A treacherous threat in the open-source world: how a patient attack could have compromised global internet security

12. 04. 2024 | Natalie Bezděková

A German programmer, Andres Freund, stumbled upon a peculiar inconsistency during routine performance testing. His curiosity led him to the release files of a compression tool, in which an unknown attacker had hidden a backdoor.

In our daily internet usage, we often overlook its fragile structure. If it were an aircraft, you might hesitate to board: each wing from a different manufacturer, an engine borrowed from a rocket plane, and a chassis held together by duct tape. This “improvised” nature of the internet shouldn’t surprise anyone who has been programming lately. It’s a patchwork of many different libraries, each dependent on others. In many ways, that is an advantage. It allows you to experiment with new things and rapidly develop your own products without reinventing the wheel. This is one of the key ideas of the open-source movement: rather than developing complex solutions from scratch, one can use proven solutions maintained transparently by a global community. So when you use such solutions, the promise is that the code has been reviewed by dozens of people and tested in practice by millions of users.

Unexpectedly Sophisticated Attack

How would you sneak an attack into an ecosystem that is scrutinized from above and below, and from there into the global internet architecture? You would have to build your credibility over time, contributing usefully and for free to seemingly insignificant programs… And then, let’s say, add something even less conspicuous to one of those tiny programs, disguised as test files.

And that’s exactly what seems to have happened recently. The planned attack targeted XZ Utils, an open-source tool for fast lossless compression. It’s a relatively small library that does nothing flashy or groundbreaking. However, it’s pulled in by a number of larger projects, and on several Linux distributions that includes the OpenSSH server, the standard tool for encrypted remote access: those distributions patch sshd to link against systemd’s notification library, which in turn loads the xz library, liblzma. SSH is also an open-source project, but it’s much larger and infinitely more important. It’s used by network administrators worldwide and serves as the foundation for other applications. If an attacker managed to sneak a “backdoor” into the SSH server, it could have been “the biggest cyberattack in history,” according to some.

German programmer Andres Freund didn’t have “stopping a global attack” in his job description. As part of his work at Microsoft, he contributes to the development of the open-source PostgreSQL project. By the way, Microsoft has been one of the biggest contributors to open-source systems for some time now. GitHub, the popular platform for coordinating the development of many open-source projects, has been owned by Microsoft since 2018.

Coincidence and Diligence

During fairly routine performance testing on a Debian test system, Freund noticed a minor inconsistency. Failed SSH logins were consuming noticeably more CPU time than he remembered. After a bit of digging, he traced it to the unusual behavior of the XZ Utils library.

“The difference was actually very small, just about one or two percent,” Freund explained later. Profiling showed the extra time being spent inside liblzma, the xz compression library, even though nothing about an SSH login should have required xz/liblzma to be called at all.

He eventually found the specific code responsible for this. And in it, a so-called backdoor. The backdoor had been hidden by an unknown attacker in XZ Utils versions 5.6.0 and 5.6.1, Freund warned on March 29; the issue was assigned CVE-2024-3094.

“As soon as it became clear that it was a malicious backdoor, it was like time stood still,” Freund described. “I started investigating. Initially, I thought it only applied to the Debian system. So I started sending them warnings. But then I found out it applied to everyone. Absolutely everyone. I reported it immediately, and coordination began on what to do next.”

If the backdoor had remained in the program and spread, whoever held the matching private key (the attacker, or anyone they shared it with) could have connected to an affected SSH server and, without ever logging in, had it execute arbitrary commands with root privileges. Essentially, any attack.
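As an added example (not part of the original article, nor code from the xz or OpenSSH projects), here is the kind of check an administrator could have run once the affected version numbers were published. It assumes the dependency chain that made sshd exposed on Debian- and Fedora-derived systems: a distribution patch links sshd against libsystemd, which loads liblzma. The helper functions take strings and return an exit status, so they can be exercised with constructed input; the probing of the live machine at the bottom is best effort.

```shell
# Added example, not code from the article or from the xz/OpenSSH projects.
# Two questions a sysadmin asked in March 2024:
#   1. Is the installed xz one of the backdoored releases, 5.6.0 or 5.6.1?
#   2. Does this machine's sshd load liblzma at all? Upstream OpenSSH does not;
#      on Debian- and Fedora-derived systems a distribution patch links sshd
#      against libsystemd, which in turn loads liblzma. That chain is the
#      assumption behind the second check.

# Exit 0 if a version string names a backdoored release.
# Accepts "5.6.1" or the first line of `xz --version` ("xz (XZ Utils) 5.6.1").
xz_version_affected() {
    v=${1##* }                     # keep the last whitespace-separated field
    case "$v" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Exit 0 if a block of `ldd` output shows liblzma being loaded.
ldd_mentions_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Print the path of sshd, or exit 1 if none is found.
find_sshd() {
    for p in /usr/sbin/sshd /usr/local/sbin/sshd /sbin/sshd; do
        if [ -x "$p" ]; then printf '%s\n' "$p"; return 0; fi
    done
    command -v sshd 2>/dev/null
}

# Best-effort report for the current machine. Always exits 0 so it is safe
# under `set -e`; anything that cannot be probed is reported, not fatal.
triage() {
    if command -v xz >/dev/null 2>&1; then
        line=$(xz --version 2>/dev/null | head -n 1)
        if xz_version_affected "$line"; then
            echo "xz: $line  <-- backdoored release (CVE-2024-3094), replace it now"
        else
            echo "xz: $line  (not one of the two backdoored releases)"
        fi
    else
        echo "xz: not installed"
    fi

    if sshd_path=$(find_sshd) && command -v ldd >/dev/null 2>&1; then
        if ldd_mentions_liblzma "$(ldd "$sshd_path" 2>/dev/null)"; then
            echo "sshd: $sshd_path loads liblzma: exposed if xz is a backdoored release"
        else
            echo "sshd: $sshd_path does not load liblzma: the sshd hook could not engage here"
        fi
    else
        echo "sshd: not found or ldd unavailable; cannot check"
    fi
    return 0
}

triage
```

The version string is only a heuristic: the malicious code lived in the release tarballs rather than in the git tree, so a 5.6.1 built from a clean checkout is not backdoored, and distributions that reverted to an older xz did so under their own package version numbers. The ldd check is the one that matters for exposure, because it reproduces exactly what Freund observed: a login-time code path in sshd that reaches into liblzma when nothing about SSH needs compression.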

Threat Likely Averted

So far, no attacks using this backdoor have been recorded. Now that it has been uncovered, the global security community is quickly erasing it from the face of the earth, or rather from computers worldwide, where it had arrived as part of software updates. Because the two affected versions had only reached testing and rolling-release distributions, not stable releases, the cleanup largely meant reverting to an earlier xz.

“It could have been the most widespread and effective backdoors ever inserted into any software product,” said Alex Stamos of SentinelOne, a company that conducts cybersecurity research.

The attacker operated under the pseudonym Jia Tan and apparently built up their reputation over at least two years. From a novice, they rose to a trusted contributor and later a co-maintainer of the XZ Utils library. “It was very mysterious,” Freund said of the attackers, whose plan he thwarted. “Obviously, they put a lot of effort into hiding what they were doing.”

“This multi-year operation was very clever. Those embedded backdoors are incredibly sneaky,” said Costin Raiu, who until last year served as chief researcher at the Russian cybersecurity company Kaspersky. “I would say it’s a nation-state-supported group with long-term goals that can afford to invest in multi-year infiltrations of open-source projects.” He named the usual suspects: China, Russia, or North Korea.

The timestamps of the changes that user Jia Tan submitted corresponded to the time zone in East Asia. However, as experts point out, the user could have timed the changes intentionally to cover their tracks.

“Security is a team sport,” Microsoft CEO Satya Nadella wrote in praise of his employee. “I’m pleased to read how Andres Freund, thanks to his curiosity and skill, managed to save us.” The open-source world can celebrate again. Its main premise – anyone can see the source code – has once again proven its worth. But this time, disaster was only a hair’s breadth away.

Photo source: www.pexels.com

Author of this article

Natalie Bezděková

I am a student of Master's degree in Political Science. I am interested in marketing, especially copywriting and social media. I also focus on political and social events at home and abroad and technological innovations. My free time is filled with sports, reading and a passion for travel.