State-sponsored hackers inject malware into "XZ" library

[blue_devil]

A Microsoft employee unintentionally discovered that SSH is a little slow! This triggered him to make a performance test then he realized that a guy is injected a malware into the liblzma lossless compression library.

OpenSSH doesn't need xz-utils as a dependency; but distros which -unfortunately- uses systemd have to patch OpenSSH to support systemd.

There is a long debate started and going on social media for the last 24 hours. But I want to clear one point: when hackers are from China/North Korea/Russia/Iran, infosec community immediately reveal this information. They "emphatically" say where they are from. On the other hand if the hackers are not from those countries they the hackers are only `state-sponsored`! State sponsored but which state? Nobody is talking this issue

Read the full mailing on Openwall:

Code:

https://www.openwall.com/lists/oss-security/2024/03/29/4

A very nice blog post from lcamtuf:

Code:

https://lcamtuf.substack.com/p/technologist-vs-spy-the-xz-backdoor

A nice thread on bird-site:

Code:

https://twitter.com/_ruby/status/1774073953440747664

If you are interested in state-sponsored-hackers, better check my toot:

Code:

https://infosec.exchange/@bluedevil/112185519485326084