#security (2024-04)
Archive: https://archive.sweetops.com/security/
2024-04-04
Hao Wang:
thanks to this gentleman, “the distros are built from released tar files but not from source codes”
Hao Wang:
one of the reasons the xz CVE happened (even though it is not the main reason, it is a reminder)
Hao Wang:
there will be more similar CVEs disclosed, just a feeling
2024-04-06
Hao Wang:
Detecting XZ Utils liblzma CVE-2024-3094 backdoor exploit with Tetragon and eBPF. Includes ready-to-apply YAML policy.
Hao Wang:
the person behind the hack should know the kernel very well; the bash script reminds me of the boot code of the Linux kernel
Hao Wang:
The open-source project owners who are experiencing mental health issues are the targets of social engineering
Erik Osterman (Cloud Posse):
I don’t even think it requires “mental health” issues.
Erik Osterman (Cloud Posse):
There’s a classic post about what it’s like to be an open-source maintainer. It can take some thick skin to be successful at it. Of course, it’s only exacerbated by mental health issues, and there are so many trolls out there. Anyone with a penchant for pleasing others, those who have trouble saying “no,” or generally trusting individuals are all susceptible to this kind of attack.
https://nolanlawson.com/2017/03/05/what-it-feels-like-to-be-an-open-source-maintainer/
Outside your door stands a line of a few hundred people. They are patiently waiting for you to answer their questions, complaints, pull requests, and feature requests. You want to help all of them,…
Hao Wang:
just a reminder from long-time observation, they are very, very low…
Hao Wang:
when this xz thing first happened, I had a question in my mind: the English commit messages are so fluent, https://research.swtch.com/xz-timeline. Did the xz owner Lasse Collin talk to Jia Tan before, either face to face or by voice? Did anyone know Lasse Collin or see him before? When did ssh include liblzma?
Hao Wang:
libsystemd does depend on lzma, does this mean systemd is hacked?
Hao Wang:
I’m watching some folks reverse engineer the xz backdoor, sharing some preliminary analysis with permission.
The hooked RSA_public_decrypt verifies a signature on the server’s host key by a fixed Ed448 key, and then passes a payload to system().
It’s RCE, not auth bypass, and gated/unreplayable.
Hao Wang:
the xz sshd backdoor rabbithole goes quite a bit deeper. I was just able to trigger some harder to reach functionality of the backdoor. there’s still more to explore.. 1/n
Hao Wang:
I’ve been looking into how the xz backdoor works and drew this sketch to make it easier to understand. I’ll update it as new information comes to light
Hao Wang:
For the first time, an open-source maintainer put malware into a key Linux utility. We’re still not sure who or why - but here’s what you can do about it.
Hao Wang:
some people asked for the code .. so I decided to quickly refactor my scrappy paramiko script and turned it into an ssh agent implementation that works with a vanilla openssh client that has a single line patched out. https://t.co/93Y7Ha3V8N
Hao Wang:
CVE-2024-3094 is a malicious code vulnerability in versions 5.6.0 and 5.6.1 of XZ Utils, enabling an SSH authentication bypass in certain Linux distributions
Hao Wang:
Kaspersky analysis of the backdoor recently found in XZ, which is used in many popular Linux distributions and in the OpenSSH server process.
Hao Wang:
Malicious “test files” linked to the XZ Utils backdoor found in popular Rust crate liblzma-sys, downloaded over 21,000 times.
2024-04-11
Hao Wang:
Why CISA is Warning CISOs About a Breach at Sisense
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said today it is investigating a breach at business intelligence company Sisense, whose products are designed to allow companies to view the status of multiple third-party online services in a single dashboard.…
2024-04-16
Hao Wang:
Another social engineering takeover attempt: https://therecord.media/researchers-stop-credible-takeover-xz-utils
The thwarted social engineering attempts highlight the urgent need to address weaknesses in the management of open source software.
2024-04-22
venkata.mutyala:
A GitHub flaw, or possibly a design decision, is being abused by threat actors to distribute malware using URLs associated with a Microsoft repository, making the files appear trustworthy.
Erik Osterman (Cloud Posse):
Wow, such a clever hack. Wouldn’t have thought twice. How has this taken so long to get abused?!