#1
State-sponsored hackers inject malware into "XZ" library
A Microsoft employee unintentionally discovered that SSH was a little slow! This triggered him to run a performance test, and then he realized that a guy had injected malware into the liblzma lossless compression library.
OpenSSH doesn't need xz-utils as a dependency, but distros which (unfortunately) use systemd have to patch OpenSSH to support systemd. A long debate started on social media and has been going on for the last 24 hours. But I want to clear up one point: when hackers are from China/North Korea/Russia/Iran, the infosec community immediately reveals this information. They "emphatically" say where they are from. On the other hand, if the hackers are not from those countries, then the hackers are only `state-sponsored`! State-sponsored, but by which state? Nobody is talking about this issue.

Read the full mailing on Openwall:
https://www.openwall.com/lists/oss-security/2024/03/29/4
https://lcamtuf.substack.com/p/technologist-vs-spy-the-xz-backdoor
https://twitter.com/_ruby/status/1774073953440747664
https://infosec.exchange/@bluedevil/112185519485326084
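The post above describes the chain that made sshd exposed: sshd itself never links xz-utils, but the distro patch that adds libsystemd notification pulls liblzma into the sshd process. The script below is an added example (not from the original post, the Openwall mail, or the xz project) that turns that observation into a host triage check. It assumes the two backdoored releases are 5.6.0 and 5.6.1 as stated in the linked Openwall disclosure, and that `xz --version` and `ldd` are available; the function names and the `run` argument are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original thread or the xz project.
# Two signals are combined:
#   1. the installed liblzma is one of the two releases the backdoor shipped
#      in (5.6.0 and 5.6.1, per the Openwall disclosure linked above), and
#   2. the local sshd actually maps liblzma (on most distros only through the
#      libsystemd notify patch mentioned above; without that mapping the
#      payload never runs inside sshd).
# "Affected" on both is a strong reason to pull the host and rebuild it,
# not proof of compromise on its own; a patched/backported build with the
# same version string, or a static sshd, would need a byte-level check.

# Return 0 when the version string is one of the backdoored releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Read `xz --version` output on stdin and print the liblzma version.
# The output is "xz (XZ Utils) X.Y.Z" followed by "liblzma X.Y.Z"; the second
# line is the shared object sshd would map, so that is the one reported.
parse_liblzma_version() {
    awk '/^liblzma/ { print $2; exit }'
}

# Read `ldd /path/to/sshd` output on stdin; return 0 if liblzma is linked.
# Taking the text on stdin lets the check run on captured output as well.
sshd_links_liblzma() {
    grep -q 'liblzma\.so'
}

# Evaluate the current host. Prints one line and returns
# 0 = looks affected, 1 = looks unaffected, 2 = could not determine.
check_host() {
    ver="$(xz --version 2>/dev/null | parse_liblzma_version)"
    if [ -z "$ver" ]; then
        echo "undetermined: xz not found"
        return 2
    fi

    sshd_path="$(command -v sshd 2>/dev/null)"
    if [ -z "$sshd_path" ]; then
        echo "undetermined: sshd not found (liblzma $ver)"
        return 2
    fi

    if xz_version_affected "$ver" && ldd "$sshd_path" 2>/dev/null | sshd_links_liblzma; then
        echo "AFFECTED: liblzma $ver is mapped into $sshd_path"
        return 0
    fi
    echo "not affected by version/linkage check (liblzma $ver)"
    return 1
}

# Only touch the live host when invoked as `sh xzcheck.sh run`, so the
# functions can be sourced and exercised on captured output separately.
case "${1:-}" in
    run) check_host ;;
esac
```

Run it as `sh xzcheck.sh run` on each host. The Openwall mail linked above also gives a byte-pattern check on the liblzma object itself; that is the more reliable test when a distro has rebuilt or renamed the library, and this version/linkage pass is the cheap first filter before it.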
#2
What is absolutely ingenious is that they put the payload into a test blob, as it looks like merely garbage being used for automated testing to verify liblzma. Basically an innocuous place no one would think to look at or care about. Some of the bash scripts in this are fascinating. What's interesting is that the Microsoft engineer noticed a 0.5 second delay in SSH because a mistake was made, and for whatever reason the engineer managed to investigate and pinpoint that it is a backdoor. The whole thing is pretty amazing. Makes you wonder how many other open source projects are backdoored but no one noticed or investigated. Kind of scary.
#3
If you are interested in state-sponsored hackers, you should also read how Ken Thompson injected a virus into a compiler:
https://wiki.c2.com/?TheKenThompsonHack
#4
xzbot: notes, honeypot, and exploit demo for the xz backdoor (CVE-2024-3094)
#5
The xz project has been deleted by GitHub and cannot be seen. This is the last source code; you guys could analyze it.
https://od.cloudsploit.top/api/raw/?path=/temp/xz-5.6.1.tar.gz
#6
guys*
#7
Quote:
Nobody is talking about this issue
... oh yes, in Russia you can get 6 months of jail just for writing 'War' ...
Tags: liblzma, state sponsored hackers, trojan, xz lossless compression