admin
Last updated on April 8th, 2024 at 11:12 am
This week’s newsletter covers a story about an unknown attacker who infiltrated Linux over Easter, nearly gaining access to millions of computers, until one developer, mildly inconvenienced, thwarted the attempt
How did you spend your Easter bank holiday? Did you perhaps thwart a globally destructive cyber-attack? No? Well, there’s always next time!
Over the weekend, a careful and nearly successful attempt to insert a backdoor into a widely used open-source software was inadvertently thwarted :
Researchers have uncovered a malicious backdoor in a compression tool that found its way into popular Linux distributions, such as those from Red Hat and Debian.
While the backdoor was identified before the malicious versions of xz Utils were included in the production versions of Linux, it “isn’t really impacting anyone in the real world,” according to Will Dormann, a senior vulnerability analyst at security firm Analygence. “BUT that’s only because it was discovered early due to bad actor sloppiness. Had it not been discovered, it would have been catastrophic for the world.”
The attempted hack represents a “supply chain” attack, where updates to a lesser-known compression tool included in certain Linux distributions were methodically manipulated. This free and open-source operating system nearly became the entry point for a backdoor to millions of computers. It remains uncertain whether the attacker aimed for a large-scale hacking campaign or a meticulously targeted attack on a specific user. The deliberate and meticulous nature of the attack has led some to speculate about the involvement of a state actor.
The backdoor was introduced into the tool by one of its two main developers, who had been actively contributing for three years and had become one of the two official maintainers over the past two years. While there is a possibility that the account was compromised, if it was, the takeover was executed cautiously: the malicious code was gradually added over an extended period, with seemingly plausible explanations provided each time. When the final backdoored version was ready, the same user went to the developer site for a popular Linux version, requesting that it use the updated version promptly, citing critical bug fixes.
It was a narrow miss from becoming public. The compromised version was included in beta releases of three Linux distributions and, for a brief period, in the main release of Kali Linux. During this time, it could allow someone with the correct private key to establish a new encrypted connection and take full control of the machine.
So, how was this detected? A Microsoft developer, Andres Freund, became frustrated with a system’s slow performance. This frustration arose while investigating why a system running a beta version of Debian, a Linux distribution, experienced delays in encrypted connections. The delay was a mere half a second for logins. Freund noticed that login times had increased from 0.3 seconds to 0.8 seconds, prompting him to delve into the system to identify the root cause of the issue.
The notion goes: many hands make light work, and many eyes make shallow bugs. This concept, however, doesn’t always hold true. Last month, we explored the ways in which the open-source community can fall short of its ideals:
Offering software for free has numerous benefits, but it often fails to provide sustainable funding for ongoing development. Various approaches have been tried to address this issue, such as models where the software is free but support is paid, or where large companies hire maintainers of critical open-source projects. Many projects have adopted a donation or sponsorship-based model, which can be effective for complex tasks but is less suitable for simple yet widely used components.
The incident involving xz Utils underscores the risks associated with relying on volunteer efforts to support critical digital infrastructure. A overwhelmed maintainer, lacking time for a side project, was pressured into accepting help, likely from the same group using fake names. This situation nearly resulted in a serious problem for the project.
However, it also highlights the benefits of the open-source approach. Supply chain attacks, while not unique to open source, can be addressed more effectively in this environment. Unlike closed businesses like Apple or Google, where discovering and fixing such attacks is extremely challenging for third parties, the transparent nature of open-source software allows for thorough examination and identification of issues like malicious backdoors.
