compromises: xz backdoor

supply-chain-security/compromises/2024/xz.md

@@ -0,0 +1,55 @@
+<!-- cspell:ignore pkgsrc -->
+
+# Malicious maintainer introduces sophisticated backdoor in xz
+
+A backdoor was introduced in `xz`, a compression tool integral to various
+Linux distributions. Over the course of several years, a malicious actor
+or actors attained maintainer status and implanted a sophisticated,
+multi-stage backdoor that relied on the specific build processes of `xz`
+to activate, resulting in a modified `liblzma` library that can be used
+by any software linked against this library.
+
+## Impact
+
+The backdoor was discovered on March 28, 2024, specifically in versions
+5.6.0 and 5.6.1 of the XZ Utils package, and was assigned CVE-2024-3094.
+
+The compromised package was distributed across several Linux distributions
+including Fedora, Debian, Kali Linux, openSUSE, Arch Linux, and various
+package managers like Homebrew and pkgsrc.
+
+The apparent goal of this backdoor was to enable remote code execution
+via `sshd` on affected systems by intercepting the `RSA_public_decrypt()`
+function, looking for an attacker controlled key, and executing the payload
+via `system()` function.
+
+This incident achieved mainstream media coverage, driving further recognition
+of the threats involved in exploiting trust and lack of visibility into
+maintainer activities.
+
+The initial response guidance involved rolling back the version of `xz`,
+but this proved difficult in some ecosystems which had to intervene to
+create epochs. Also, for a number of days after the disclosure, the `xz`
+repository on GitHub was disabled which made it more cumbersome for the
+public to research what had happened.
+
+## Type of compromise
+
+While rooted on a malicious maintainer that attained this status by a
+long-term effort by an actor or actors to subvert the project, this incident
+also exhibits some attack chaining characteristics including the exploitation
+of trusted build and distribution mechanisms to deploy the backdoor. From
+the [Cloud Security Alliance](https://cloudsecurityalliance.org/blog/2024/04/25/navigating-the-xz-utils-vulnerability-cve-2024-3094-a-comprehensive-guide)
+report:
+
+> The backdoor was deliberately concealed by the developer. It gets incorporated
+into the binary during the RPM or DEB packaging process for x86-64 architecture,
+using gcc and gnu linker, under the guise of a "test" step.
+
+## References
+
+- <https://myrror.security/the-xz-attack-a-software-supply-chain-earthquake/>
+- <https://securitylabs.datadoghq.com/articles/xz-backdoor-cve-2024-3094/>
+- <https://securelist.com/xz-backdoor-story-part-1/112354/>
+- <https://medium.com/checkmarx-security/backdoor-in-xz-impacting-multiple-linux-distros-074e86989725>
+- <https://cloudsecurityalliance.org/blog/2024/04/25/navigating-the-xz-utils-vulnerability-cve-2024-3094-a-comprehensive-guide>

supply-chain-security/compromises/README.md

@@ -30,6 +30,7 @@ of compromise needs added, please include that as well.
 <!-- cSpell:disable -->
 | Name              | Year               | Type of compromise    | Link        |
 | ----------------- | ------------------ | ------------------    | ----------- |
+| [xz backdoor incident](2024/xz.md) | 2024 | Malicious Maintainer | [1](https://cloudsecurityalliance.org/blog/2024/04/25/navigating-the-xz-utils-vulnerability-cve-2024-3094-a-comprehensive-guide) |
 | [ManageEngine xmlsec dependency](2023/xmlsec-manageengine.md) | 2023 | Outdated Dependencies | [1](ttps://flashpoint.io/blog/manageengine-apache-santuario-cve-2022-47966) |
 | [Retool Spear Phishing](2023/retool-portal-mfa.md) | 2023 | Dev Tooling | [1](https://www.coindesk.com/business/2023/09/13/phishing-attack-on-cloud-provider-with-fortune-500-clients-led-to-15m-crypto-theft-from-fortress-trust/) |
 | [Fake Dependabot commits](2023/fake-dependabot.md) | 2023 | Source Code | [1](https://checkmarx.com/blog/surprise-when-dependabot-contributes-malicious-code/) |
@@ -61,7 +62,7 @@ of compromise needs added, please include that as well.
 | [Abusing misconfigured SonarQube applications](2020/sonarqube.md) | 2020 | Dev Tooling | [1](https://www.zdnet.com/article/fbi-hackers-stole-source-code-from-us-government-agencies-and-private-companies/), [2](https://www.ic3.gov/Media/News/2020/201103-3.pdf) |
 | [Octopus Scanner](2020/octopus_scanner.md) | 2020 | Dev Tooling | [1](https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain),[2](https://threatpost.com/octopus-scanner-tentacles-github-repositories/156204/) |
 | [NPM reverse shells and data mining](2020/nodejs.md) | 2020 | Dev Tooling | [1](https://www.bleepingcomputer.com/news/security/npm-nukes-nodejs-malware-opening-windows-linux-reverse-shells/) |
-| [Binaries of the CLI for `monero` compromised](2019/monero.md) | 2019 | Publishing Infrastructure | [1](https://web.getmonero.org/2019/11/19/warning-compromised-binaries.html), [2](https://github.com/monero-project/monero/issues/6151), [3](https://old.reddit.com/r/Monero/comments/dyfozs/security_warning_cli_binaries_available_on/) |
+| [Binaries of the CLI for `monero` compromised](2019/monero.md) | 2019 | Publishing Infrastructure | [1](https://web.getmonero.org/2019/11/19/warning-compromised-binaries.html), [2](https://github.com/monero-project/monero/issues/6151), [3](https://web.archive.org/web/20230630012925/https://old.reddit.com/r/Monero/comments/dyfozs/security_warning_cli_binaries_available_on/) |
 | [Webmin backdoor](2019/webmin-backdoor.md) | 2019 | Dev Tooling | [1](https://www.zdnet.com/article/backdoor-found-in-webmin-a-popular-web-based-utility-for-managing-unix-servers/), [2](http://www.webmin.com/exploit.html) |
 | [purescript-npm](2019/purescript-npm.md) | 2019 | Source Code | [1](https://www.npmjs.com/advisories/1082) and [2](https://www.npmjs.com/advisories/1082) |
 | [electron-native-notify](2019/electron-native-notify.md) | 2019 | Source Code | [1](https://blog.npmjs.org/post/185397814280/plot-to-steal-cryptocurrency-foiled-by-the-npm), [2](https://komodoplatform.com/update-agama-vulnerability/)|