Inside the failed attempt to backdoor SSH globally — that got caught by chance
A few days ago, a toot on Mastodon from Andres, a PostgreSQL developer, caught my attention:
Wait, what?!
What happened here is now well documented elsewhere, so I shall not recap it much. Essentially, somebody appears to have hijacked the open source XZ project by social engineering its volunteer maintainer, who had cited mental health issues, into handing over maintainer access. They then used XZ Utils' liblzma library to piggyback into sshd: on Linux distributions that patch OpenSSH to link libsystemd, libsystemd in turn loads liblzma, so the trojaned library ends up inside the sshd process, where it can hook sshd.
The trojan allows somebody holding the right private key to hijack sshd and execute commands, amongst other functions. It is highly advanced.
OpenSSH runs on almost 20 million IPs as of today, and is almost 10 times more prevalent than RDP (Remote Desktop Protocol). Had this backdoor reached widely deployed stable releases, the consequences would have been severe.
The backdoor uses a five-stage loader to hide itself, and includes an extension mechanism: future payloads can be placed in extra files without modifying the XZ code changes already committed.
These changes were committed to GitHub back in February, and made their way into test releases of Debian, Fedora and Kali Linux. Nobody noticed the problem. Additionally, a request was opened to make the threat actor a Linux kernel module maintainer for XZ Embedded.
Q&A
Do I need to panic? No. As an assurance piece, organisations can check they aren't running the latest unstable (testing) releases of Debian and Fedora — but they very likely aren't.
Andres caught the problem — which has allowed it to be evicted from the Linux distribution ecosystem before any stable releases shipped.
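As an added example, not code from the article nor from any distribution's advisory, here is a small POSIX shell script for the two checks a practitioner would actually run on a host: is the installed xz one of the backdoored upstream releases, and does sshd link liblzma at all (the sshd to libsystemd to liblzma load path described above). The release numbers 5.6.0 and 5.6.1 are taken from the public advisories (CVE-2024-3094), not from this article, and are an assumption of the script; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the article): quick host checks for the xz backdoor.
# Assumptions, from public advisories rather than the article: the backdoored
# upstream releases are xz/liblzma 5.6.0 and 5.6.1, and the load path into sshd
# is sshd -> libsystemd -> liblzma, so an sshd that does not link liblzma at all
# is not reachable via that path.

# Pure check: is this upstream version string a backdoored release?
# Returns 0 (shell "true") for 5.6.0 / 5.6.1, 1 otherwise.
xz_version_is_backdoored() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Pull the first x.y.z version token out of `xz --version` style output, e.g.
# "xz (XZ Utils) 5.6.1" or "liblzma 5.6.1". Prints the version, or nothing
# if no version token is present.
parse_xz_version() {
    printf '%s\n' "$1" \
      | sed -n 's/.*[^0-9.]\([0-9]\{1,\}\.[0-9]\{1,\}\.[0-9]\{1,\}\).*/\1/p' \
      | head -n 1
}

# Does the sshd binary (argument, or the one on PATH) link liblzma, directly
# or via libsystemd? Returns 0 if liblzma appears in its shared-library
# dependencies, 1 if not (including when sshd or ldd is missing).
sshd_links_liblzma() {
    bin="${1:-$(command -v sshd 2>/dev/null)}"
    [ -n "$bin" ] && [ -x "$bin" ] || return 1
    command -v ldd >/dev/null 2>&1 || return 1
    ldd "$bin" 2>/dev/null | grep -q 'liblzma'
}

# Host-level summary. Prints findings; returns 0 if nothing suspicious, 1 otherwise.
check_host() {
    rc=0
    if command -v xz >/dev/null 2>&1; then
        v=$(parse_xz_version "$(xz --version 2>/dev/null)")
        if xz_version_is_backdoored "$v"; then
            echo "xz $v installed: backdoored upstream release"
            rc=1
        else
            echo "xz ${v:-unknown} installed: not a backdoored release number"
        fi
    else
        echo "xz not found on PATH"
    fi
    if sshd_links_liblzma; then
        echo "sshd links liblzma: the sshd -> libsystemd -> liblzma path exists on this host"
    else
        echo "sshd does not link liblzma (or sshd/ldd not present): not exposed via that path"
    fi
    return $rc
}

# Run the summary when the file is executed as a script.
check_host
```

The version check is deliberately a pure function so it can be pointed at package-manager output as well: on Debian derivatives the installed library version comes from `dpkg -s liblzma5`, on Fedora from `rpm -q xz-libs`, and the distribution package version, not `xz --version`, is the authoritative answer when a distro has shipped a patched or downgraded build. An sshd that does not link liblzma is not reachable through the path described in the article, but that says nothing about other binaries that load the trojaned library, so treat a backdoored version number as the finding regardless of what sshd links.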
How did Andres find the problem? Well, let us go to Andres: