Malicious XZ Attack Planned for Years
The malicious code recently discovered in versions 5.6.0 and 5.6.1 of XZ Utils “appears to be the product of a carefully crafted supply chain attack that took several years to set up,” reports Lindsey O’Donnell-Welch.
“xz is a general purpose data compression format present in nearly every Linux distribution, both community projects and commercial product distributions, according to the Red Hat security alert issued March 29.
The code (CVE-2024-3094), found by Microsoft software engineer Andres Freund, could allow attackers to break sshd authentication and gain unauthorized access to impacted systems.
“It's hard to overstate the complexity of the social engineering and the inner workings of the backdoor,” notes Dan Goodin. But this graphic from Thomas Roccia helps visualize the extent of the efforts.
Read more at Duo Decipher and Ars Technica.
Related content
- Attackers Use PRoot to Expand Scope of Linux Attacks
-
Cyber security for the weakest link
The balance between IT threats and IT security is woefully unbalanced in a Windows environment, requiring the enforcement of company-wide security standards. -
Countering embedded malware attacks
With the resurgence of sophisticated macro virus attacks, new countermeasures are in order. We offer a few recommendations. - New Techniques Predict Malicious Domain Names
-
Distributed denial of service attacks from and against the cloud
In some particularly sophisticated DDoS attacks, the attackers rely on and target the cloud, allowing attackers to work around conventional defense mechanisms. We explain how a DDoS attack in the cloud works, and how you can defend against it.