XZ Utils Critical Backdoor (CVE-2024-3094)

Threat Talks - Infographic Security Fallacies
Listen to Threat Talks - Cybersecurity Podcast on Spotify
Listen to Threat Talks - Cybersecurity Podcast on YouTube
Listen to Threat Talks - Cybersecurity Podcast on Apple Podcasts
Listen to Threat Talks - Cybersecurity Podcast on Amazon Music

XZ Utils Critical Backdoor

The Fallacy of Secure Open Source Code

How much time would you spend on executing the perfect hack?

The user going by the name of ‘JIAT75’ spent almost three years infiltrating and contributing to a GitHub repo for one singular reason – access to release manager rights for the next XZ Utils update.

In this episode of Threat Talks, host Lieuwe Jan Koning is joined by Thomas Manolis, Information Security Officer at AMS-IX, and Jeroen Scheerder, Security Specialist at ON2IT, to discuss this meticulously executed breach in the open-source community.

Using clever social engineering tactics, Jia Tan (JIAT75) built a credible reputation within said community, gaining trust and access to introduce malicious code undetected. The breach was only discovered by chance when Andres Freund, an engineer at Microsoft, traced unusual system latency back to XZ Utils and uncovered the backdoor.

What exactly happened?

How lucky did we get with Freund discovering the backdoor?
And how do we know that something like this hasn’t happened before?


Explore the Hack’s Route in Detail

Find a complete overview of the XZ Utils Critical Backdoor and other attacks featured in Breaking the Illusion: Exposing Security Fallacies:

Your cybersecurity experts

Lieuwe Jan Koning, Co-Founder and CTO, ON2IT Group

Thomas Manolis, Information Security Officer, AMS-IX

Rob Maas, Field CTO, ON2IT

Episode details

In a carefully executed breach, a user known as “Jia Tan” embedded themselves in the XZ Utils open-source project to gain privileged access. This user, operating under the account name “JIAT75,” employed advanced social engineering strategies over a three-year period to build a credible reputation in the open-source community. Through active contributions and trust-building (as well as sending in numerous support requests to overwhelm the project's existing maintainer), they eventually secured release manager rights.

With these elevated privileges, Jia Tan introduced a backdoor into XZ Utils by embedding malicious code within a release. This code provided a hidden access point that allowed the attacker full control over any system running the compromised version of the software.

The backdoor remained unnoticed until Andres Freund, a Microsoft developer and engineer, investigated a latency issue he observed. Freund traced the problem back to XZ Utils, where he ultimately uncovered the backdoor.

Had it not been for Freund’s curiosity and persistence, the backdoor might have remained active and undetected for an extended period. Was Jia Tan a nation-state actor? Can hacks like this be prevented? What can we do to make sure something like this doesn’t happen again?


Enter the dynamic world of cybersecurity

Subscribe to our channels, and stay on top of it!
