A backdoor was discovered in the xz compression utility commonly used in Linux distributions, tracked as CVE-2024-3094 with a maximum CVSS score of 10. The malicious code was found by Microsoft engineer Andres Freund, who noticed unusual server CPU usage, preventing potential widespread infections and a significant security threat. The backdoor was part of a campaign spanning two years and was linked to a contributor named Jia Tan, who had a major role in the project.
Software Engineer Stops Attempt to Add Backdoor to Linux Operating Systems https://t.co/Q3AAiGHfPf
‘XZ Utils’ Open-Source Software Threat Prompts Concern https://t.co/xflQza76rs
The Linux xz Backdoor Episode: An Open Source Mystery https://t.co/1QY9Jjl5sG @alexwilliams #Linux #xzBackdoor #OpenSource #vulnerabilities
🗞 In @nytimes: "'This could have been the most widespread and effective backdoor ever planted in any software product,'" said @alexstamos, the chief trust officer at SentinelOne, a cybersecurity research firm. If [the XZ backdoor] had gone undetected, Mr. Stamos said, the…
⚡ Critical Supply Chain Compromise: Backdoor in XZ Utils allows RCE. See how to detect and mitigate CVE-2024-3094, a critical supply chain compromise, affecting XZ Utils Data compression library. Read: https://t.co/COTiT9qPtd #cybersecurity #infosecurity
The Mystery of ‘Jia Tan,’ the XZ Backdoor Mastermind : https://t.co/8u98xZwHk9
XZ backdoor found in CSS 🤯 https://t.co/6T2Jsmuap4
Unzipping the XZ Backdoor and Its Lessons for Open Source https://t.co/UY1E7XwnNL @dvdmelamed @jit_io #Sponsored #XZbackdoor #OpenSource #vulnerabilities
Interesting article on the attribution of the xz backdoor https://t.co/ZE4ocmDLRf https://t.co/dF1xKY7qZC
Future XZ-style backdoors will be a much bigger problem as AI programmers become truly useful as open source contributors Agents will grow reputation over long periods before attacking
Future XZ-style backdoors from trusted contributors will be a much bigger problem as AI programmers become truly useful as open source contributors Agents will grow reputation over long periods before attacking
I just read the most recent analysis of #xzbackdoor and how it was wormed in, and my takeaway is Autotools delenda est. Right now. 1/
"By January 2023, Jia Tan’s code was being integrated into XZ Utils. Over the next year, they would largely take control of the project from its original maintainer,... a change driven in part by nagging emails sent to [him] by a handful of users complaining about slow updates." https://t.co/9GL9hpaQ6m
Entitlement as a security issue—“The Xz backdoor and a near miss on the F-Droid app store show how the entitled attitude of some people in the open source community can be used to push malicious or insecure code.” https://t.co/qtTdWieDRB
Bullying in open source software is a massive security risk, as shown by the Xz backdoor, a near-miss at F-Droid, and as repeatedly pointed out by people trying to change the culture of FOSS over the years: https://t.co/DQzGuUDLua
Thinking a lot about the xz backdoor this week. Almost exactly 10 years ago, I wrote this about the Heartbleed attack and how we should do more to support OSS, especially for important libraries. Sadly, almost all of what I wrote then is still relevant. https://t.co/Hfse8Bh5Oz
What we know about the xz Utils backdoor that almost infected the world | https://t.co/XIt8TpnmSz
A #backdoor was discovered in a widely used compression library for #LinuxDistributions, revealing a complex #SupplyChain attack. ⚠️ https://t.co/QR4rnvLYs0
A look at XZ Utils attacker "Jia Tan", a persona experts say was used by a nation state group and that left little trace after working on the project since 2021 (Wired) https://t.co/R1DPacVGFd 📫 Subscribe: https://t.co/OyWeKSRpIM https://t.co/W7KrKQj28N
The Mystery of ‘Jia Tan,’ the XZ Backdoor Mastermind https://t.co/otGKBUfpiC
The thwarted XZ Utils supply chain attack was years in the making. Now, clues suggest nation-state hackers were behind the persona that inserted the malicious code. https://t.co/cSo0Or46Ic
Xz backdoor is one of the best pieces of evidence for the open source software development process. The backdoor would have never been spotted in closed-source software. https://t.co/kRfTkTHGkF
The xz utils backdoor story is nuts both from the perspective of how it was introduced and the one in a million way it was discovered. https://t.co/4z0YEb6KwL
Chainguard’s response to CVE-2024-3094, aka the backdoor in xz library https://t.co/jgqyxvQFXh via @chainguard_dev
If the story of the xz backdoor interests you, you should read the old-school version - the book The Cuckoo's Egg by Clifford Stoll (yes, the Klein bottle guy) telling the tale of his 1980s hunt for hackers.
