymiy8GxLG5
Malicious backdoor sneaks into xz, Linux world's data compression library and tool https://t.co/FbTYlm8aUy
🚨 breaking radio silence to deliver a critical warning: the xz upstream tarballs have been backdoored for one month. This is a five alarm fire for everyone who uses Linux. https://t.co/oGz9JvD5er https://t.co/DnvWEVUSV9
The insertion of a backdoor into code used by most Linux distributions was discovered and fixed “before it posed a significant risk to the broader Linux community,” says @RedHat’s @vdanen. @RedHatSecurity https://t.co/2iauHSfKiL
It looks like latest xz in testing had been compromised with a backdoor. https://t.co/qZEKfhyhts And interesting email trail leading up to this: https://t.co/GriZo5IaEl So much of modern tech is built on backs of unpaid hobbyist maintainers :(
I'm deeply saddened by the news of Professor Ross Anderson's @rossjanderson passing. A pillar in security engineering, his work and profound contributions have left an indelible mark. His legacy, like Security Engineering book, will continue to inspire. https://t.co/TTvlsMrNzD
RIP Ross Anderson: https://t.co/fSa7WBWhgd by Light Blue Touchpaper #infosec #cybersecurity #technology #news
So there's a supply chain compromise in the xz library that is backdooring some Linux SSH installations. Goodbye long weekend... https://t.co/Ok7nDZYCMR
This upstream supply chain security attack is the kind of nightmare scenario that has gotten people describing it called hysterical for years. It’s real. Sleep well. backdoor in upstream xz/liblzma leading to ssh server compromise https://t.co/KbL7Cf9xyk
Upstream xz repository and the xz tarballs have been backdoored. Very serious security risk because xz is used for compression ... very widely. It makes a ssh server backdoored. This is very serious. Happens...? https://t.co/kyv5KgN6Su. Backdoor execution: https://t.co/looldQV9zz https://t.co/KISYY6vBH2
Backdoor found in widely used Linux utility breaks encrypted SSH connections https://t.co/IbxiDumu74
Ross Anderson, RIP. I am so sad about the passing of Ross Anderson on 28 March 2024. He was truly one of the most amazing cryptographers in the world. https://t.co/1BhkmNAK8g https://t.co/jMtwvRm4c5
Red Hat (@RedHat) and @CISAgov are warning about a supply chain compromise of XZ Utils software affecting Linux distributions. https://t.co/PzMHQxlxgq
I'm sad to hear Ross Anderson has died. He was so prolific and always a kind person to me: https://t.co/pVacnssX6l https://t.co/zZ3M3l1CtR
😱 https://t.co/JGAQzthXzF That’s a pretty clever backdoor and a subtle path from xz to sshd… The commits were authorized commits into the authentic upstream repo, so it’s an example of a good repo gone bad. Pretty scary. Pragmatic defense advice: *minimal* version selection.
wild stuff re: xz/liblzma backdoor https://t.co/aBenGeQlLk https://t.co/BNSjjXuNxm
xz repo and tarballs allegedly compromised: "backdoor in upstream xz/liblzma leading to ssh server compromise" https://t.co/59bkIXR1o8 #infosec #xz
Just a backdoor in XZ. Nothing important. https://t.co/ZgaPSE5fK8
Urgent Security Alert: XZ Struck By Malicious Code That Could Allow Unauthorized Remote System Access. XZ 5.6.0/5.6.1 contains malicious code allowing malicious actors to break SSHD authentication. https://t.co/sC7K4BuqkR
Backdoor in upstream xz/liblzma leading to ssh server compromise https://t.co/29Vfiz0n1T
Ross Anderson cared deeply about the human outcomes of security & policy. He did not focus his brilliance on amassing tech wealth but instead on the hardest challenges, using nuanced technical insights in fighting to protect the vulnerable. What a terrible loss for us all. 🫂❤️🩹
Prof Ross Anderson, RIP https://t.co/rFXz6NAnFx #RossAnderson