Linux Backdoor Was A Long Con, Probably By Nation-State Hacker


The planting of a deeply embedded backdoor in a core Linux component, which set off alarms across the open-source community this past week, was covertly prepared over a period of years, and the actor behind the operation has strong ties to nation-state hackers, cybersecurity analysts say. Via Federal Tech Today:

A malicious actor planted the flaw in XZ Utils, a widely used Linux file compression and transfer capability, sometime around mid-to-late February. It contained a self-installation script that would have enabled the malign code to plant itself into production versions of Ubuntu, a Linux distribution used by major companies like Instacart, Slack and Robinhood.

[…] Because the tool is open-source, it relies on contributions from community members who keep it up to date with patches and other contributions. The updates are often discussed on forums with volunteer software maintainers, who chat with one another about proposed changes.

A user known as “Jia Tan” — who had been contributing to that open-source community for years — reported a bug on March 28 requesting that the version of the software be updated with the malign code tucked inside, arguing that it would fix issues in Debian, another Linux distribution whose community provides a free-to-use operating system. It was caught by Microsoft engineer Andres Freund last week, and other Linux communities soon sounded the alarm.

Experts say it was the kind of long-term investment typically seen only from nation-state actors. If the code hadn’t been caught by the open-source community, hackers would have had “a skeleton key to the world.” Eek.