A Microsoft employee stopped a backdoor from exposing Linux systems worldwide. The XZ backdoor could have wreaked absolute havoc on systems https://t.co/rnqo9Yn3om
I’m really glad we found the only backdoor that existed. Whew! #xz
Microsoft FAQ and guidance for XZ Utils backdoor - Microsoft Community Hub https://t.co/0KGoH2clav
How one volunteer stopped a backdoor from exposing Linux systems worldwide https://t.co/G1CdOdnlXI
New XZ backdoor scanner detects implant in any Linux binary https://t.co/XruLG8W3RV
New XZ Backdoor Scanner Detects Implants In Any Linux Binary https://t.co/sThz89erjH
Dangerous XZ Utils backdoor was the result of years-long supply chain compromise effort https://t.co/JYY2RMPOr5
“This was from the source, the person who was legitimately authorized to publish this was the one that did the attack, which makes it super challenging.” @feross Carefully Crafted Campaign Led to XZ Utils Backdoor https://t.co/EZaquUOkYf #decipher #deciphersec
xz Utils Backdoor https://t.co/zXcZBcZ7RD
xz Utils Backdoor: https://t.co/sU8d3sClOj by Schneier on Security #infosec #cybersecurity #technology #news
A timeline of the attack on open-source project XZ Utils, which began in late 2021 and led to a backdoor with RCE in Linux distros from Debian, Red Hat, others (research!rsc) https://t.co/deU8oMx1rJ 📫 Subscribe: https://t.co/OyWeKSRpIM https://t.co/Hrt92Fg4MZ
Some Relief For Linux Admins Living In Terror Of The XZ Backdoor https://t.co/trRJ76oKaf
🗳️ My response to the XZ Backdoor supply chain attack is it was
Collecting news and tools about the XZ backdoor: https://t.co/ImD2qtMAJn
One striking thing about the xz backdoor is how the uncool, mean standards of behavior common in FOSS, that many of us decried for years, & that many defended as authentic, tough, etc., ended up being not just exclusionary loser behavior, but a significant attack surface.
Very detailed breakdown of the xz exploit here https://t.co/4WUmvR0ZX9
This xz utils exploit is wild, unbelievably complex just from a technical perspective. And the social engineering that went into gaining control of the repo? Wew.
The tale of a #Microsoft developer who uncovered a hidden #Linux backdoor, preventing a potential widespread security disaster 👀 https://t.co/yfQPvVPBoQ
Trusted Contributor Plants Sophisticated Backdoor in Critical Open-Source Library https://t.co/ndRQksphg5
My piece on a remarkable multi-year campaign by unknown attackers to create a surreptitious backdoor into the world's internet servers via the Linux operating system. Bonus: I think the first time @xkcd has featured in @TheEconomist for more than a decade. https://t.co/EqcdIaYOGI https://t.co/FVwFAUijBH
The XZ backdoor happened. But the culprits ARE NOT: 1) open source, 2) burnout. A resourceful Agency would find a way. https://t.co/KdZPeuOgAu
Malicious Code in XZ Utils for Linux Systems Enables Remote Code Execution: https://t.co/JxQrGqg7j5 by The Hacker News #infosec #cybersecurity #technology #news
🛑 Malicious code discovered in widely used #Linux tool XZ Utils could lead to remote code execution. The incident underscores the dangers of open-source software reliance. Read now: https://t.co/6fl2E3csLZ If you use Linux, take action NOW.
4-2-2024 ($) •The XZ Backdoor •What Happened •Open Source Safety https://t.co/74YQF81fce
Xzbot : Notes, honeypot, and exploit demo for the xz backdoor : https://t.co/nvODhq6FQr Timeline of the xz open source attack : https://t.co/E5s9nNqOZq The xz attack shell script : https://t.co/BKwv6DjVmy https://t.co/mMWZ8OWLFk
It’s fascinating to see the stark differences between top-down and influence-based leadership styles reveal themselves in various responses to the xz backdoor and security of the open-source ecosystem.
