#security (2024-04)

Archive: https://archive.sweetops.com/security/

2024-04-04

Hao Wang

thanks to this gentleman, “the distros are built from released tar files but not from source code”

Hao Wang

one of the reasons the xz CVE happened (even if it is not the main reason, it's a reminder)

Hao Wang

there will be more similar CVEs disclosed, just a feeling

2024-04-06

Hao Wang
eBPF & Tetragon: Tools for detecting XZ Utils CVE 2024-3094 Exploit - Isovalent

Detecting XZ Utils liblzma CVE 2024-3094 backdoor exploit with Tetragon and eBPF. Includes ready to apply yaml policy.

Hao Wang

the person behind the hack should know the kernel very well; the bash script reminds me of the Linux kernel's boot code

Hao Wang

The open-source project owners who are experiencing mental health issues are the targets of social engineering

Erik Osterman (Cloud Posse)

I don’t even think it requires “mental health” issues.

Erik Osterman (Cloud Posse)

There’s a classic post about what it’s like to be an open-source maintainer. It can take some thick skin to be successful at it. Of course, it’s only exacerbated by mental health issues, and there are so many trolls out there. Anyone with a penchant for pleasing others, those who have trouble saying “no,” or generally trusting individuals are all susceptible to this kind of attack.

https://nolanlawson.com/2017/03/05/what-it-feels-like-to-be-an-open-source-maintainer/

What it feels like to be an open-source maintainer

Outside your door stands a line of a few hundred people. They are patiently waiting for you to answer their questions, complaints, pull requests, and feature requests. You want to help all of them,…

Hao Wang

just a reminder from long-time observation, they are very very low…

Hao Wang

when this xz thing first happened, I had a question on my mind: the English commit messages are so fluent, https://research.swtch.com/xz-timeline. Did the xz owner Lasse Collin ever talk to Jia Tan before, either face to face or by voice? Did anyone know Lasse Collin or see him before? When did ssh include liblzma?

Hao Wang

libsystemd does depend on lzma; does this mean systemd is hacked?

Hao Wang
Filippo Valsorda (@filippo.abyssdomain.expert)

I’m watching some folks reverse engineer the xz backdoor, sharing some preliminary analysis with permission.

The hooked RSA_public_decrypt verifies a signature on the server’s host key by a fixed Ed448 key, and then passes a payload to system().

It’s RCE, not auth bypass, and gated/unreplayable.

Hao Wang
blasty (@bl4sty) on X

the xz sshd backdoor rabbithole goes quite a bit deeper. I was just able to trigger some harder to reach functionality of the backdoor. there’s still more to explore.. 1/n

Hao Wang
Danielle Aminov (@AminovDanielle) on X

I’ve been looking into how the xz backdoor works and drew this sketch to make it easier to understand. I’ll update it as new information comes to light

Hao Wang
This backdoor almost infected Linux everywhere: The XZ Utils close call

For the first time, an open-source maintainer put malware into a key Linux utility. We’re still not sure who or why - but here’s what you can do about it.

Hao Wang
blasty (@bl4sty) on X

some people asked for the code .. so I decided to quickly refactor my scrappy paramiko script and turned it into an ssh agent implementation that works with a vanilla openssh client that has a single line patched out. https://t.co/93Y7Ha3V8N

Hao Wang
CVE-2024-3094: Critical RCE Vulnerability Found in XZ Utils | Wiz Blog

CVE-2024-3094 is a malicious code vulnerability in versions 5.6.0 and 5.6.1 of XZ Utils, enabling an SSH authentication bypass in certain Linux distributions

Hao Wang
Kaspersky analysis of the backdoor in XZ

Kaspersky analysis of the backdoor recently found in XZ, which is used in many popular Linux distributions and in OpenSSH server process.

Hao Wang
Popular Rust Crate liblzma-sys Compromised with XZ Utils Backdoor Files

Malicious “test files” linked to the XZ Utils backdoor found in popular Rust crate liblzma-sys, downloaded over 21,000 times.

2024-04-11

Hao Wang

Why CISA is Warning CISOs About a Breach at Sisense

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said today it is investigating a breach at business intelligence company Sisense, whose products are designed to allow companies to view the status of multiple third-party online services in a single dashboard.…

2024-04-16

Hao Wang

Another social engineering takeover attempt: https://therecord.media/researchers-stop-credible-takeover-xz-utils

Researchers stop ‘credible takeover attempt’ similar to XZ Utils backdoor incident

The thwarted social engineering attempts highlight the urgent need to address weaknesses in the management of open source software.

2024-04-22

venkata.mutyala
GitHub comments abused to push malware via Microsoft repo URLs

A GitHub flaw, or possibly a design decision, is being abused by threat actors to distribute malware using URLs associated with a Microsoft repository, making the files appear trustworthy.

Erik Osterman (Cloud Posse)

Wow, such a clever hack. Wouldn’t have thought twice. How has this taken so long to get abused?!
