Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 03-31-2024, 02:46
blue_devil's Avatar
blue_devil blue_devil is offline
Family
 
Join Date: Dec 2011
Location: Observable Universe
Posts: 295
Rept. Given: 62
Rept. Rcvd 50 Times in 23 Posts
Thanks Given: 269
Thanks Rcvd at 423 Times in 141 Posts
blue_devil Reputation: 50
State-sponsored hackers inject malware into "XZ" library

A Microsoft employee unintentionally discovered that SSH is a little slow! This triggered him to make a performance test then he realized that a guy is injected a malware into the liblzma lossless compression library.

OpenSSH doesn't need xz-utils as a dependency; but distros which -unfortunately- uses systemd have to patch OpenSSH to support systemd.

There is a long debate started and going on social media for the last 24 hours. But I want to clear one point: when hackers are from China/North Korea/Russia/Iran, infosec community immediately reveal this information. They "emphatically" say where they are from. On the other hand if the hackers are not from those countries they the hackers are only `state-sponsored`! State sponsored but which state? Nobody is talking this issue

Read the full mailing on Openwall:
Code:
https://www.openwall.com/lists/oss-security/2024/03/29/4
A very nice blog post from lcamtuf:
Code:
https://lcamtuf.substack.com/p/technologist-vs-spy-the-xz-backdoor
A nice thread on bird-site:
Code:
https://twitter.com/_ruby/status/1774073953440747664
If you are interested in state-sponsored-hackers, better check my toot:
Code:
https://infosec.exchange/@bluedevil/112185519485326084
Reply With Quote
The Following User Gave Reputation+1 to blue_devil For This Useful Post:
Fyyre (04-11-2024)
The Following 4 Users Say Thank You to blue_devil For This Useful Post:
chants (04-02-2024), darkBLACK (04-09-2024), Fyyre (04-11-2024), traf0 (04-01-2024)
  #2  
Old 04-02-2024, 12:21
chants chants is offline
VIP
 
Join Date: Jul 2016
Posts: 774
Rept. Given: 42
Rept. Rcvd 50 Times in 31 Posts
Thanks Given: 691
Thanks Rcvd at 1,090 Times in 498 Posts
chants Reputation: 50
What is absolutely ingenious is that they put the payload into a test blob as it looks like merely garbage being used for automated testing to verify liblzma. Basically an innocuous place noone would think to look or cate about. Some of the bash scripts are fascinating in this. What's interesting is that the Microsoft engineer noticed a 0.5 second delay in SSH because a mistake was made, and fir whatever reason the engineer managed to investigate and pinpoint that it is a backdoor. The whole thing is pretty amazing. Makes you wonder how many other open source projects are backdoored but noone noticed or investigated. Kind of scary.
Reply With Quote
The Following 2 Users Say Thank You to chants For This Useful Post:
blue_devil (04-02-2024), uranus64 (04-02-2024)
  #3  
Old 04-02-2024, 14:28
blue_devil's Avatar
blue_devil blue_devil is offline
Family
 
Join Date: Dec 2011
Location: Observable Universe
Posts: 295
Rept. Given: 62
Rept. Rcvd 50 Times in 23 Posts
Thanks Given: 269
Thanks Rcvd at 423 Times in 141 Posts
blue_devil Reputation: 50
Quote:
Originally Posted by chants View Post
Makes you wonder how many other open source projects are backdoored but noone noticed or investigated. Kind of scary.
This is what I am talking about

If you are interested in state-sponsored-hackers. You should also read how Ken Thompson injected a virus to a compiler.

Code:
https://wiki.c2.com/?TheKenThompsonHack
From the article: "Not only did his compiler know it was compiling the login function and inject a backdoor, but it also knew when it was compiling itself and injected the backdoor generator into the compiler it was creating. The source code for the compiler thereafter contains no evidence of either virus."
Reply With Quote
The Following 2 Users Say Thank You to blue_devil For This Useful Post:
chants (04-02-2024), NON (04-02-2024)
  #4  
Old 04-02-2024, 19:25
NON NON is offline
Banned User
 
Join Date: Sep 2023
Posts: 77
Rept. Given: 3
Rept. Rcvd 2 Times in 2 Posts
Thanks Given: 33
Thanks Rcvd at 21 Times in 16 Posts
NON Reputation: 2
notes, honeypot, and exploit demo for the xz backdoor (CVE-2024-3094)

Quote:
Originally Posted by blue_devil View Post
A Microsoft employee unintentionally discovered that SSH is a little slow! This triggered him to make a performance test then he realized that a guy is injected a malware into the liblzma lossless compression library.

