Developer stumbles upon malicious backdoor while trying to improve performance

  • On Friday a backdoor was discovered, and the story of how it was built and found is wild.
  • A developer known as Jia Tan reportedly spent the last two years crafting a backdoor that would ultimately have compromised an untold number of Linux-based systems.
  • The only reason it was discovered was that a developer noticed logging into a system was driving up CPU usage.

At the weekend, while we were enjoying fish and chocolate (not together though) a lone developer stumbled upon a backdoor that would’ve compromised an untold number of Linux operating systems.

The backdoor was inserted into an open source compression utility known as xz Utils, which is used in a number of Linux and Unix systems to handle compression and decompression of files. According to reports from the likes of Ars Technica, the backdoor is likely the product of years of work, and the person or persons behind it were seemingly close to seeing it merged into Linux versions from Debian and Red Hat.

The backdoor was placed there by a developer going by the name of Jia Tan. At this stage, it’s unknown whether Tan is a real person or a group of threat actors. Over the weekend since the discovery of the backdoor, a timeline has been pieced together.

Tan made their first commit to the xz Utils repository in February 2022 and over the next two years they would slowly construct a backdoor that would ultimately allow a bad actor to gain control of a Linux server. This malware was built over a long period, most likely to hide the developer’s actions and avoid drawing suspicion. It was a tactic that was working, until last week.

Andres Freund, a principal software engineer at Microsoft, was troubleshooting performance problems on a Debian system. He found that logging into the system using the Secure Shell Protocol (SSH) was causing CPU usage to ramp up while also generating errors in a software utility that monitors computer memory. Exploring the cause of the problem, Freund discovered that an update to xz Utils was the reason for the slowness. Probing further, he discovered the backdoor.

Following this discovery, Freund immediately posted his findings to the Open Source Security list, explaining how the backdoor worked and how to detect it.

The good news is that the backdoor was discovered before it reached mainstream releases, where it would have allowed attackers to gain access to Linux-based servers with little to no effort. A few bleeding-edge distros were impacted, including Fedora Linux 40, the Fedora Rawhide developer distribution, Debian Unstable and Kali Linux, according to The Register. Had it not been spotted, attackers could easily have compromised a system through remote code execution and other malicious attack vectors.

The question now becomes: who is Jia Tan, were they funded by somebody and, if so, by whom? There is speculation that the attacker is state-sponsored, which would track given the time this developer spent executing the attack. There are also fears that, given the time Tan spent on this backdoor, there may be other compromises.

This incident has highlighted not only the dangers of open-source development but the benefits as well. While a threat actor was able to compromise a hugely important utility, it was spotted thanks to open-source developers who noticed something was wrong.
