Dear readers, welcome to this new adventure of knowledge, where we delve into the complex and fascinating world of computer science and cybersecurity. Throughout 2021, this sector was hit by an unexpected storm. A flaw in the Java Apache Log4j 2 logging system, known as “Log4Shell,” threw developers into a whirlwind of panic. Considered the most critical vulnerability of the past decade, it forced experts worldwide to review millions of applications, frantically updating them to ensure their security.
In this article, we will explore together the causes, implications, and solutions adopted to tackle this global emergency. Enjoy the read!
Now, imagine a flaw as serious as Log4Shell, but a thousand times more devastating, capable of threatening almost every computer system on the planet. Yes, you heard that right.
A group of hackers, whose identity remains shrouded in mystery, inserted malicious code into the open-source library XZ Utils, a command-line tool used for data compression, widely adopted in major Linux distributions.
The Discovery by Andres Freund
March 29, 2024. It’s a day like any other for Andres Freund, a Microsoft engineer and PostgreSQL developer. Sitting at his desk, he immerses himself in micro-benchmarking, trying to optimize the performance of the beta version of Debian Linux. But something doesn’t add up. Freund notices that sshd, the SSH server, is unusually slow.
“I was trying to reduce the background noise in the system,” Freund stated in a post on Mastodon. “I noticed that the sshd processes were surprisingly using a lot of CPU, even though they were immediately failing due to incorrect usernames.”
Subsequent investigations reveal the incredible truth: an XZ Utils maintainer, Jia Tan, had inserted a backdoor into the code. This “malware” provides remote code execution, allowing attackers to take control of Linux systems worldwide.
The Spread of Malicious Code
The compromised versions of XZ Utils, tracked as CVE-2024-3094, received a CVSS score of 10.0, indicating maximum severity. The affected versions, 5.6.0 and 5.6.1 of XZ Utils, are now synonymous with terror in the computing world. Fortunately, the malicious code did not appear in any production Linux distribution, only in unstable and beta editions of Fedora, Debian, Kali, openSUSE, and Arch Linux.
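Freund’s clue was sshd’s behaviour, but the first practical question for an administrator was simply whether one of the two affected releases was installed. The POSIX shell script below is an added example, not part of the article or of the XZ project: it compares the local xz and liblzma versions against 5.6.0 and 5.6.1 and reports whether sshd is linked against liblzma (the sshd path /usr/sbin/sshd is an assumption).

```shell
#!/bin/sh
# Added example, not from the article: a defender's check for
# CVE-2024-3094. It flags the two backdoored releases (5.6.0, 5.6.1)
# in xz and liblzma, and reports whether sshd links against liblzma.

# True (exit 0) only for the two compromised releases.
xz_version_is_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Parse `xz --version` text ("xz (XZ Utils) 5.4.5" then "liblzma 5.4.5")
# into "tool lib". Text is passed in as an argument so this runs offline.
parse_xz_versions() {
    tool=$(printf '%s\n' "$1" | sed -n '1s/.*XZ Utils) \([0-9][0-9.]*\).*/\1/p')
    lib=$(printf '%s\n' "$1" | sed -n 's/^liblzma \([0-9][0-9.]*\).*/\1/p')
    printf '%s %s\n' "${tool:-unknown}" "${lib:-unknown}"
}

# Returns 1 (VULNERABLE) if the tool or liblzma is 5.6.0/5.6.1, else 0.
# liblzma is what matters, since the backdoor lives in the library.
classify_xz_output() {
    set -- $(parse_xz_versions "$1")
    if xz_version_is_affected "$1" || xz_version_is_affected "$2"; then
        printf 'VULNERABLE: xz %s, liblzma %s (CVE-2024-3094)\n' "$1" "$2"
        return 1
    fi
    printf 'OK: xz %s, liblzma %s\n' "$1" "$2"
}

# 0 if the local sshd loads liblzma, 1 if not or sshd is absent (path assumed).
sshd_links_liblzma() {
    p=/usr/sbin/sshd
    [ -x "$p" ] && ldd "$p" 2>/dev/null | grep -q liblzma
}

# Run both checks on this host; returns 1 if a compromised version is installed.
check_local_xz() {
    command -v xz >/dev/null 2>&1 || { echo 'xz not installed'; return 0; }
    status=0
    classify_xz_output "$(xz --version 2>/dev/null)" || status=1
    if sshd_links_liblzma; then echo 'sshd is linked against liblzma'
    else echo 'sshd not found or not linked against liblzma'; fi
    return $status
}

check_local_xz
```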
The Devious Plan
But how was this possible? The answer is as simple as it is unsettling: social engineering. The original maintainer of XZ Utils, Lasse Collin, was extremely busy with other projects. Since XZ Utils is an open-source project, anyone could contribute. However, the project was not adequately maintained.
This is where Jia Tan comes into play. He offers to help as a co-maintainer, recommended by various accomplices who praise his previous contributions. In 2021, Tan was added as a co-maintainer of the project and from then on introduced numerous code changes.
The Fall of XZ Utils
When the vulnerability, dubbed “XZ Outbreak,” becomes public knowledge, GitHub suspends the project and the GitHub accounts of both Collin and Tan. Collin, the original maintainer, is on vacation when the incident is discovered and reported. As soon as he becomes aware, he posts it on his blog, updating it as he learns new details.
Thomas Roccia, a threat researcher at Microsoft, publishes a detailed infographic on the events related to “XZ Outbreak” on X. The images, accompanied by incisive comments, go viral within hours.
The Wisdom of the Hackers
Freund’s accidental discovery of this supply chain attack averted a security disaster of epic proportions. However, the computing community is shaken. In an increasingly interconnected world, the words of Kevin Mitnick resonate as a warning:
“Companies spend millions of dollars on firewalls, encryption and secure access devices, and it’s money wasted; none of these measures address the weakest link in the security chain.”