XZ Utils Critical Backdoor (CVE-2024-3094)
The Fallacy of Secure Open Source Code
How much time would you spend on executing the perfect hack?
The user going by the name of ‘JiaT75’ spent almost three years infiltrating and contributing to a GitHub repo for one singular reason – access to release manager rights for the next XZ Utils update.
In this episode of Threat Talks, host Lieuwe Jan Koning is joined by Thomas Manolis, Information Security Officer at AMS-IX, and Jeroen Scheerder, Security Specialist at ON2IT, to discuss this meticulously executed breach in the open-source community.
Using clever social engineering tactics, Jia Tan (JiaT75) built a credible reputation within that community, gaining the trust and access needed to introduce malicious code undetected. The breach was only discovered by chance when Andres Freund, an engineer at Microsoft, traced unusual system latency back to XZ Utils and uncovered the backdoor.
What exactly happened?
How lucky did we get with Freund discovering the backdoor?
And how do we know that something like this hasn’t happened before?
Explore the Hack’s Route in Detail
Find a complete overview of the XZ Utils Critical Backdoor and other attacks featured in Breaking the Illusion: Exposing Security Fallacies:
Your cybersecurity experts
Lieuwe Jan Koning
Co-Founder and CTO, ON2IT Group
Thomas Manolis
Information Security Officer, AMS-IX
Rob Maas
Field CTO, ON2IT
Episode details
In a carefully executed breach, a user known as “Jia Tan” embedded themselves in the XZ Utils open-source project to gain privileged access.
This user, operating under the account name “JiaT75,” employed advanced social engineering strategies over a three-year period to build a credible reputation in the open-source community. Through active contributions and trust-building (as well as a stream of support requests that overwhelmed the project’s existing maintainer), they eventually secured release manager rights.
With these elevated privileges, Jia Tan introduced a backdoor into XZ Utils by embedding malicious code within a release. This code provided a hidden access point that allowed the attacker full control over any system running the compromised version of the software.
The backdoor remained unnoticed until Andres Freund, a software engineer at Microsoft, investigated a latency issue he had observed. Freund traced the problem back to XZ Utils, where he ultimately uncovered the backdoor.
Had it not been for Freund’s curiosity and persistence, the backdoor might have remained active and undetected for an extended period. Was this Jia Tan a nation state actor? Can hacks like this be prevented? What can we do to make sure something like this doesn’t happen again?