The XZ cyber incident is a textbook example of how sophisticated social engineering tactics can lead to significant security breaches.
Over the course of two years, a carefully planned attack was executed against the popular XZ Utils open-source project.
The attackers went to great lengths to ensure their plan was executed flawlessly, culminating in the successful insertion of a backdoor in early 2024.
This breach had far-reaching consequences that affected countless project users.
The attackers are believed to have used fake identities and to have followed a long-term infiltration strategy against the XZ Utils project.
One of the central figures in this operation was Jia Cheong Tan (JiaT75), a likely pseudonymous identity that played a pivotal role in executing the attack.
Kaspersky has recently released an in-depth analysis of an incident primarily executed through social engineering techniques.
The report provides comprehensive details and insights into the incident, shedding light on the intricacies and nuances of social engineering as an attack vector.
The social engineering aspect of this incident was not only elaborate but also highlighted a significant vulnerability in the trust-based model of open-source projects.
The initial phase of the attack involved benign contributions to the project, which served dual purposes: to mask the attackers’ malicious intentions and to build a reputation within the community as trustworthy developers.
Attack Timeline
The security researcher Alden from Huntress analyzed Jia Tan's commit history over time.
Interesting note on the #xz backdoor: If you plot Jia Tan's commit history over time, the cluster of offending commits occurs at an unusual time compared to the rest of their activity. If the dev was pwned, it could be a sign that the threat actor contributed in their own timezone. — alden (@birchb0y) March 30, 2024
The plot indicates that the cluster of offending commits happened at unusual times.
Between February 23-26 and March 8-9, 2024, JiaT75 committed malicious code at times that did not match their prior working hours.
It is suspected that a second party used the JiaT75 account to insert the malicious code, but it is unclear whether the contributor was aware of this.
The individual contributor behind the JiaT75 account may have been under pressure to commit the malicious backdoor code quickly.
It is also possible that a team managed the JiaT75 account and that one member needed to work beyond the usual hours without interruption.
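As an added illustration of the commit-timing analysis described above (this is not code from the Huntress analysis or the xz project), the script below parses constructed git log lines, derives the contributor's usual working window from the hour-of-day distribution of their commits, and flags commits that fall outside it; the hashes and dates are made up.

```python
import math
from collections import Counter
from datetime import datetime

# Constructed `git log --format='%h %aI'` style sample (hypothetical hashes and dates, not
# the xz history): short hash, ISO 8601 author date with the author's declared UTC offset.
SAMPLE_LOG = """\
a1 2023-06-12T09:14:00+08:00
a2 2023-07-03T10:42:00+08:00
a3 2023-09-21T11:05:00+08:00
a4 2023-11-08T14:30:00+08:00
a5 2024-01-16T10:02:00+08:00
a6 2024-02-23T03:17:00+08:00
a7 2024-02-24T02:55:00+08:00
a8 2024-03-09T04:40:00+08:00
"""

def parse_log(text):
    """Return a list of (short_hash, timezone-aware datetime) from the log lines."""
    commits = []
    for line in text.splitlines():
        sha, stamp = line.split()
        commits.append((sha, datetime.fromisoformat(stamp)))
    return commits

def densest_window(hours, coverage=0.6):
    """Smallest wrap-around window of hours (start, width) holding at least `coverage`
    of all commits; this approximates the contributor's usual working day."""
    need = math.ceil(len(hours) * coverage)
    counts = Counter(hours)
    best = None
    for start in range(24):
        total = 0
        for width in range(1, 25):
            total += counts[(start + width - 1) % 24]
            if total >= need:
                if best is None or width < best[1]:
                    best = (start, width)
                break
    return best

def off_hours_commits(commits, coverage=0.6):
    """Commits whose author-local hour lies outside the usual working window.
    Hours are taken in the declared offset, so work done from another time zone
    shows up as unusual local hours, the pattern noted in the Huntress plot."""
    start, width = densest_window([dt.hour for _, dt in commits], coverage)
    return [(sha, dt.isoformat()) for sha, dt in commits if (dt.hour - start) % 24 >= width]

FLAGGED = off_hours_commits(parse_log(SAMPLE_LOG))  # the three early-morning commits
```

On real history, feed it `git log --author=<name> --format='%h %aI'` output and compare the flagged cluster against the contributor's established activity, as the Huntress analysis did.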
As these contributions continued, the attackers engaged in strategic social interactions with key community members, gradually ingratiating themselves within the community.
By leveraging the open-source community’s reliance on mutual trust and collaborative development, the attackers positioned themselves as integral contributors to the XZ Utils project.
Over time, they expanded their roles within the project, advocating for additional maintainer roles under the pretext of enhancing the project.
This strategic placement allowed them unfettered access to the project’s codebase, setting the stage for the next phase of their plan.
In early 2024, the attackers executed the final phase of their strategy by inserting malicious code into the XZ Utils build process.
This code was designed to implement a backdoor in sshd, a critical component of many Linux distributions, for the attackers' exclusive use.
The backdoor code was pushed to major Linux distributions as part of a large-scale supply chain attack, aiming to compromise millions of systems globally.
The malicious code’s subtlety in insertion, leveraging the build process in plain sight, was a testament to the attackers’ technical acumen and deep understanding of the open-source development ecosystem.
The social engineering tactics employed were not just about deceiving individuals; they were about exploiting the dynamics of community trust and collaboration, which are foundational to open-source projects.
Thanks to the vigilance of Andres Freund, a developer at Microsoft, this backdoor was discovered, preventing what could have been one of the most significant security breaches in recent history.
Freund’s investigation began when he noticed unusual activity in the SSH daemon, which led him to uncover the backdoor embedded within XZ Utils.
As the cybersecurity community continues to analyze and learn from the XZ incident, it is clear that the battle against cyber threats is not just about technological defenses but also about understanding and mitigating the human and social factors that can often be the weakest links in security.