{"id":3253,"date":"2024-04-24T15:55:13","date_gmt":"2024-04-24T20:55:13","guid":{"rendered":"https:\/\/www.darkreading.com\/application-security\/attacker-social-engineered-backdoor-code-into-xz-utils"},"modified":"2024-04-24T15:55:13","modified_gmt":"2024-04-24T20:55:13","slug":"attacker-social-engineered-backdoor-code-into-xz-utils","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/04\/24\/attacker-social-engineered-backdoor-code-into-xz-utils\/","title":{"rendered":"Attacker Social-Engineered Backdoor Code Into XZ Utils"},"content":{"rendered":"
<\/a><\/div>\n
<\/div>\n

An adversary doesn’t need sophisticated technical skills to execute a broad software supply chain attack like the ones experienced by SolarWinds and CodeCov. Sometimes, all it takes is a little bit of time and ingenius social engineering.<\/span><\/p>\n

That appears to have been the case with whoever introduced a backdoor in the <\/span>XZ Utils open source data compression utility<\/a><\/span> in Linux systems earlier this year. <\/span>Analysis of the incident<\/a><\/span> from Kaspersky this week, and similar reports from others in recent days, identified the attacker as relying almost entirely on social manipulation to <\/span>slip the backdoor<\/a><\/span> into the utility.<\/span><\/p>\n

Social Engineering the Open Source Software Supply Chain<\/h2>\n

Ominously, it may be a model that attackers are using to slip similar malware into other widely used open source projects and components.<\/span><\/p>\n

In an alert last week, the Open Source Security Foundation (OSSF) warned of the XZ Utils attack likely not being an isolated incident. The advisory identified at least one other instance where an <\/span>adversary employed tactics similar to the one used on XZ Utils<\/a><\/span> to take over the OpenJS Foundation for JavaScript projects.<\/span><\/p>\n

“The OSSF and OpenJS Foundations are calling all open source maintainers to be alert for social engineering takeover attempts, to recognize the early threat patterns emerging, and to take steps to protect their open source projects,” the OSSF alert said.<\/span><\/p>\n

A developer from Microsoft discovered the backdoor in newer versions of an XZ library called liblzma while investigating odd behavior around a Debian installation. At the time, only unstable and beta releases of Fedora, Debian, Kali, openSUSE, and Arch Linux versions had the backdoored library, meaning it was virtually a non-issue for most Linux users.<\/span><\/p>\n

But the manner in which the attacker introduced the backdoor is especially troubling, Kasperksy said. “One of the key differentiators of the SolarWinds incident from prior supply chain attacks was the adversary\u2019s covert, prolonged access to the source\/development environment,” Kaspersky said. “In this XZ Utils incident, this prolonged access was obtained via social engineering and extended with fictitious human identity interactions in plain sight.”<\/span><\/p>\n

A Low and Slow Attack<\/h2>\n

The attack appears to have begun in October 2021, when an individual using the handle “Jia Tan” submitted an innocuous patch to the single-person XZ Utils project. Over the next few weeks and months, the Jia Tan account submitted multiple similar harmless patches (described in detail in this <\/span>timeline<\/a><\/span>) to the XZ Utils project, which its sole maintainer, an individual named Lasse Collins, eventually began merging into the utility.<\/span><\/p>\n

Starting in April 2022, a couple of other personas \u2014 one using the handle “Jigar Kumar” and the other “Dennis Ens” \u2014 began sending emails to Collins, pressuring him to integrate Tan’s patches into XZ Utils at a faster pace.<\/span><\/p>\n

The Jigar Kumar and Dennis Ens personas gradually ratcheted up the pressure on Collins, eventually asking him to add another maintainer to the project. Collins at one point reaffirmed his interest in maintaining the project but confessed to being constrained by “long-term mental health issues.” Eventually, Collins succumbed to the pressure from Kumar and Ens and gave Jia Tan commit access to the project and the authority to make changes to the code.<\/span><\/p>\n

“Their goal was to grant full access to XZ Utils source code to Jia Tan and subtly introduce malicious code into XZ Utils,” Kaspersky said. “The identities even interact with one another on mail threads, complaining about the need to replace Lasse Collin as the XZ Utils maintainer.” The different personas in the attack \u2014 Jia Tan, Jigar Kumar, and Dennis Ens \u2014 appear to have deliberately been made to look like they were from different geographies, to dispel any doubts about their working in concert. Another individual, or persona, Hans Jansen, surfaced briefly in June 2023 with some new performance optimization code for XZ Utils that ended up being integrated into the utility.<\/span><\/p>\n

A Wide Cast of Actors<\/h2>\n

Jia Tan introduced the backdoor binary into the utility in February 2024 after gaining control of the XZ Util maintenance tasks. Following that, the Jansen character resurfaced \u2014 along with two other personas \u2014 each pressuring major Linux distributors to introduce the backdoored utility into their distribution, Kasperksy said.<\/span><\/p>\n

What’s not entirely clear is if the attack involved a small team of actors or a single individual who successfully managed several<\/span> <\/span><\/span>identities and manipulated the maintainer into giving them the right to make code changes to the project.<\/span><\/p>\n

Kurt Baumgartner, principal researcher at Kaspersky\u2019s global research and analysis team, tells Dark Reading that additional data sources, including login and netflow data, could help aid in the investigation of the identities involved in the attack. “The world of open source is a wildly open one,” he says, “enabling murky identities to contribute questionable code to projects that are major dependencies.”<\/span><\/p>\n

Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

An adversary doesn’t need sophisticated technical skills to execute a<\/p>\n","protected":false},"author":12,"featured_media":3254,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-3253","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/attacker-social-engineered-backdoor-code-into-xz-utils.jpg?fit=1000%2C667&ssl=1",1000,667,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/attacker-social-engineered-backdoor-code-into-xz-utils.jpg?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/attacker-social-engineered-backdoor-code-into-xz-utils.jpg?fit=300%2C200&ssl=1",300,200,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/attacker-social-engineered-backdoor-code-into-xz-utils.jpg?fit=640%2C427&ssl=1",640,427,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/attacker-social-engineered-backdoor-code-into-xz-utils.jpg?fit=640%2C427&ssl=1",640,427,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/attacker-social-engineered-backdoor-code-into-xz-utils.jpg?fit=1000%2C667&ssl=1",1000,667,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/attacker-social-engineered-backdoor-code-into-xz-utils.jpg?fit=1000%2C667&ssl=1",1000,667,true],"chromenews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/attacker-social-engineered-backdoor-code-into-xz-utils.jpg?fit=1000%2C667&ssl=1",1000,667,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/attacker-social-engineered-backdoor-code-into-xz-utils.jpg?resize=825%2C575&ssl=1",825,575,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/attacker-social-engineered-backdoor-code-into-xz-utils.jpg?resize=590%2C410&ssl=1",590,410,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/attacker-social-engineered-backdoor-code-into-xz-utils.jpg?fit=1000%2C667&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/3253","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=3253"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/3253\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/3254"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=3253"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=3253"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=3253"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}