Timeline of the xz open source attack : https://t.co/E5s9nNqOZq
Malicious Code in Linux xz Libraries Endangers SSH: https://t.co/54djk0D6M9 via @thenewstack & @sjvn For the first time, it appears that an important #Linux utility's maintainer deliberately placed malware in his code. #security
Xzbot: exploit demo for the xz backdoor (CVE-2024-3094) https://t.co/aNSICUPU1u
The XZ Backdoor: Everything You Need to Know https://t.co/cPlPexaxjS
The xz attack was not because it was open source. The attack failed because it was open source. The way this attack works for non-open source is the attacker spends 2 years getting an agent hired by a contract software development vendor, they sneak it in, nobody finds out.
🗞 In @404mediaco: @alexstamos, our Chief Trust Officer, on the xz Utils backdoor. To learn more, read the full article by @jason_koebler: https://t.co/vpO1nDYTyA https://t.co/bDgH7Atl3e
If you're wondering how the xz backdoor could happen... Once again we're talking about an open source project that is used the world over, and yet has one struggling lone maintainer who appears to have been preyed upon by a sophisticated adversary See below for more https://t.co/SVNRieoMdS
XZ Utils Backdoor Implanted in Carefully Executed, Multiyear Supply Chain Attack: https://t.co/prLBDyvs73 by darkreading #infosec #cybersecurity #technology #news
Malicious xz backdoor reveals fragility of open source https://t.co/Fvg7LdgfFd
So... to be clear the discovery of the xz backdoor was not due to security culture or anything like that. It was due to one guy who noticed that a server had substantial CPU overusage who also had the individual curiosity and skill to investigate.
Last Friday, March 29, a backdoor vulnerability in XZ Utils was discovered, resulting in widespread effects. Read the blog as HackerOne experts break down its impacts and show how we take the critical task of securing open source from talk to action. 🙌 https://t.co/Q4GQ0luRGU https://t.co/ivl7LmQsng
Linux xz Backdoor Damage Could Be Greater Than Feared: https://t.co/hl2pzZ1SUF via @thenewstack
Last week, malicious code affecting the latest version of the “xz” tools & libraries was identified by researchers. @anacondainc products & packages were not impacted by this incident & our customers are safe. Read more on this threat here 🔗 https://t.co/efEYooD7Dk
In light of the xz backdoor, and media picking up on this related research, we'll reshare the following: When AI code assistants repeatedly recommend packages that don't exist, when those dependencies are created, they are perfect for introducing malware https://t.co/VwE2KYZ3p5
"The person or people behind this project likely spent years on it. They were likely very close to seeing the backdoor update merged into #Debian and #RedHat, the two biggest distributions of #Linux": https://t.co/H4DNb3Y8lw #ethics #internet #cybersec #tech
Software Engineer Stops Attempt to Add Backdoor to Linux Operating Systems https://t.co/gqBPiz2REW
In a software supply chain hack described as a “nightmare scenario” by multiple experts, a contributor to an open-source project used by most Linux distributions was responsible for the breach that was nearly disastrous for the IT industry and customers. https://t.co/Uy3dawEqUq
📢 If you haven't heard by now, there's a new big security vulnerability: CVE-2024-3094 aka the libxz-utils backdoor. 😳 What's most shocking? The backdoor was introduced by none other than Jia Tan, a long-time maintainer of the XZ library. Per https://t.co/vIbo6rncKz the… https://t.co/eELOkLrX5L
Malicious Code in Linux xz Libraries Endangers SSH https://t.co/3dnQQFS2ez @sjvn #Vulnerability #MaliciousCode #xzLibraries #SSH
I've been reverse engineering the xz backdoor this weekend and have documented the payload format and written a proof-of-concept exploit for the RCE. The payloads are signed with an Ed448 key, so I patched my own key into the backdoor for testing. :-) https://t.co/CvKo3xPRkP https://t.co/HDrFYCHoqp
Supply Chain Attack: Major Linux Distributions Impacted by XZ Utils Backdoor #cybersecurity https://t.co/Mp7v09syoJ
Linux xz Backdoor Damage Could Be Greater Than Feared https://t.co/2GKt9aLTUk @joab_jackson #Linux #xz #MaliciousCode #Vulnerability
An ssh honeypot with the XZ backdoor. CVE-2024-3094 https://t.co/XRxRmGP3oU
Security researchers uncovered a potentially devastating backdoor embedded in many Linux operating systems. Read about it here. https://t.co/nNlPczY7XI #Linux | #Tech | #News
What we know about the xz Utils backdoor that almost infected the world https://t.co/4lsG2ISW8P
More about the xz backdoor… https://t.co/s6qV2oyfkF
The xz backdoor… https://t.co/jnfCjz2Fhs
If I were in charge, I would not have coded the xz backdoor. Why? Because I don’t know how.
