Last year, JC Herz and his team at cybersecurity firm Exiger discovered vulnerabilities in open source software for federal systems that interact with a trove of sensitive government data. They immediately alerted system owners and defense officials connected to the intelligence community and the Department of Defense.
The vulnerability was not in the system's code: the maintainer who was submitting commits to the system was, quite literally, a single Russian government employee.
“If this had been compromised, it would have been front page news everywhere,” said Herz, SVP of Exiger's cyber supply chain group. Her experience highlighted the danger of accidentally letting the wrong person into a sensitive open source system. Why introduce code that circumvents a network's security protocols and risks getting caught when you can play the long game and eventually gain access to everything inside?
Another chapter in the same story, this time featuring tools used far beyond a single government agency.
The deeply embedded Linux vulnerability that alarmed the open source community last week was secretly planned for years, and the organization behind the operation has strong ties to nation-state hackers, said Herz and other analysts.
Malicious attackers inserted a flaw in XZ Utils, a widely used Linux file compression and transfer utility, in mid-to-late February. It included a self-installation script to embed malicious code into production versions of Ubuntu, a Linux distribution used by major companies such as Instacart, Slack, and Robinhood.
Open source code is ubiquitous in commercial systems. Synopsys' 2024 Open Source Security and Risk Analysis Report found that more than 96% of over 1,000 commercial codebases examined contain open source components, and 84% of those contain at least one known vulnerability.
Because the tool is open source, it relies on contributions from community members to keep it up to date with patches. Updates are frequently discussed on forums attended by volunteer software maintainers, who chat with each other about proposed changes.
A user known as “Jia Tan”, who had been contributing to the open source community for years, filed a bug report on March 28 requesting that the version of the software containing the malicious code be adopted, justifying it as a fix for a problem in Debian, another Linux distribution that provides an operating system free for the community to use. The issue was discovered last week by Microsoft engineer Andres Freund, and the rest of the Linux community quickly sounded the alarm.
“This requires the kind of investment you typically only see from nation-state actors,” said Silas Cutler, an espionage malware analyst and senior director of cyber threat research at the Institute for Security and Technology. “They had an incredibly good technical understanding of the [XZ] library.”
The long game
If the backdoor had been allowed to spread, the open source Linux ecosystem could have been primed for exploitation. The targeted mechanism was a Secure Shell (SSH) tool that compresses and scrambles data sent over the connection. The exploited vulnerability could allow a malicious attacker to bypass the authentication protocols used by the SSH process, potentially gaining access to the entire system.
The entity held a “skeleton key to the world” and would have been able to “traverse vast amounts of the internet without any barriers in front of it,” Cutler said.
Jia Tan, who also goes by the username “JiaT75,” has been contributing to the XZ developer community since at least 2022, according to Bitdefender analysis. The account was created in 2021 and spent several years building trust with other contributors.
Around March 9, the user added code with a hidden backdoor. When triggered, it interferes with the tool and allows access to systems running XZ Utils without authentication. Martin Zugec, director of technical solutions at Bitdefender, said the move appears to have been a “well-planned, multi-year attack” and may have been assisted by hackers with ties to nation-state groups.
It is very likely that Jia Tan was not a single entity acting alone, Herz said.
“This is an identity created with the purpose of taking action, and our data suggests that there were also decoy actors created around the same time to corroborate or support this attack,” she said.
Eyes on the target
Chris Stangl, a former FBI cyber division agent who helped investigate the Log4J vulnerability that emerged in late 2021, said it's very likely law enforcement is investigating the incident.
“I can assure you that CISA and the FBI are looking into this matter to ensure this never happens again, and are asking what guidance will be disseminated and what the motives of those involved are,” said Stangl, who is now a managing director at consulting company BRG.
Ami Luttwak, chief technology officer of cloud security company Wiz, said it is possible that investigators analyzing the update code deployed by Jia Tan and related users could find links to other nation-state hacking groups.
Jia Tan carefully uploaded code updates during the account's tenure as a fake contributor. Some were uploaded during business hours in China, while the timing of others points to Europe. Ultimately, it may not be possible to determine their exact origin in the near future, Luttwak added.
“The only thing we know is that the email that was used exists,” he said. “And that's part of the challenge with open source. You don't really know who's behind it.”
“We are deeply focused on open source security issues in general and are working with our partners to better understand the issues with XZ Utils,” Eric Goldstein, CISA's Executive Assistant Director for Cybersecurity, told Nextgov/FCW on the sidelines of Thursday's International Association of Privacy Professionals conference. An agency spokesperson referred Nextgov/FCW to the agency's earlier warning regarding this incident.
The NSA and the Office of the Director of National Intelligence declined to comment. An FBI spokesperson also declined to comment, saying “we cannot confirm or deny the existence” of an investigation.
Cracks in open source
The incident will likely galvanize conversations on Capitol Hill and in the intelligence community about the risks and tradeoffs of freely accessible software.
The Linux incident in particular presents a double-edged sword in the open source security debate. A fraudulent user introduced a malicious version of the tool and attempted to get it widely deployed, but genuine contributors were able to stamp it out before things got too serious.
Stangl said this was a win for the open source community, but that lawmakers may consider how to further engage companies and developers to better manage the product development lifecycle and the code used in sensitive systems.
“This should be a wake-up call to software developers and open source about how they vet contributors,” he said. “What are they doing up front to ensure safety? What are their code reviews like?”
But some are concerned that the incident may cast open source in a bad light. “I'm concerned that this is an opportunity for people to impose regulations that aren't necessarily in the best interest of open source,” Cutler said.