XZ Utils Supply Chain Attack: A Threat Actor Spent Two Years to Implement a Linux Backdoor
A threat actor quietly spent the last two years embedding themselves in the core team of maintainers of XZ Utils, a free command-line data compression tool widely used on Linux systems.
The CVE-2024-3094 backdoor found in XZ Utils was designed to interfere with authentication in sshd, the OpenSSH server daemon that handles incoming SSH connections.
How the XZ backdoor was implemented cautiously over more than two years.
Finally, the attacker contacted several people responsible for different Linux distributions to get the backdoored versions of XZ Utils included in those distributions.
Richard WM Jones from Red Hat wrote about it on a forum: "Very annoying - the apparent author of the backdoor was in communication with me over several weeks trying to get xz 5.6.x added to Fedora 40 & 41 because of its 'great new features'. We even worked with him to fix the valgrind issue. We had to race last night to fix the problem after an inadvertent break of the embargo. He has been part of the xz project for 2 years, adding all sorts of binary test files, and to be honest with this level of sophistication I would be suspicious of even older versions of xz until proven otherwise".
Figure A. The backdoor is composed of several parts that have been included over multiple commits on the XZ Utils GitHub, described in depth by Freund.
News URL: https://www.techrepublic.com/article/xz-backdoor-linux/
Related news
- Kaspersky releases free tool that scans Linux for known threats
- Third-Party Cyber Attacks: The Threat No One Sees Coming – Here's How to Stop Them
- New ARM 'TIKTAG' attack impacts Google Chrome, Linux systems
- Polyfill.io JavaScript supply chain attack impacts over 100K sites
- Plugins on WordPress.org backdoored in supply chain attack
- Over 110,000 Websites Affected by Hijacked Polyfill Supply Chain Attack
- Critical Flaws in CocoaPods Expose iOS and macOS Apps to Supply Chain Attacks
- 'Almost every Apple device' vulnerable to CocoaPods supply chain attack
- Millions of Apple Applications Were Vulnerable to CocoaPods Supply Chain Attack
- 60 New Malicious Packages Uncovered in NuGet Supply Chain Attack
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK (CVSS)
---|---|---|---
2024-03-29 | CVE-2024-3094 | Embedded Malicious Code vulnerability in Tukaani XZ 5.6.0/5.6.1: malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. | 10.0