🚨 Security Alert: CVE-2024-3094 🚨 On March 29th, 2024, a major security flaw was discovered in xz-utils, widely used for compression in Linux and macOS. In our latest blog by @codingo_, you'll uncover the details on the libxz-utils backdoor, timeline, and risk assessment.… https://t.co/wHvAxENILn
Good summary of xz backdoor: https://t.co/NgTzIaFdwJ Worth reading. https://t.co/tSYEDAn32O
Imagine how many backdoors are undiscovered. I wonder if there’s one running on my computer right now?
In case people missed it, an engineer who happened to notice a 500ms latency and had free time + skill to investigate, just disrupted an intelligence campaign running for at least a year that would have created a backdoor into most Linux systems in the world. We got really, really… https://t.co/Epm0uupb18
Regarding the XZ backdoor, open source dependencies, & unpaid maintenance: #BasicIncome is the most effective way to save us all from this & other unforeseen calamities. Unpaid labor holds up society, be it caretaking children, the elderly, the disabled, or that essential code library
A mysterious contributor, JiaT75, who planted the xz backdoor helped maintain the widely used compression library for the past two years. So what else was hidden in there? @thenewstack https://t.co/jb93lpVCQZ #JianTan
Linux xz Backdoor Damage Could Be Greater Than Feared https://t.co/2GKt9aLTUk #Linux #Security #rce CVE-2024-3094 #RedHat #Debian #Gentoo #Ubuntu #SUSE #ssh
Malicious Code in Linux xz Libraries Endangers SSH: https://t.co/54djk0D6M9 via @thenewstack & @sjvn For the first time, it appears that an important #Linux utility maintainer deliberately placed malware in his code. #security
So apparently the xz backdoor used an Ed448 signature to sign an RCE payload. I’m fascinated by the decision to toss away 48 bytes of payload space on a > 128-bit secure signature. Someone is being very smart or pretty dumb.
Malicious SSH backdoor sneaks into xz, Linux world's data compression library https://t.co/8rsp6OkLft
Technologist Versus Spy: The xz Backdoor Debate https://t.co/VVYWRMg32O
Saw some variations of this xz backdoor meme: "it happened in open source", "it was found by a Microsoft employee, aha" aiming to put the open-source nature of this as part of the issue... I think this example actually shows the exact opposite - why it is so important to have… https://t.co/iyF9Aecx7T
Technologist vs spy: the xz backdoor debate https://t.co/R48BoTy2Da
The xz backdoor was the final part of a campaign that spanned two years of operations. These operations were predominantly HUMINT style agent operations. There was an approach that lasted months before the Jia Tan persona was well positioned to be given a trusted role.
The xz utils backdoor story is absolutely wild and the fact that no major news outlet has so far reported on it shows how limited the public's understanding of digital security issues is. https://t.co/Lcz4lRvUSx
One of the compression formats widely used by Linux distributions, xz-utils, has been implanted with a backdoor that allows hackers to add malicious code that can gain remote unauthorized access. In 2022, an account named Jia Tan began to contribute code and became a major…
Microsoft engineer Andres Freund accidentally found the malicious code in versions of the XZ Utils compression tool, likely preventing thousands of infections (Mike Larkin / Security Boulevard) https://t.co/e1anMVJWNx https://t.co/oAMcDPZpkp
A backdoor was discovered in the xz compression utility commonly used in Linux distributions and is tracked as CVE-2024-3094, which has a maximum CVSS score of 10. #cybersecurity #infosec #ITsecurity https://t.co/RHStswNZVM
The recently-discovered backdoor in `xz-utils` has the open source development community up in arms—and for good reason. ⤵️
“We even worked with him to fix the valgrind issue (which it turns out now was caused by the backdoor he had added).... with this level of sophistication, we would be suspicious of even older versions of xz until proven otherwise": https://t.co/P39m5Pv3ge #ethics #cybersec