From 2da56f2f1e14467004fdc142d6cc2bdd1d9dc975 Mon Sep 17 00:00:00 2001 From: zerb4t <117054988+zerb4t@users.noreply.github.com> Date: Sat, 27 Apr 2024 19:22:08 -0700 Subject: [PATCH 1/2] compromises: xz backdoor Signed-off-by: zerb4t <117054988+zerb4t@users.noreply.github.com> --- supply-chain-security/compromises/2024/xz.md | 55 ++++++++++++++++++++ supply-chain-security/compromises/README.md | 1 + 2 files changed, 56 insertions(+) create mode 100644 supply-chain-security/compromises/2024/xz.md diff --git a/supply-chain-security/compromises/2024/xz.md b/supply-chain-security/compromises/2024/xz.md new file mode 100644 index 000000000..6fec7a9c5 --- /dev/null +++ b/supply-chain-security/compromises/2024/xz.md 
@@ -0,0 +1,55 @@ + + +# Malicious maintainer introduces sophisticated backdoor in xz + +A backdoor was introduced in `xz`, a compression tool integral to various +Linux distributions. Over the course of several years, a malicious actor +or actors attained maintainer status and implanted a sophisticated, +multi-stage backdoor that relied on the specific build processes of `xz` +to activate, resulting in a modified `liblzma` library that can be used +by any software linked against this library. + +## Impact + +The backdoor was discovered on March 28, 2024, specifically in versions +5.6.0 and 5.6.1 of the XZ Utils package, and was assigned CVE-2024-3094. + +The compromised package was distributed across several Linux distributions +including Fedora, Debian, Kali Linux, openSUSE, Arch Linux, and various +package managers like Homebrew and pkgsrc. + +The apparent goal of this backdoor was to enable remote code execution +via `sshd` on affected systems by intercepting the `RSA_public_decrypt()` +function, looking for an attacker controlled key, and executing the payload +via `system()` function. + +This incident achieved mainstream media coverage, driving further recognition +of the threats involved in exploiting trust and lack of visibility into +maintainer activities. + +The initial response guidance involved rolling back the version of `xz`, +but this proved difficult in some ecosystems which had to intervene to +create epochs. Also, for a number of days after the disclosure, the `xz` +repository on GitHub was disabled which made it more cumbersome for the +public to research what had happened. + +## Type of compromise + +While rooted on a malicious maintainer that attained this status by a +long-term effort by an actor or actors to subvert the project, this incident +also exhibits some attack chaining characteristics including the exploitation +of trusted build and distribution mechanisms to deploy the backdoor. 
From +the [Cloud Security Alliance](https://cloudsecurityalliance.org/blog/2024/04/25/navigating-the-xz-utils-vulnerability-cve-2024-3094-a-comprehensive-guide) +report: + +> The backdoor was deliberately concealed by the developer. It gets incorporated +into the binary during the RPM or DEB packaging process for x86-64 architecture, +using gcc and gnu linker, under the guise of a "test" step. + +## References + +- +- +- +- +- diff --git a/supply-chain-security/compromises/README.md b/supply-chain-security/compromises/README.md index 5fd3bfc7e..ae04dd704 100644 --- a/supply-chain-security/compromises/README.md +++ b/supply-chain-security/compromises/README.md @@ -30,6 +30,7 @@ of compromise needs added, please include that as well. | Name | Year | Type of compromise | Link | | ----------------- | ------------------ | ------------------ | ----------- | +| [xz backdoor incident](2024/xz.md) | 2024 | Malicious Maintainer | [1](https://cloudsecurityalliance.org/blog/2024/04/25/navigating-the-xz-utils-vulnerability-cve-2024-3094-a-comprehensive-guide) | | [ManageEngine xmlsec dependency](2023/xmlsec-manageengine.md) | 2023 | Outdated Dependencies | [1](ttps://flashpoint.io/blog/manageengine-apache-santuario-cve-2022-47966) | | [Retool Spear Phishing](2023/retool-portal-mfa.md) | 2023 | Dev Tooling | [1](https://www.coindesk.com/business/2023/09/13/phishing-attack-on-cloud-provider-with-fortune-500-clients-led-to-15m-crypto-theft-from-fortress-trust/) | | [Fake Dependabot commits](2023/fake-dependabot.md) | 2023 | Source Code | [1](https://checkmarx.com/blog/surprise-when-dependabot-contributes-malicious-code/) | From 59dfbc061ee48765339250785c2b2ea54d0e41bb Mon Sep 17 00:00:00 2001 From: zerb4t <117054988+zerb4t@users.noreply.github.com> Date: Sat, 27 Apr 2024 19:23:07 -0700 Subject: [PATCH 2/2] compromises: switching link in 2019 monero to archive 
Signed-off-by: zerb4t <117054988+zerb4t@users.noreply.github.com> --- supply-chain-security/compromises/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/supply-chain-security/compromises/README.md b/supply-chain-security/compromises/README.md index ae04dd704..5d6b123a7 100644 --- a/supply-chain-security/compromises/README.md +++ b/supply-chain-security/compromises/README.md 
@@ -62,7 +62,7 @@ of compromise needs added, please include that as well. | [Abusing misconfigured SonarQube applications](2020/sonarqube.md) | 2020 | Dev Tooling | [1](https://www.zdnet.com/article/fbi-hackers-stole-source-code-from-us-government-agencies-and-private-companies/), [2](https://www.ic3.gov/Media/News/2020/201103-3.pdf) | | [Octopus Scanner](2020/octopus_scanner.md) | 2020 | Dev Tooling | [1](https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain),[2](https://threatpost.com/octopus-scanner-tentacles-github-repositories/156204/) | | [NPM reverse shells and data mining](2020/nodejs.md) | 2020 | Dev Tooling | [1](https://www.bleepingcomputer.com/news/security/npm-nukes-nodejs-malware-opening-windows-linux-reverse-shells/) | -| [Binaries of the CLI for `monero` compromised](2019/monero.md) | 2019 | Publishing Infrastructure | [1](https://web.getmonero.org/2019/11/19/warning-compromised-binaries.html), [2](https://github.com/monero-project/monero/issues/6151), [3](https://old.reddit.com/r/Monero/comments/dyfozs/security_warning_cli_binaries_available_on/) | +| [Binaries of the CLI for `monero` compromised](2019/monero.md) | 2019 | Publishing Infrastructure | [1](https://web.getmonero.org/2019/11/19/warning-compromised-binaries.html), [2](https://github.com/monero-project/monero/issues/6151), [3](https://web.archive.org/web/20230630012925/https://old.reddit.com/r/Monero/comments/dyfozs/security_warning_cli_binaries_available_on/) | | [Webmin backdoor](2019/webmin-backdoor.md) | 2019 | Dev Tooling | [1](https://www.zdnet.com/article/backdoor-found-in-webmin-a-popular-web-based-utility-for-managing-unix-servers/), [2](http://www.webmin.com/exploit.html) | | [purescript-npm](2019/purescript-npm.md) | 2019 | Source Code | [1](https://www.npmjs.com/advisories/1082) and [2](https://www.npmjs.com/advisories/1082) | | [electron-native-notify](2019/electron-native-notify.md) | 2019 | Source Code | 
[1](https://blog.npmjs.org/post/185397814280/plot-to-steal-cryptocurrency-foiled-by-the-npm), [2](https://komodoplatform.com/update-agama-vulnerability/)|
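Review bot: In the new `supply-chain-security/compromises/2024/xz.md` hunk, the five bullets under `## References` are empty as shown (each is a bare `- ` with nothing after it), so the write-up cites nothing a reader can follow even though the Impact section names a CVE and several affected distributions; give each bullet a link plus a short title, or drop the section until sources are in hand. Smaller points in the same file: it opens with two blank lines before the `#` heading, "attacker controlled key" wants a hyphen, and "via `system()` function" and "rooted on a malicious maintainer" read better as "via the `system()` function" and "rooted in a malicious maintainer".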
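Review bot: The new `xz backdoor incident` row in `supply-chain-security/compromises/README.md` cites only the Cloud Security Alliance blog post in its Link column, which is a secondary summary; neighbouring rows carry two or three sources, so consider adding the primary disclosure alongside it. Unrelated to this change but visible in the hunk's context: the `ManageEngine xmlsec dependency` row's link reads `ttps://flashpoint.io/...`, missing the leading `h`, and is worth fixing in a follow-up.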
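Review bot: Replacing the Reddit link in the `monero` row with a `web.archive.org` snapshot is reasonable for a thread that may disappear, but the commit message should say why (was the original dead, or had its content changed?), and keeping the live URL next to the archived one, as `[3]` and `[4]`, preserves provenance for readers who want the current thread. Also visible in this hunk's context and not part of this change: the `purescript-npm` row's `[1]` and `[2]` both point to `https://www.npmjs.com/advisories/1082`, and the `Octopus Scanner` row is missing a space after the comma between its two links.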