OpenSSH doesn't need xz-utils as a dependency; but distros which -unfortunately- uses systemd have to patch OpenSSH to support systemd.

There is a long debate started and going on social media for the last 24 hours. But I want to clear one point: when hackers are from China/North Korea/Russia/Iran, infosec community immediately reveal this information. They "emphatically" say where they are from. On the other hand if the hackers are not from those countries they the hackers are only `state-sponsored`! State sponsored but which state? Nobody is talking this issue

Read the full mailing on Openwall:
Code:
https://www.openwall.com/lists/oss-security/2024/03/29/4
A very nice blog post from lcamtuf:
Code:
https://lcamtuf.substack.com/p/technologist-vs-spy-the-xz-backdoor
A nice thread on bird-site:
Code:
https://twitter.com/_ruby/status/1774073953440747664
If you are interested in state-sponsored-hackers, better check my toot:
Code:
https://infosec.exchange/@bluedevil/112185519485326084
Some more very nice informations on this:


xzbot
Quote:
https://github.com/amlweems/xzbot
Exploration of the xz backdoor (CVE-2024-3094). Includes the following:
  • honeypot: fake vulnerable server to detect exploit attempts
  • ed448 patch: patch liblzma.so to use our own ED448 public key
  • backdoor format: format of the backdoor payload
  • backdoor demo: cli to trigger the RCE assuming knowledge of the ED448 private key
Reply With Quote
  #5  
Old 04-02-2024, 23:46
wx69wx2023 wx69wx2023 is offline
Friend
 
Join Date: Sep 2023
Posts: 66
Rept. Given: 2
Rept. Rcvd 20 Times in 8 Posts
Thanks Given: 71
Thanks Rcvd at 223 Times in 48 Posts
wx69wx2023 Reputation: 20
the xz project has been delete by github,can not be seen,this is the last soure code,you guys could analyze it.

https://od.cloudsploit.top/api/raw/?path=/temp/xz-5.6.1.tar.gz

Last edited by wx69wx2023; 04-03-2024 at 13:05.
Reply With Quote
The Following User Says Thank You to wx69wx2023 For This Useful Post:
Fyyre (04-11-2024)
  #6  
Old 04-03-2024, 08:22
X0rby X0rby is offline
Friend
 
Join Date: May 2023
Location: https://forum.tuts4you.com/profile/133976-x0rby/
Posts: 9
Rept. Given: 0
Rept. Rcvd 3 Times in 3 Posts
Thanks Given: 17
Thanks Rcvd at 9 Times in 6 Posts
X0rby Reputation: 3
Quote:
Originally Posted by wx69wx2023 View Post
the xz project has been delete by github,can not be seen,this is the last soure code,you gays could analyze it.

https://od.cloudsploit.top/api/raw/?path=/temp/xz-5.6.1.tar.gz
guys*‎ ‎ ‎ ‎ ‎ ‎ ‎ ‎ ‎ ‎
Reply With Quote
The Following User Says Thank You to X0rby For This Useful Post:
wx69wx2023 (04-03-2024)
  #7  
Old 04-08-2024, 19:41
Souldream Souldream is offline
Friend
 
Join Date: Sep 2023
Posts: 4
Rept. Given: 0
Rept. Rcvd 2 Times in 1 Post
Thanks Given: 2
Thanks Rcvd at 6 Times in 1 Post
Souldream Reputation: 2
Quote:
Originally Posted by blue_devil View Post
There is a long debate started and going on social media for the last 24 hours. But I want to clear one point: when hackers are from China/North Korea/Russia/Iran, infosec community immediately reveal this information. They "emphatically" say where they are from. On the other hand if the hackers are not from those countries they the hackers are only `state-sponsored`! State sponsored but which state? Nobody is talking this issue
Because in China / Russia & North Korea ... this is far better !
Nobody is talking this issue ... ho yes in russia you can get 6 months of jail just for writting 'War' ...
Reply With Quote
Reply

Tags
liblzma, state sponsored hackers, trojan, xz lossless compression

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



All times are GMT +8. The time now is 13:36.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )