INDIA NEWS – http://www.indiavpn.org

Popular Rust Crate liblzma-sys Compromised with XZ Utils Backdoor Files
http://www.indiavpn.org/2024/04/12/popular-rust-crate-liblzma-sys-compromised-with-xz-utils-backdoor-files/
Fri, 12 Apr 2024 16:37:44 +0000


“Test files” associated with the XZ Utils backdoor have made their way to a Rust crate known as liblzma-sys, new findings from Phylum reveal.

liblzma-sys, which has been downloaded over 21,000 times to date, provides Rust developers with bindings to the liblzma implementation, an underlying library that is part of the XZ Utils data compression software. The impacted version in question is 0.3.2.

“The current distribution (v0.3.2) on Crates.io contains the test files for XZ that contain the backdoor,” Phylum noted in a GitHub issue raised on April 9, 2024.

“The test files themselves are not included in either the .tar.gz nor the .zip tags here on GitHub and are only present in liblzma-sys_0.3.2.crate that is installed from Crates.io.”

Following responsible disclosure, the files in question (“tests/files/bad-3-corrupt_lzma2.xz” and “tests/files/good-large_compressed.lzma”) have since been removed from liblzma-sys version 0.3.3 released on April 10. The previous version of the crate has been pulled from the registry.
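A defender-side check for the crate issue described above, added here as an example and not code from Phylum, the article, or the liblzma-sys project: it parses a Cargo.lock for the compromised liblzma-sys release and scans a .crate member listing for the two test files the article names. The sample lock file and member list are constructed for the demo.

```python
import re

# Quoted in the article: the affected crate release and the two test files.
AFFECTED = {"liblzma-sys": {"0.3.2"}}
BACKDOOR_TEST_FILES = {"tests/files/bad-3-corrupt_lzma2.xz",
                       "tests/files/good-large_compressed.lzma"}

def parse_cargo_lock(text):
    """Collect {name: [versions]} from the [[package]] tables of a Cargo.lock."""
    pkgs, name, version = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if line == "[[package]]":          # start of a new table: flush the last one
            if name and version:
                pkgs.setdefault(name, []).append(version)
            name = version = None
        elif m := re.match(r'name\s*=\s*"([^"]+)"', line):
            name = m.group(1)
        elif m := re.match(r'version\s*=\s*"([^"]+)"', line):
            version = m.group(1)
    if name and version:                   # flush the final table
        pkgs.setdefault(name, []).append(version)
    return pkgs

def affected_crates(lock_text):
    """Return [(name, version)] for lock entries matching a compromised release."""
    pkgs = parse_cargo_lock(lock_text)
    return [(n, v) for n, vs in pkgs.items() for v in vs if v in AFFECTED.get(n, ())]

def backdoor_files_present(crate_members):
    """Given .crate member paths (as `tar tzf` lists them, rooted at name-version/),
    return the known backdoor test files present, relative to the crate root."""
    rels = {m.split("/", 1)[1] for m in crate_members if "/" in m}
    return sorted(rels & BACKDOOR_TEST_FILES)

# Constructed sample inputs (not taken from any real project).
SAMPLE_LOCK = """\
[[package]]
name = "lzma-sys"
version = "0.1.20"

[[package]]
name = "liblzma-sys"
version = "0.3.2"
"""
SAMPLE_MEMBERS = ["liblzma-sys-0.3.2/Cargo.toml",
                  "liblzma-sys-0.3.2/tests/files/bad-3-corrupt_lzma2.xz",
                  "liblzma-sys-0.3.2/tests/files/good-large_compressed.lzma"]

if __name__ == "__main__":
    print(affected_crates(SAMPLE_LOCK), backdoor_files_present(SAMPLE_MEMBERS))
```

A crate pulled from the registry is itself a gzipped tarball, so a real listing comes from `tar tzf liblzma-sys-0.3.2.crate` fed into backdoor_files_present.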


“The malicious test files were committed upstream, but due to the malicious build instructions not being present in the upstream repository, they were never called or executed,” Snyk said in an advisory of its own.

The backdoor in XZ Utils was discovered in late March when Microsoft engineer Andres Freund identified malicious commits to the command-line utility impacting versions 5.6.0 and 5.6.1 released in February and March 2024, respectively. The popular package is integrated into many Linux distributions.


The code commits, made by a now-suspended GitHub user named JiaT75 (aka Jia Tan), essentially made it possible to circumvent authentication controls within SSH to execute code remotely, potentially allowing the operators to take over the system.

“The overall compromise spanned over two years,” SentinelOne researchers Sarthak Misraa and Antonio Pirozzi said in an analysis published this week. “Under the alias Jia Tan, the actor began contributing to the xz project on October 29, 2021.”

“Initially, the commits were innocuous and minor. However, the actor gradually became a more active contributor to the project, steadily gaining reputation and trust within the community.”

According to Russian cybersecurity company Kaspersky, the trojanized changes take the form of a multi-stage operation.

“The source code of the build infrastructure that generated the final packages was slightly modified (by introducing an additional file build-to-host.m4) to extract the next stage script that was hidden in a test case file (bad-3-corrupt_lzma2.xz),” it said.


“These scripts in turn extracted a malicious binary component from another test case file (good-large_compressed.lzma) that was linked with the legitimate library during the compilation process to be shipped to Linux repositories.”

The payload, a shell script, is responsible for the extraction and the execution of the backdoor, which, in turn, hooks into specific functions – RSA_public_decrypt, EVP_PKEY_set1_RSA, and RSA_get0_key – that will allow it to monitor every SSH connection to the infected machine.

The primary goal of the backdoor slipped into liblzma is to manipulate Secure Shell Daemon (sshd) and monitor for commands sent by an attacker at the start of an SSH session, effectively introducing a way to achieve remote code execution.


While the early discovery of the backdoor averted what could have been a widespread compromise of the Linux ecosystem, the development is once again a sign that open-source package maintainers are being targeted by social engineering campaigns with the goal of staging software supply chain attacks.

In this case, it materialized in the form of a coordinated activity that presumably featured several sockpuppet accounts that orchestrated a pressure campaign aimed at forcing the project’s longtime maintainer to bring on board a co-maintainer to add more features and address issues.

“The flurry of open source code contributions and related pressure campaigns from previously unknown developer accounts suggests that a coordinated social engineering campaign using phony developer accounts was used to sneak malicious code into a widely used open-source project,” ReversingLabs said.

SentinelOne researchers revealed that the subtle code changes made by JiaT75 between versions 5.6.0 and 5.6.1 suggest that the modifications were engineered to enhance the backdoor’s modularity and plant more malware.

As of April 9, 2024, the source code repository associated with XZ Utils has been restored on GitHub, nearly two weeks after it was disabled for a violation of the company’s terms of service.

The attribution of the operation and the intended targets are currently unknown, although in light of the planning and sophistication behind it, the threat actor is suspected to be a state-sponsored entity.

“It’s evident that this backdoor is highly complex and employs sophisticated methods to evade detection,” Kaspersky said.

Malicious Code in XZ Utils for Linux Systems Enables Remote Code Execution
http://www.indiavpn.org/2024/04/02/malicious-code-in-xz-utils-for-linux-systems-enables-remote-code-execution/
Tue, 02 Apr 2024 14:10:23 +0000

Apr 02, 2024 | Newsroom | Firmware Security / Vulnerability


The malicious code inserted into the open-source library XZ Utils, a widely used package present in major Linux distributions, is also capable of facilitating remote code execution, a new analysis has revealed.

The audacious supply chain compromise, tracked as CVE-2024-3094 (CVSS score: 10.0), came to light last week when Microsoft engineer and PostgreSQL developer Andres Freund alerted the community to the presence of a backdoor in the data compression utility that gives remote attackers a way to sidestep secure shell authentication and gain complete access to an affected system.

XZ Utils is a command-line tool for compressing and decompressing data in Linux and other Unix-like operating systems.

The malicious code is said to have been deliberately introduced by one of the project maintainers named Jia Tan (aka Jia Cheong Tan or JiaT75) in what appears to be a meticulous attack spanning multiple years. The GitHub user account was created in 2021. The identity of the actor(s) is presently unknown.


“The threat actor started contributing to the XZ project almost two years ago, slowly building credibility until they were given maintainer responsibilities,” Akamai said in a report.

In a further act of clever social engineering, sockpuppet accounts like Jigar Kumar and Dennis Ens are believed to have been used to send feature requests and report a variety of issues in the software in order to force the original maintainer – Lasse Collin of the Tukaani Project – to add a new co-maintainer to the repository.

Enter Jia Tan, who introduced a series of changes to XZ Utils in 2023, which eventually made their way to release version 5.6.0 in February 2024. That release also harbored a sophisticated backdoor.

“As I have hinted in earlier emails, Jia Tan may have a bigger role in the project in the future,” Collin said in an exchange with Kumar in June 2022.

“He has been helping a lot off-list and is practically a co-maintainer already. 🙂 I know that not much has happened in the git repository yet but things happen in small steps. In any case some change in maintainership is already in progress at least for XZ Utils.”

The backdoor affects the XZ Utils 5.6.0 and 5.6.1 release tarballs, the latter of which contains an improved version of the same implant. Collin has since acknowledged the project’s breach, stating that both tarballs were created and signed by Jia Tan and that they had access only to the now-disabled GitHub repository.

“This is clearly a very complex state-sponsored operation with impressive sophistication and multi-year planning,” firmware security company Binarly said. “Such a complex and professionally designed comprehensive implantation framework is not developed for a one-shot operation.”


A deeper examination of the backdoor by open-source cryptographer Filippo Valsorda has also revealed that the affected versions allow specific remote attackers to send arbitrary payloads through an SSH certificate which will be executed in a manner that circumvents authentication protocols, effectively seizing control over the victim machine.

“It appears as though the backdoor is added to the SSH daemon on the vulnerable machine, enabling a remote attacker to execute arbitrary code,” Akamai said. “This means that any machine with the vulnerable package that exposes SSH to the internet is potentially vulnerable.”


Needless to say, the accidental discovery by Freund is one of the most significant supply chain attacks discovered to date and could have been a severe security disaster had the package been integrated into stable releases of Linux distributions.

“The most notable part of this supply chain attack is the extreme levels of dedication of the attacker, working more than two years to establish themselves as a legitimate maintainer, offering to pick up work in various OSS projects and committing code across multiple projects in order to avoid detection,” JFrog said.

As with the case of Apache Log4j, the incident once again highlights the reliance on open-source software and volunteer-run projects, and the consequences that could follow should they suffer a compromise or have a major vulnerability.

“The bigger ‘fix’ is for organizations to adopt tools and processes that allow them to identify signs of tampering and malicious features within both open source and commercial code used in their own development pipeline,” ReversingLabs said.

Secret Backdoor Found in XZ Utils Library, Impacts Major Linux Distros
http://www.indiavpn.org/2024/03/30/secret-backdoor-found-in-xz-utils-library-impacts-major-linux-distros/
Sat, 30 Mar 2024 06:47:08 +0000

Mar 30, 2024 | Newsroom | Linux / Supply Chain Attack


Red Hat on Friday released an “urgent security alert” warning that two versions of a popular data compression library called XZ Utils (previously LZMA Utils) have been backdoored with malicious code designed to allow unauthorized remote access.

The software supply chain compromise, tracked as CVE-2024-3094, has a CVSS score of 10.0, indicating maximum severity. It impacts XZ Utils versions 5.6.0 (released February 24) and 5.6.1 (released March 9).

“Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code,” the IBM subsidiary said in an advisory.


“This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.”

Specifically, the nefarious code baked into the library is designed to interfere with the sshd daemon process for SSH (Secure Shell) via the systemd software suite, and potentially enable a threat actor to break sshd authentication and gain unauthorized access to the system remotely “under the right circumstances.”

Microsoft security researcher Andres Freund has been credited with discovering and reporting the issue on Friday. The heavily obfuscated malicious code is said to have been introduced over a series of four commits to the Tukaani Project on GitHub by a user named JiaT75.


“Given the activity over several weeks, the committer is either directly involved or there was some quite severe compromise of their system,” Freund said. “Unfortunately the latter looks like the less likely explanation, given they communicated on various lists about the ‘fixes.’”

Microsoft-owned GitHub has since disabled the XZ Utils repository maintained by the Tukaani Project “due to a violation of GitHub’s terms of service.” There are currently no reports of active exploitation in the wild.

Evidence shows that the affected packages are only present in Fedora 41 and Fedora Rawhide, and that they do not impact Red Hat Enterprise Linux (RHEL), Debian Stable, Amazon Linux, or SUSE Linux Enterprise and Leap.


Out of an abundance of caution, Fedora Linux 40 users have been advised to downgrade to a 5.4 build. Some of the other Linux distributions impacted by the supply chain attack are below –

The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue an alert of its own, urging users to downgrade XZ Utils to an uncompromised version (e.g., XZ Utils 5.4.6 Stable).
