An interesting thing about the XZ sabotage is that, while it was very cleverly obfuscated (congratulations to Andres Freund for finding it!), once found, it is very clear that it's a deliberate backdoor. It can't be explained away as an ordinary bug that introduced a vulnerability.

Says something about the tradeoff space the attacker was working in.

Another notable thing: the backdoor, as far as I've been able to glean, is "NOBUS" ("nobody but us"), requiring knowledge of not just the existence of the backdoor, but also a secret key, to exploit. NOBUS backdoors would be very hard to camouflage as innocent bugs, so that could explain why the attacker chose this risky approach.

But that raises the question of why they wanted a NOBUS backdoor. A state actor trying to limit collateral risks would likely care about this.

(continuing on my thread from last week on the XZ)

The XZ compromise is getting a lot of attention for two (entirely reasonable) reasons: It backdoors an obviously important service (ssh) and it's clearly a malicious, deliberate act of sabotage, unable to be explained away as an ordinary bug. The latter is likely, as I mentioned earlier, because the attacker wanted to introduce a NOBUS backdoor, which is harder to camouflage as a careless bug.

So that raises another question...

We have no real idea how common a threat malicious developers in open source or inside proprietary systems actually are.

State actors would likely prefer NOBUS backdoors, especially in systems they themselves use, but it seems reasonable to assume that in many cases they'd happily settle for subtle general vulnerabilities that they know about from day one. And those are easy to ignore, since ALL developers introduce bugs in their code.

How many are put there on someone's behalf?

@mattblaze Important question. Is it important enough to get a good estimate?

@mattblaze I wonder if the principle might be more general than just NOBUS attacks? The more something resembles a good-faith bug, the more likely it is to behave like a bug and return some unexpected result. Unexpected results make some random guy debugging a home system go "hmmmm". As we just witnessed.

Would it matter if the attacker(s) cared about burning the identity involved? Krebs mentioned that this case involved very good opsec. The identities were phantoms from the beginning.

@mattblaze does that rule out Russians, because they don't give a shit about collateral damage 😁. More likely NSA or maybe China, Israel? Who else has programs that are decent and cares about collateral damage?
@raven667 @mattblaze this is an RCE. No one wants anyone else getting at ‘their’ RCE.

@raven667 @mattblaze This person did a bit of detective work. "Jia Tan" wants us to think they're Chinese (the name, and they use time zone UTC+8 for their commits when they don't forget), but the pattern of when they were active suggests somebody in Eastern Europe working Monday-Friday 9am-6pm.

https://rheaeve.substack.com/p/xz-backdoor-times-damned-times-and

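An added example, not from this thread or the linked article, of the commit-time analysis the post describes. The timestamps are constructed, not real xz commits: they carry a +0800 offset as the author's claim, and the script checks which UTC offset makes the activity fit a Mon-Fri 9am-6pm workday.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of git author timestamps ("%Y-%m-%d %H:%M:%S %z").
# NOT real xz commits; the +0800 offset is the value the author chose to record.
SAMPLE_COMMITS = [
    "2023-06-26 15:05:00 +0800",
    "2023-06-26 18:30:00 +0800",
    "2023-06-27 16:10:00 +0800",
    "2023-06-27 22:45:00 +0800",
    "2023-06-28 19:00:00 +0800",
    "2023-06-28 23:20:00 +0800",
    "2023-06-29 17:40:00 +0800",
    "2023-06-30 20:15:00 +0800",
    "2023-06-30 21:50:00 +0800",
]


def parse(stamp):
    """Parse a git-style timestamp into a timezone-aware datetime."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S %z")


def claimed_offsets(commits):
    """Distinct UTC offsets (in hours) the author recorded on the commits."""
    return {parse(c).utcoffset().total_seconds() / 3600 for c in commits}


def workday_fit(commits, offset_hours, start=9, end=18):
    """Fraction of commits landing Mon-Fri between start and end local time
    when the UTC instants are viewed in a candidate UTC offset."""
    tz = timezone(timedelta(hours=offset_hours))
    hits = 0
    for c in commits:
        local = parse(c).astimezone(tz)
        if local.weekday() < 5 and start <= local.hour < end:
            hits += 1
    return hits / len(commits)


def best_offset(commits, candidates=range(-12, 15)):
    """Candidate offset whose local clock best matches a 9-18 weekday pattern."""
    return max(candidates, key=lambda h: workday_fit(commits, h))


if __name__ == "__main__":
    print("claimed offsets:", claimed_offsets(SAMPLE_COMMITS))
    for h in (8, 3, 2, 1, 0):
        print(f"UTC{h:+d}: {workday_fit(SAMPLE_COMMITS, h):.2f} of commits in workday")
    print("best fit offset:", best_offset(SAMPLE_COMMITS))
```

With a real history the input would come from `git log --format='%ad' --date=format:'%Y-%m-%d %H:%M:%S %z'`; the fit is only suggestive, since a determined actor can schedule commits to fake any pattern.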
@raven667 @mattblaze I wouldn't be surprised if it was China.
@mattblaze The part that I can’t get over is that the parts they were obviously optimizing for — the obfuscation and social engineering and even the extensible binary payload system — worked. The only reason this was caught was a performance bug: something that was likely a mistake or oversight rather than a calculated risk.
@mattblaze Even if you don't care about collateral harm, with something like a backdoor in ssh, it just seems too likely you'd otherwise accidentally make yourself vulnerable too, somewhere in your org.

@AndresFreundTec yes, that’s what I mean by collateral risk here. Easy to shoot yourselves in the foot with a general vulnerability.

Great work, by the way!

@mattblaze But would a state actor trying to limit collateral risks sabotage the sandboxing?
I still find that this code change looks odd compared to the rest.
@mattblaze I heard through the grapevine that this was no ordinary attack and was highly 'sophisticated' - no doubt
@mattblaze i look forward to reading more analysis and finding out what the real motivations and intent with xz attack were - it is still pretty new ioc and i don't think we know all the sordid details and real reason - it wasn't just some random depressed maintainer at work - at least that is what initial indications seem to suggest #dfir
@mattblaze I am not an infosec specialist so I'm unfamiliar with what's meant by "the trade-off space" in this context; could you elaborate on that?
@xahteiwi @mattblaze as I understand it, that they couldn’t work with sth more subtle, for whatever reason, likely some kind of tradeoff to satisfy other objectives.

@fl0_id @xahteiwi @mattblaze Also probably in how they had to choose between obfuscating versus looking like an oversight, like HeartBleed's underflow ( https://youtu.be/rE5dW3BTpn4?si=9ZE5-F1gLz7FcQr8 ).

In comparison versus, say pulling a Dual Elliptic Curve ( https://youtu.be/nybVFJVXbww?si=xWfpgg9In7GSWk5m ), where the potential for a backdoor was sort of presumed in the design by people reviewing the implementation.

@mattblaze The implication (which you know, of course) is that the identity used to implement the backdoor had low value beyond this hack. It was targeted, and it wasn't used for much else. I guess a secondary implication is that the actors believe they've covered their tracks, so it will be difficult to tie the accounts to any further actors.
@dan131riley Yes. Also, that the goal was rather specific, not merely "introduce a bunch of vulnerabilities".
@mattblaze "rather specific" is an understatement. This appears to be very, very specifically targeted. Blind luck seems improbable.

@mattblaze You're one of the first I've seen to analyze this in terms of the adversary's constraints. I am not a computer scientist, but in terms of constraints, resources, and targeting, this doesn't "feel" like a state actor.

So, this is highly targeted, and the social engineering tactics seemed personal. You're not getting that from a committee. And it was a long game, which would have meant supervisors coming and going, changes in priority, etc in government.

@UncivilServant I disagree that that’s inconsistent with a state actor. Personalized, long game infiltration is how spies and HUMINT have always worked.

@mattblaze Ah, is that part of why intelligence types complain that the rest of the government keeps giving them side-eye?

Because yeah, that sort of unprofessional obsession...huh, Le Carré really wasn't exaggerating if that's how they act.

@UncivilServant @mattblaze Your assumptions reflect a politician. Intelligence agencies are very insulated/deliberate and so a state-sponsored spy is a very different animal.