Hacker superhero and sidekicks saved the Internet this Easter weekend

A bit more info. The Red Hat security alert states:

"The malicious injection present in the xz versions 5.6.0 and 5.6.1 libraries is obfuscated and only included in full in the download package - the Git distribution lacks the M4 macro that triggers the build of the malicious code. The second-stage artifacts are present in the Git repository for the injection during the build time, in case the malicious M4 macro is present.

The resulting malicious build interferes with authentication in sshd via systemd. SSH is a commonly used protocol for connecting remotely to systems, and sshd is the service that allows access. Under the right circumstances this interference could potentially enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely."
 
Sorry but it sounds more like people got lax here. You don't trust a single random person to maintain something. Even with official developers you can examine the source code and compile it yourself. Did multiple other people not compile it under the same stated conditions and realise they got a different result?
 
Sorry but it sounds more like people got lax here. You don't trust a single random person to maintain something. Even with official developers you can examine the source code and compile it yourself. Did multiple other people not compile it under the same stated conditions and realise they got a different result?
The person played the long game by submitting valid code and gaining trust and then after what sounds like a couple of years the contributor injected the malicious code
 
Sorry but it sounds more like people got lax here. You don't trust a single random person to maintain something. Even with official developers you can examine the source code and compile it yourself. Did multiple other people not compile it under the same stated conditions and realise they got a different result?
The guy was hiding the source and it was only in certain x86 builds.
 
At least show us the code git!
View attachment 1685011
Git disabled the account immediately under the terms of service that backdoor'd code is not allowed. Kinda closing the barn door thing.

When i last spoke to Lasse he was still waiting for Git to re-enable it but they won't immediately. He's working heavily on releasing 5.8.0 and getting it stable and back on Github again - this after returning from an internet break so its very much a case of being thrown into the deep end big time.

Its also not fair blame Lasse directly. He developed something for the community which, because it worked well, was picked-up and used in many many places. However as is the case with many such projects, despite being a dependency in a variety of commercial tools and systems, no one offered him funding nor help - he ran it alone for a long time. It was just trusted and used. Until the pressure to get someone to make changes caused him to look for someone and it appears that's how this nation-state-sponsored attack has occurred. They obviously knew he was looking, and so over time gained his trust under this pseudonym Jia Tan that's probably not even one person but many in the team.

A specific key must be passed with the authentication payload which if it matches, is then run on the system - otherwise it is past to the normal auth libraries and so you wouldn't know the difference. It remains very interesting to see one day what the motive was because this was long-haul attack vector with lots of patience.

Although they did get a bit urgent with commits towards the end of March, more and more were occurring as though they were aiming for a specific period but that could be hearsay.

There's already YARA rules to detect if the compromised build is on your system.

As mentioned, rolling-releases like Kali are affected but if you're running Kali and pointing SSH on it to the Internet you have bigger problems in life lol.
 
  • Like
Reactions: Jan
Git disabled the account immediately under the terms of service that backdoor'd code is not allowed. Kinda closing the barn door thing.

When i last spoke to Lasse he was still waiting for Git to re-enable it but they won't immediately. He's working heavily on releasing 5.8.0 and getting it stable and back on Github again - this after returning from an internet break so its very much a case of being thrown into the deep end big time.

Its also not fair blame Lasse directly. He developed something for the community which, because it worked well, was picked-up and used in many many places. However as is the case with many such projects, despite being a dependency in a variety of commercial tools and systems, no one offered him funding nor help - he ran it alone for a long time. It was just trusted and used. Until the pressure to get someone to make changes caused him to look for someone and it appears that's how this nation-state-sponsored attack has occurred. They obviously knew he was looking, and so over time gained his trust under this pseudonym Jia Tan that's probably not even one person but many in the team.

A specific key must be passed with the authentication payload which if it matches, is then run on the system - otherwise it is past to the normal auth libraries and so you wouldn't know the difference. It remains very interesting to see one day what the motive was because this was long-haul attack vector with lots of patience.

Although they did get a bit urgent with commits towards the end of March, more and more were occurring as though they were aiming for a specific period but that could be hearsay.

There's already YARA rules to detect if the compromised build is on your system.

As mentioned, rolling-releases like Kali are affected but if you're running Kali and pointing SSH on it to the Internet you have bigger problems in life lol.
You right. I refuse to trust Kali.
I build a container or VM with only what I need then tear it down.
All those tools on one platform? What can go wrong???
I feel for Lasse. Deserves a break.
 
  • Like
Reactions: Jan
You right. I refuse to trust Kali.
I build a container or VM with only what I need then tear it down.
All those tools on one platform? What can go wrong???
I feel for Lasse. Deserves a break.
Yeah Kali's use case is not for a permanently hosted system, its to be spun-up and used on-demand.
 
The person played the long game by submitting valid code and gaining trust and then after what sounds like a couple of years the contributor injected the malicious code
Don't trust anyone. Especially with such critical widely used systems have the parameters specified and if others can't get the same result it should be discarded. This is especially the situation that open source is supposed to avoid.
 

This video delves into the social engineering used to break the maintainer's mental state down and opened up the door for the bad actor to take over
 
Top
Sign up to the MyBroadband newsletter
X