Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   State-sponsored hackers inject malware into "XZ" library (https://forum.exetools.com/showthread.php?t=20894)

blue_devil 03-31-2024 02:46
State-sponsored hackers inject malware into "XZ" library
 
A Microsoft employee unintentionally discovered that SSH is a little slow! This triggered him to make a performance test then he realized that a guy is injected a malware into the liblzma lossless compression library.

OpenSSH doesn't need xz-utils as a dependency; but distros which -unfortunately- uses systemd have to patch OpenSSH to support systemd.

There is a long debate started and going on social media for the last 24 hours. But I want to clear one point: when hackers are from China/North Korea/Russia/Iran, infosec community immediately reveal this information. They "emphatically" say where they are from. On the other hand if the hackers are not from those countries they the hackers are only `state-sponsored`! State sponsored but which state? Nobody is talking this issue :D

Read the full mailing on Openwall:
Code:
https://www.openwall.com/lists/oss-security/2024/03/29/4
A very nice blog post from lcamtuf:
Code:
https://lcamtuf.substack.com/p/technologist-vs-spy-the-xz-backdoor
A nice thread on bird-site:
Code:
https://twitter.com/_ruby/status/1774073953440747664
If you are interested in state-sponsored-hackers, better check my toot:
Code:
https://infosec.exchange/@bluedevil/112185519485326084

chants 04-02-2024 12:21
What is absolutely ingenious is that they put the payload into a test blob as it looks like merely garbage being used for automated testing to verify liblzma. Basically an innocuous place noone would think to look or cate about. Some of the bash scripts are fascinating in this. What's interesting is that the Microsoft engineer noticed a 0.5 second delay in SSH because a mistake was made, and fir whatever reason the engineer managed to investigate and pinpoint that it is a backdoor. The whole thing is pretty amazing. Makes you wonder how many other open source projects are backdoored but noone noticed or investigated. Kind of scary.

blue_devil 04-02-2024 14:28
Quote:
Originally Posted by chants (Post 130508)
Makes you wonder how many other open source projects are backdoored but noone noticed or investigated. Kind of scary.
This is what I am talking about

If you are interested in state-sponsored-hackers. You should also read how Ken Thompson injected a virus to a compiler.

Code:
https://wiki.c2.com/?TheKenThompsonHack
From the article: "Not only did his compiler know it was compiling the login function and inject a backdoor, but it also knew when it was compiling itself and injected the backdoor generator into the compiler it was creating. The source code for the compiler thereafter contains no evidence of either virus."

NON 04-02-2024 19:25
notes, honeypot, and exploit demo for the xz backdoor (CVE-2024-3094)
 
Quote:
Originally Posted by blue_devil (Post 130490)
A Microsoft employee unintentionally discovered that SSH is a little slow! This triggered him to make a performance test then he realized that a guy is injected a malware into the liblzma lossless compression library.

OpenSSH doesn't need xz-utils as a dependency; but distros which -unfortunately- uses systemd have to patch OpenSSH to support systemd.

There is a long debate started and going on social media for the last 24 hours. But I want to clear one point: when hackers are from China/North Korea/Russia/Iran, infosec community immediately reveal this information. They "emphatically" say where they are from. On the other hand if the hackers are not from those countries they the hackers are only `state-sponsored`! State sponsored but which state? Nobody is talking this issue :D

Read the full mailing on Openwall:
Code:
https://www.openwall.com/lists/oss-security/2024/03/29/4
A very nice blog post from lcamtuf:
Code:
https://lcamtuf.substack.com/p/technologist-vs-spy-the-xz-backdoor
A nice thread on bird-site:
Code:
https://twitter.com/_ruby/status/1774073953440747664
If you are interested in state-sponsored-hackers, better check my toot:
Code:
https://infosec.exchange/@bluedevil/112185519485326084
Some more very nice informations on this:


xzbot
Quote:
https://github.com/amlweems/xzbot
Exploration of the xz backdoor (CVE-2024-3094). Includes the following:
  • honeypot: fake vulnerable server to detect exploit attempts
  • ed448 patch: patch liblzma.so to use our own ED448 public key
  • backdoor format: format of the backdoor payload
  • backdoor demo: cli to trigger the RCE assuming knowledge of the ED448 private key

wx69wx2023 04-02-2024 23:46
the xz project has been delete by github,can not be seen,this is the last soure code,you guys could analyze it.

https://od.cloudsploit.top/api/raw/?path=/temp/xz-5.6.1.tar.gz

X0rby 04-03-2024 08:22
Quote:
Originally Posted by wx69wx2023 (Post 130524)
the xz project has been delete by github,can not be seen,this is the last soure code,you gays could analyze it.

https://od.cloudsploit.top/api/raw/?path=/temp/xz-5.6.1.tar.gz
guys*‎ ‎ ‎ ‎ ‎ ‎ ‎ ‎ ‎ ‎

Souldream 04-08-2024 19:41
Quote:
Originally Posted by blue_devil (Post 130490)
There is a long debate started and going on social media for the last 24 hours. But I want to clear one point: when hackers are from China/North Korea/Russia/Iran, infosec community immediately reveal this information. They "emphatically" say where they are from. On the other hand if the hackers are not from those countries they the hackers are only `state-sponsored`! State sponsored but which state? Nobody is talking this issue :D
Because in China / Russia & North Korea ... this is far better !
Nobody is talking this issue ... ho yes in russia you can get 6 months of jail just for writting 'War' ...


All times are GMT +8. The time now is 20:30.

Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2026, vBulletin Solutions, Inc.
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX