Andres Freund’s discovery of malicious code in a widely used open-source library has exposed how heavily the world’s networks depend on under-resourced, community-maintained software, and how much of a threat that dependence poses.
On Good Friday, Andres Freund, an engineer at Microsoft, made an interesting discovery. While using SSH, the tool for connecting securely to remote computers over the internet, he noticed that logins were taking noticeably longer than they should (about half a second) and were consuming more processor time than expected. Investigating further, he found that malicious code had been planted in XZ Utils, a software package on his machine that is used to compress and decompress data. That package ships with virtually every distribution of Linux, the operating system that powers most of the public internet’s servers, so it is a fair assumption that nearly all of those servers have XZ Utils installed.
Freund’s investigation showed that the malicious code had arrived on his machine in two recent updates to XZ Utils, versions 5.6.0 and 5.6.1. He promptly reported this to the oss-security mailing list, explaining that those releases had been deliberately tampered with to plant a backdoor in the compression library. This type of attack is known as a “supply-chain attack”, the same category as the devastating SolarWinds attack disclosed in 2020. Rather than injecting malware directly into the machines it wants to compromise, the attacker contaminates the software pipeline that feeds them, relying on users who routinely, and trustingly, install updates. For anyone wanting to spread malicious software widely, poisoning the supply chain is a highly efficient approach.
The malware was designed to subvert SSH’s authentication: an attacker holding a particular private key could bypass the login check and run commands on the machine as root, gaining control of the whole system. Because SSH is the standard way of administering servers remotely, the discovery caused alarm across the security community, and Linux users were urged to check whether they had installed either of the two tampered releases and, if so, to downgrade to an earlier version.
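That check is simple enough to script. The following is an added example, not code from the column or from the XZ Utils project: it flags the two tampered release numbers (5.6.0 and 5.6.1) and reports whether the local sshd pulls in liblzma, which on Debian- and Fedora-style builds happens indirectly through libsystemd, the path the backdoor relied on. It assumes a POSIX shell with `xz`, `ldd`, `awk` and `grep` available; the function names are my own.

```shell
#!/bin/sh
# Added example (not the column's or the project's code): detect the two
# backdoored XZ Utils releases and whether sshd would load liblzma at all.

# is_backdoored_xz_version VERSION
# Exit 0 if VERSION is one of the two tampered releases, 1 otherwise.
is_backdoored_xz_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# installed_xz_version
# Print the version reported by `xz --version`; its first line looks like
# "xz (XZ Utils) 5.4.5", so the last field is the version. Prints nothing
# and returns 1 if xz is not installed.
installed_xz_version() {
    command -v xz >/dev/null 2>&1 || return 1
    xz --version 2>/dev/null | head -n 1 | awk '{print $NF}'
}

# sshd_links_liblzma
# Exit 0 if the sshd binary, directly or through a library it depends on
# (libsystemd in the affected distributions), loads liblzma. ldd lists
# transitive dependencies, which is exactly what we need here.
sshd_links_liblzma() {
    sshd_path=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    [ -x "$sshd_path" ] || return 1
    ldd "$sshd_path" 2>/dev/null | grep -q 'liblzma'
}

# check_host
# Combine the three checks and print a verdict. Returns 2 when a tampered
# release is installed, 0 otherwise.
check_host() {
    ver=$(installed_xz_version)
    if [ -z "$ver" ]; then
        echo "xz is not installed on this host"
        return 0
    fi
    if is_backdoored_xz_version "$ver"; then
        echo "WARNING: XZ Utils $ver is one of the backdoored releases; downgrade it"
        if sshd_links_liblzma; then
            echo "WARNING: sshd on this host loads liblzma; treat the host as compromised"
        fi
        return 2
    fi
    echo "XZ Utils $ver is not one of the two tampered releases"
    return 0
}

check_host
```

Note that a clean version number only means the two known-bad releases are absent; it says nothing about whether the host was already reached while a tampered release was installed, which is why the script treats a matching version together with a liblzma-linked sshd as grounds to assume compromise rather than merely to patch.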
For now the stable door has been bolted and, as far as anyone can tell, no horses went missing: the tampered releases had so far reached only the testing and rolling-release versions of the major Linux distributions, not their stable ones. Credit where credit is due, though: without Freund’s alertness and curiosity, that would not be the case. As one security expert put it, we owe Andres a debt of unlimited free beer for saving everyone’s rear ends in his spare time.
How the malware got into those updates is the most instructive part of the story. XZ Utils is open-source software: anyone may examine, modify and improve its source code. Such software is often developed and maintained by small groups, or by a single person. In this case Lasse Collin had been the sole maintainer of XZ Utils since its inception, and for a long time he was also the one who built and published its releases.
In recent years, maintaining this crucial piece of software had become an increasing burden, and there were reports that its creator was struggling with health problems, although, since he had stepped back from online life, nobody could be certain. Then, roughly two years ago, a previously unknown developer going by the name Jia Tan appeared and began making useful contributions to the XZ Utils code. According to the security researcher Michał Zalewski, soon after Jia’s arrival several other accounts, apparently controlled by the same person, surfaced and pressed Lasse to hand over control of the project. It seems that he eventually gave in, sometime in 2023. And the two backdoored releases were published by none other than this mysterious Jia Tan.
As the story unfolds, it is clear that security professionals are taking the attack extremely seriously. According to a prominent South African security expert interviewed by the Economist, the backdoor is unusually sophisticated and skilfully executed. More intriguing still is the coordinated online campaign to persuade Lasse Collin to hand control of XZ Utils to “Jia Tan”. That expert believes the SVR, the Russian intelligence agency responsible for the SolarWinds intrusion into US government networks, may have been behind this attack as well.
Who knows? But on what we know so far, there are two clear lessons. First, we have built a whole new world on a fundamentally insecure technology. Second, that world depends on open-source software, much of it maintained by unpaid volunteers with little support from industry or government. We cannot go on like this, yet we do. To adapt the old saying: those whom the gods wish to destroy, they first make complacent.