What happened here is now well documented elsewhere, so I shall not recap it much, but essentially somebody appears to have hijacked the open source XZ project by social engineering the volunteer developer into handing over maintainer access after they cited some mental health issues, then used the XZ Utils package to piggyback on systemd loading liblzma, which in turn loaded XZ, allowing sshd to be hooked to trojan it on Linux distributions that use systemd.
The trojan allows somebody with a private key to hijack sshd to execute commands, amongst other functions. It is highly advanced.
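The loading chain the post above describes (sshd ends up with liblzma in its address space through the distribution's systemd integration) gives defenders one direct check: a vanilla OpenSSH build has no reason to load liblzma, so an sshd process that has it mapped is at least exposed to that loading path and deserves a look. The script below is an added example, not code from this thread or from the XZ or OpenSSH projects. It parses `/proc/<pid>/maps` text, is run here over constructed sample excerpts (the addresses and inode numbers are made up), and can also walk a live `/proc`. Presence of liblzma shows exposure to the loading path, not that the library itself is trojaned; package version and hash checks are a separate step.

```python
import re
from pathlib import Path

# Matches a file-backed mapping of liblzma with any soname suffix, e.g. liblzma.so.5
LIBLZMA_RE = re.compile(r"/liblzma\.so(\.\d+)*$")


def mapped_files(maps_text: str) -> set[str]:
    """Return every file-backed path found in /proc/<pid>/maps text.

    Each maps line is: address perms offset dev inode [pathname]. Anonymous
    mappings have no pathname, and pseudo-paths such as [heap] and [stack]
    are not files on disk, so both are skipped.
    """
    paths = set()
    for line in maps_text.splitlines():
        fields = line.split(maxsplit=5)
        if len(fields) == 6 and fields[5].startswith("/"):
            paths.add(fields[5])
    return paths


def lzma_mappings(maps_text: str) -> list[str]:
    """Paths of liblzma objects mapped in this process (empty list means none)."""
    return sorted(p for p in mapped_files(maps_text) if LIBLZMA_RE.search(p))


def scan_sshd(proc_root: str = "/proc") -> dict[int, list[str]]:
    """Walk procfs and report every process named sshd that has liblzma mapped."""
    findings: dict[int, list[str]] = {}
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            if (entry / "comm").read_text().strip() != "sshd":
                continue
            maps_text = (entry / "maps").read_text()
        except OSError:  # process exited, or no permission to read its maps
            continue
        hits = lzma_mappings(maps_text)
        if hits:
            findings[int(entry.name)] = hits
    return findings


# Constructed sample maps excerpts (not captured from a real host). Only the
# pathnames matter for the check; addresses and inodes are invented.
SAMPLE_SSHD_WITH_LZMA = """\
55d0c0e00000-55d0c0e2b000 r--p 00000000 fd:01 1048601 /usr/sbin/sshd
55d0c1a3f000-55d0c1a60000 rw-p 00000000 00:00 0 [heap]
7f3a1c000000-7f3a1c01e000 r--p 00000000 fd:01 2100771 /usr/lib/x86_64-linux-gnu/libsystemd.so.0
7f3a1c200000-7f3a1c20a000 r--p 00000000 fd:01 2100803 /usr/lib/x86_64-linux-gnu/liblzma.so.5
7f3a1c20a000-7f3a1c228000 r-xp 0000a000 fd:01 2100803 /usr/lib/x86_64-linux-gnu/liblzma.so.5
7f3a1c400000-7f3a1c4c0000 r--p 00000000 fd:01 2100411 /usr/lib/x86_64-linux-gnu/libcrypto.so.3
7ffd9b5a0000-7ffd9b5c1000 rw-p 00000000 00:00 0 [stack]
"""

SAMPLE_SSHD_VANILLA = """\
55d0c0e00000-55d0c0e2b000 r--p 00000000 fd:01 1048601 /usr/sbin/sshd
55d0c1a3f000-55d0c1a60000 rw-p 00000000 00:00 0 [heap]
7f3a1c400000-7f3a1c4c0000 r--p 00000000 fd:01 2100411 /usr/lib/x86_64-linux-gnu/libcrypto.so.3
7f3a1c600000-7f3a1c628000 r--p 00000000 fd:01 2100210 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1d000000-7f3a1d004000 rw-p 00000000 00:00 0
7ffd9b5a0000-7ffd9b5c1000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    # Offline demonstration on the constructed samples, then a live scan.
    print("sshd with liblzma mapped:", lzma_mappings(SAMPLE_SSHD_WITH_LZMA))
    print("vanilla sshd:            ", lzma_mappings(SAMPLE_SSHD_VANILLA))
    for pid, libs in scan_sshd().items():
        print(f"sshd pid {pid} maps {', '.join(libs)}")
```

The live scan needs permission to read other processes' `maps` files, so run it as root on the host you are checking; processes you cannot read are skipped rather than reported as clean.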
The last part, being noticed by an autist for a 0.5s startup delay, is killing 🤣
Something not priced into open source security is AI reviewing code for potential vulnerabilities. It's not perfect of course, but it can call for more expert review by identifying suspicious practices in code or simply labeling a library as sus.
Recently added our repos to Socket to monitor our npm-based supply chain for deps, and it's pretty awesome. Will be even more awesome when there are several others available.
If you applied such an AI bot to the XZ backdoor and it found it (without including it in your dataset of course) I'd be more enthusiastic. The degree of code obfuscation with this was pretty high to be fair.
This actually would be an interesting experiment.
Did somebody try to test whether running copilot or any other source code AI tool will identify it as a vulnerability?
Yeah, it was buried really well, but that will also result in automating new kinds of tests.
I look forward to it.
Well, with the caveat that they might have done/are attempting both top panel and bottom panel.
Looks like the page that link connects to has been... removed.
deleted by author
Smells like a nation-state level attack. It's very lucky this got caught. Next time, maybe not. This could have had devastating consequences. The FOSS community is on notice that small projects embedded in larger projects such as systemd are being reviewed for weak-handed maintainers that can be manipulated, co-opted, and backdoored.
The backdoor attempt was a very serious one, with a very high bar of knowledge, research, development and tradecraft to reach this far into the Linux ecosystem. Additionally, changes made by the threat actor on GitHub span multiple years. The backdoor itself is super well put together, and even includes the ability to remotely deactivate and remove the backdoor via a kill command.
We should stop using open source and only buy American vendor products! Yeah, good luck with that.
There are no easy fixes... we should just try to reduce the risk and calmly work on some solutions.
Great write-up! & call to buidl. Things are definitely heating up.
Processing less user data and using fewer 3rd party dependencies needs to be a part of any software roadmap for the next 2 years. Something I mentioned in The Privacy Pivot here on SN. In this case it was a lucky break and there was not much that could be done, but more vulnerabilities are around the corner, no doubt.
It feels like it's already a full-time job just to report on them.
"We should also acknowledge that open source developers are largely unpaid"
Let them use LN and they will be paid. I would send some sats for a backdoor discovery like the one above, and imagine the whole world doing so too...
Good model :)
deleted by author
Because of the much lower entry barrier for tipping, for example 500 sats.
deleted by author
All you are doing is signaling that open source work is only worth fractions of a penny.
lol, and now multiply 500 sats by the number of users of SSH, or even only a generous part of them.
"using fewer 3rd party dependencies"
Looking at the JS community :S ... just don't run JavaScript.
It's going to be a wild ride from now on... and as always... it's not just "software", we are on top of magma in the "hardware" realm...
Failed in a sense that it didn't make it into major distros or all of world internet infrastructure. But still absolutely terrifying how far they came.
10 sats \ 0 replies \ @freetx 1 Apr
Reminds me of this...
My goodness, what next?
Hardware.