🤯 The level of sophistication of the XZ attack is very impressive! I tried to make sense of the analysis in a single page (which was quite complicated)!

I hope it helps to make sense of the information out there. Please treat the information "as is" while the analysis progresses! 🧐 #infosec #xz

@fr0gger Wait a minute, do I get this correctly, they were checking and getting info on the systems by changing some invisible characters in a file they compressed, and made a bash script out of it that included the backdoor at compile time?

Or is it really too complicated for my dumb brain?

@Bibobu @fr0gger

The complexity is easier to understand if you examine the steps in reverse order. Once you've devised a working step N you can focus on step N-1. It's an onion layer of subtleties for sure, but no individual step is exceptionally complex.

@fr0gger

This seems incredibly complicated. What was the purpose of making so many bad things?

@trabex @fr0gger ultimately, to construct a back door in the SSH service that would let the attackers execute unauthorized code on systems with the compromised library installed

@fr0gger god damn autoconf. it's so arcane that nobody thinks a bunch of extra seds and awks are weird

very nice diagram, thank you

@lritter @fr0gger

This, but also, it was hidden in a file that was .gitignore'd?

@fr0gger well, this lays things out more easily for me than a plain blog post would have! Thanks 🖼️

(And yes, I'm treating it with the appropriate pinch of salt as requested)

@fr0gger Awesomesauce! Thanks for the explainer.
@fr0gger It was. One has to wonder about just which country was behind it. Very sophisticated, slow and careful attack.
@fr0gger The timeline (3 years) and sophistication 'seem' to indicate that the threat actor is a nation state with advanced #infosec capabilities.
@kentoseth @fr0gger And in the end they got sloppy. The backdoor needed to reach Ubuntu in time for the next stable release. The delivery mechanism will not work for much longer.
@fr0gger This is almost as complicated and requires almost as much effort as the Easter eggs in Battlefield 4.
@fr0gger what a great picture! Would it be possible to add "only add backdoor if debian or RPM"
@fr0gger As a sinophone, I've seen discussion about which country the software-poisoning user is from.

Jin Cheong Tan is not considered a widely used spelling of a Chinese citizen's or a Taiwanese person's name. I think it's more likely one used by people of Chinese descent in SE Asia, but it may be a combination of arbitrarily chosen syllables from Sinitic languages.
@yoxem @fr0gger Or it’s just a red herring to let us look into Asia.

@rstein @yoxem @fr0gger Same as their logged IP which was in Singapore.

And known to be of a VPN host.

@yoxem @fr0gger

Jin is a Korean surname more than a Chinese one.

@fr0gger Thank you for your work on this. Would you be able to add a description to the image for the benefit of blind people? Thanks again.

@fr0gger @blogdiva This is some badass technical communication. I was so impressed I felt obliged to check out OP’s profile.

Oh. Well I guess that makes sense then. 🫡

@fr0gger thanks, i was really hoping somebody would give an overview of the entire thing. this is fascinating
@fr0gger Could you add a licence info to the image like #CreativeCommons to allow legal sharing under known conditions?
@fr0gger The "&" sign used twice in the bottom left corner seems to have lower font size or is especially hard to read in the chosen font. If you update the image, maybe improve the readability there?
@fr0gger I think I understood the attack so far that the #xz binary would later infect #OpenSSH to make it vulnerable to #RemoteCodeExecution. Am I wrong or could you extend the chart with that mechanism? That'd be great!

@dboehmer This isn’t about the xz binary at all. The repository in question contains the source code of both the xz binary and liblzma. OpenSSH on some Linux distributions has liblzma as a dependency (via some intermediates). That’s how the backdoor made it into the OpenSSH process where it could compromise its functionality.
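As an added example (not code from the thread, nor from the xz or OpenSSH projects), here is a small POSIX shell check for the dependency path this reply describes: whether an installed sshd pulls liblzma into its process through its shared-library dependencies. The sshd locations and the intermediate library name are assumptions, and the sample ldd output is constructed so the parsing can be exercised without a live binary.

```shell
#!/bin/sh
# Added example, not code from the thread or from the xz/OpenSSH projects.
# Checks whether an sshd binary pulls in liblzma through its shared-library
# dependencies, which is the path the reply above describes. The parsing works
# on ldd-style output so it can run on a constructed sample as well as on a
# live binary (the binary locations below are assumptions about common paths).

# Return 0 (true) if the given ldd-style output lists liblzma, 1 otherwise.
links_liblzma() {
  printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Print the ldd output for the first sshd found in the assumed locations, or
# return 1 if none is present. Note that ldd runs the dynamic loader on the
# target, so only point it at a binary you already trust as much as running it.
sshd_ldd_output() {
  for p in /usr/sbin/sshd /usr/bin/sshd /usr/local/sbin/sshd; do
    if [ -x "$p" ]; then
      ldd "$p" 2>/dev/null
      return 0
    fi
  done
  return 1
}

# Constructed sample outputs (not captured from a real host). The intermediate
# library is a placeholder name because the reply does not name it.
SAMPLE_WITH_LZMA='	libintermediate.so.0 => /lib/libintermediate.so.0 (0x0000000000000000)
	liblzma.so.5 => /lib/liblzma.so.5 (0x0000000000000000)
	libc.so.6 => /lib/libc.so.6 (0x0000000000000000)'
SAMPLE_WITHOUT_LZMA='	libc.so.6 => /lib/libc.so.6 (0x0000000000000000)'

# Stand-alone run: report on the live sshd if one is installed.
if out=$(sshd_ldd_output); then
  if links_liblzma "$out"; then
    echo "sshd links liblzma: the dependency path described above exists on this host"
  else
    echo "sshd does not link liblzma"
  fi
else
  echo "no sshd binary found in the checked locations"
fi
```

A positive result only means the dependency path exists, not that the installed liblzma is a compromised build; pairing it with the distribution's package version check is what tells you whether you need to act.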

@fr0gger

@dboehmer
As far as I understood it, this is correct. The sshd binary is patched by #xz in a way that if one authenticates with a dedicated key, then the payload is passed to a `system()` call, i.e., enabling an RCE.
@fr0gger

Edit: However, this seems to happen only under certain circumstances (e.g. Linux systems, Intel architecture, no debugging enabled).

@fr0gger This is really impressive. If it weren't so disastrous, I would applaud him.

@fr0gger When telling people that doing $potentially_insecure_thing is potentially insecure, I get that "OH, Isu, y'know, that sounds very farfetched, who'd ever go to such lengths just to interfere with my project? You're always overcomplicating things with your perfectionism!" look. In the future, I will send them this.

(Yes, I am aware of the fact that even a thousand such examples would not convince people. People need to get owned themselves and held responsible for it to induce change.)

@fr0gger Thanks. But PLEASE use a better font (this looks too much like Comic Sans and is not very legible).

@oneiros @fr0gger

Ya know what? I didn't have any trouble reading it and didn't even notice the font, really.

I think it's fine.

@fr0gger Have any delivered/executed pieces of RCE been captured yet?
@fr0gger That is excellent! Thank you!
@toor @fr0gger The attack is really clever and makes me wonder whether it was the first and only of this kind 🤔
@fr0gger is there any other known example of malicious code using this kind of mechanism?
@fr0gger I'm using OpenSUSE Tumbleweed and I've been doing updates all morning. Thanks for keeping us up-to-date!
@fr0gger After roughly understanding the whole picture of this shenanigan, I feel that it's mostly social engineering.
@fr0gger
Thanks for the overview. Would you be ok with a French translation of your poster (fully credited of course)?
@magnetic_tape yes, no problem
@fr0gger Do you have the source file maybe for a cleaner output? If not I'll edit the jpeg
@fr0gger I don't see any changes to the .gitignore files on the 16 feb. Are you referring to this commit (https://git.tukaani.org/?p=xz.git;a=commit;h=eb8ad59e9bab32a8d655796afd39597ea6dcc64d) on the 26 feb?
@fr0gger And now such a dumbass dude plays the "mentally unstable/psychic sick" person to avoid being arrested, prosecuted and jailed. Nice crap! 👍 😁

@fr0gger

Whoever is interested in browsing the repository after GitHub took it down, it can be found here:

https://web.archive.org/web/20240328130125/https://github.com/tukaani-project/xz

@fr0gger This is lovely. I'm sharing that internally.
@fr0gger Someone went full motherfucking cartoon supervillain on Linux, what the fuck?
@fr0gger excellent diagram, thank you!
@fr0gger Very nice graphics! Which tool did you use?

@fr0gger This is an outstanding visualization, it'd have made a great science fair poster!

(Seriously though, thank you.)

@larsmb Send me a picture if you do it 😍