someone just saved the entire internet – the (yet) most sophisticated software supply chain attack on Open Source aka the xz binary blob attack on GNU Linux (CVE-2024-3094)

04.Apr.2024

crazy stuff, Cyber, Cybercrime, CyberSec / ITSec / Sicherheit / Security / SPAM, Cyberwar, internet, Open Source, OpenSource

it might be the biggest “cyber” story of the year 2024 already: buy this guy MANY MANY COFFEES! he spotted the problem via know how but also luck 😀

https://mastodon.social/@AndresFreundTec https://www.youtube.com/watch?v=LaRKIwpGPTU
it was a VERY VERY LONG and WILD COMPLEX and HIGHLY SOPHISTICATED (OBFUSCATED) OPERATION
it was spotted completely by accident from am M$ developer (?) 😀 (thanks M$ for hiring such people! 🙂
bad actor (possible a state sponsored actor) with pseudonyms “Jigar Kumar” “Jia Tan” found a burned out open source maintainer-developer and offered to help
https://www.mail-archive.com/xz-devel@tukaani.org/msg00566.html
https://www.youtube.com/watch?v=0pT-dWpmwhA

possible solutions:

mankind really has to
- value the value of Open Source
- get organized to avoid such problems in the future
- the “multi eye ball” principle worked in this case but more or less by accident, because the attack was sophisticated, long-term and highly obfuscated

how to manually start sshd:

hostnamectl; # tested on
Operating System: Debian GNU/Linux 12 (bookworm) 
Kernel: Linux 6.1.0-18-amd64
Architecture: x86-64

service ssh stop

mkdir /run/sshd; time env -i LANG=C /usr/sbin/sshd -h /etc/ssh/ssh_host_ed25519_key;
real 0m0.006s
ps uax|grep ssh

killall sshd

mkdir /run/sshd; time env -i LANG=C TERM=bla /usr/sbin/sshd -h /etc/ssh/ssh_host_ed25519_key;
real 0m0.006s
ps uax|grep ssh
killall sshd

Links:

“In the cybersecurity world, a database engineer inadvertently finding a backdoor in a core Linux feature is a little like a bakery worker who smells a freshly baked loaf of bread, senses something is off and correctly deduces that someone has tampered with the entire global yeast supply.”

https://www.nytimes.com/2024/04/03/technology/prevent-cyberattack-linux.html

“Andre’s friend discovers hacker attack This Berliner (38) has saved the Internet” (src)
very detailed info on how this backdoor “at some point an .o file is extracted and weaved into the compilation/linking process”
the CVE-2024-3094 story is EVERYWHERE
- https://www.economist.com/science-and-technology/2024/04/02/a-stealth-attack-came-close-to-compromising-the-worlds-computers
- https://www.theguardian.com/commentisfree/2024/apr/06/xz-utils-linux-malware-open-source-software-cyber-attack-andres-freund
https://robmensching.com/blog/posts/2024/03/30/a-microcosm-of-the-interactions-in-open-source-projects/
https://tukaani.org/xz-backdoor/
https://git.tukaani.org

liked this article?

only together we can create a truly free world
plz support dwaves to keep it up & running!
(yes the info on the internet is (mostly) free but beer is still not free (still have to work on that))
really really hate advertisement
contribute: whenever a solution was found, blog about it for others to find!
talk about, recommend & link to this blog and articles
thanks to all who contribute!

admin