Well, this is incredibly concerning. Is YOUR system safe?
We live in an age where both the bounties and perils are unparalleled. We have abundance like we have never seen before, but everything is also far more connected.
This complex web we know as the internet has multiplied our wealth, but it has also multiplied the threats lurking beneath cleverly designed user interfaces and sophisticated computer code.
A recent ‘near-miss’ cyberattack has tech professionals and U.S. officials spooked due to the sophistication of the hack and the length of time the compromised code was deployed on the web.
The hack affected XZ Utils, a little-known compression program operating on the Linux platform, and all Linux operating systems running the code.
At the center of the nearly catastrophic cyberattack is a mysterious figure known only as ‘Jia Tan.’ Tan was originally brought on as a helping hand for the main developer of XZ Utils.
XZ Utils is open-source software that relies on scores of unpaid volunteers collaborating online to maintain the program.
After two years of Tan contributing to the project, it was discovered that the rogue software developer had snuck their own compromised code into the XZ Utils program.
This code created a backdoor to millions of servers on the internet and was only discovered after a curious developer, named Andres Freund, noticed that the unassuming program was using far too much processing power.
Upon closer inspection, Freund discovered the cleverly hidden code and the backdoor it created. The online coding and developer community rushed to dissect the code and provide more answers:
We have been reverse engineering the XZ Utils backdoor and are sharing some initial findings: we've identified multiple hooking options to adapt to different environments, and a hardcoded fake public key that can appear in verbose SSH logs depending on attacker-controlled flags. pic.twitter.com/P48blup7cN
— Danielle Aminov (@AminovDanielle) April 3, 2024
Ethical hacker Kostas implored other users to check their systems for the compromised software:
“Regarding the xz backdoored binary, see the one-liner below to check the version you have installed. I wouldn’t suggest folks running the malicious binary with -v option.
for xz_p in $(type -a xz | awk '{print $NF}' | uniq); do strings "$xz_p" | grep "xz (XZ Utils)" || echo "No match found for $xz_p"; done. Some systems might have two different versions installed (i.e. if you have homebrew).
The above command will check both. You can run the which command if you want to see which binary would run by default upon being called interactively. Good luck!”
— Kostas (@Kostastsale) March 30, 2024
Check if impacted by CVE-2024-3094 ❓
❌ xz -V
✔️ strings /usr/local/bin/xz | grep "(XZ Utils)"
✔️ strings `which xz` | grep "(XZ Utils"
✔️ for xz_p in $(type -a xz | awk '{print $NF}' | uniq); do strings "$xz_p" | grep "xz (XZ Utils)" || echo "No match found for $xz_p"; done https://t.co/jDxSi2n5wQ
— M∆LWAR3NINJA | Threatview.io 💻 (@Malwar3Ninja) March 30, 2024
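As an added example, not code from the article or from any of the quoted tweets, the script below applies the same idea across every xz found on PATH and flags the two releases that shipped the backdoor (5.6.0 and 5.6.1, which the article does not name; they are taken from the public CVE-2024-3094 advisories). It uses grep -a in place of strings(1) so it does not depend on binutils, and, like the tweets' one-liners, it never executes the binary under test.

```shell
#!/bin/sh
# Added example: check every xz on PATH for CVE-2024-3094 without running it.
# Affected upstream releases (from public advisories, not from the article):
# 5.6.0 and 5.6.1.

# Print the version embedded in a binary, reading it purely as data.
# grep -a treats the file as text, so no binutils/strings(1) is needed.
xz_version_of() {
    grep -a -o 'xz (XZ Utils) [0-9][0-9.]*' "$1" 2>/dev/null \
        | head -n 1 | awk '{print $NF}'
}

# Return 0 (true) when the version is one of the backdoored releases.
is_backdoored_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Classify one file. Exit status: 0 = OK, 1 = AFFECTED, 2 = UNKNOWN.
check_xz_binary() {
    ver=$(xz_version_of "$1")
    if [ -z "$ver" ]; then
        echo "UNKNOWN  $1 (no XZ Utils version string found)"
        return 2
    elif is_backdoored_version "$ver"; then
        echo "AFFECTED $1 (xz $ver)"
        return 1
    else
        echo "OK       $1 (xz $ver)"
        return 0
    fi
}

# Walk every xz on PATH (same type -a | awk loop as the tweets) and return
# the worst status seen, so the script can be used from other tooling.
check_all_xz_on_path() {
    worst=0
    for xz_p in $(type -a xz 2>/dev/null | awk '{print $NF}' | uniq); do
        [ -f "$xz_p" ] || continue
        check_xz_binary "$xz_p"
        rc=$?
        [ "$rc" -gt "$worst" ] && worst=$rc
    done
    return $worst
}

check_all_xz_on_path || echo "Review the lines above (exit status $?)"
```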
According to Reuters:
Tan did not return messages sent to his Gmail account. Reuters has been unable to ascertain who Tan is, where he is, or who he was working for, but many of those who’ve examined his updates believe Tan is a pseudonym for an expert hacker or group of hackers — likely one working on behalf of a powerful intelligence service.
Silas Cutler, a hacker and researcher, provided this update in the aftermath of the hack in a lengthy thread on X. If your system is compromised, make sure to correct the issue.
The main channels for updates that I've been following are:
* (High level) https://t.co/mdst9DVGnc
* (Technical) https://t.co/QOP6O2hCVp
Both are being regularly updated with analysis in the comments.
2 / 5🧵
— Silas Cutler (p1nk) (@silascutler) April 1, 2024
@CISACyber has a high level summary from Friday with the high level details: https://t.co/yCxQv2TaTO
Hopefully, we will see updates this week with new information.
4 / 5🧵
— Silas Cutler (p1nk) (@silascutler) April 1, 2024
WIRED conducted its own investigation in an attempt to reveal the identity of Tan:
At a glance, Jia Tan certainly looks East Asian—or is meant to.
The time zone of Jia Tan’s commits is UTC+8: That’s China’s time zone, and only an hour off from North Korea’s.
However, an analysis by two researchers, Rhea Karty and Simon Henniger, suggests that Jia Tan may have simply changed the time zone of their computer to UTC+8 before every commit.
In fact, several commits were made with a computer set to an Eastern European or Middle Eastern time zone instead, perhaps when Jia Tan forgot to make the change.