The thwarted XZ Utils supply chain attack was years in the making. Now, clues suggest nation-state hackers were behind the persona that inserted the malicious code.
On March 29, right before Easter weekend, we received notifications about something unusual happening with the open-source project XZ Utils, which provides lossless data compression on virtually all Unix-like operating systems, including Linux.
The initial warning was sent to the Open Source Security mailing list sent by Andres Freund, who discovered that XZ Utils versions 5.6.0 and 5.6.1 are impacted by a backdoor. A few hours later, the US government’s CISA and OpenSSF warned about a critical problem: an installed XZ backdoored version could lead to unauthorized remote access.
A threat activity cluster tracked as Earth Freybug has been observed using a new malware called UNAPIMON to fly under the radar.
"Earth Freybug is a cyberthreat group that has been active since at least 2012 that focuses on espionage and financially motivated activities," Trend Micro security researcher Christopher So said in a report published today.
Google has fixed two Google Pixel zero-days exploited by forensic firms to unlock phones without a PIN and gain access to the data stored within them.
Let’s Encrypt is proud to introduce Sunlight, a new implementation of a Certificate Transparency log that we built from the ground up with modern Web PKI opportunities and constraints in mind. In partnership with Filippo Valsorda, who led the design and implementation, we incorporated feedback from the broader transparency logging community, including the Chrome and TrustFabric teams at Google, the Sigsum project, and other CT log and monitor operators. Their insights have been instrumental in shaping the project’s direction.
tl;dr – Apache Software Foundation, Blender Foundation, OpenSSL Software Foundation, PHP Foundation, Python Software Foundation, Rust Foundation, and Eclipse Foundation are jointly announcing…
Andres Freund published the existence of the xz attack on 2024-03-29 to the public oss-security@openwall mailing list. The day before, he alerted Debian security and the (private) distros@openwall list. In his mail, he says that he dug into this after “observing a few odd symptoms around liblzma (part of the xz package) on Debian sid installations over the last weeks (logins with ssh taking a lot of CPU, valgrind errors).”
At a high level, the attack is split in two pieces: a shell script and an object file. There is an injection of shell code during configure, which injects the shell code into make. The shell code during make adds the object file to the build. This post examines the shell script. (See also my timeline post.)
notes, honeypot, and exploit demo for the xz backdoor (CVE-2024-3094) - amlweems/xzbot
A secret program called "Project Ghostbusters" saw Facebook devise a way to intercept and decrypt the encrypted network traffic of Snapchat users to study their behavior.
Malicious updates made to a ubiquitous tool were a few weeks away from going mainstream.
The Putin regime conducts large-scale propaganda not only through its state media but also through “useful idiots,” who focus on demonizing the US, EU, and NATO and have right- or left-wing views. New “multilingual international media” have emerged that write in a way that suits the Kremlin and spread pro-Russian narratives and disinformation, replacing Russia Today and Sputnik, which have received a ban in Europe.
Jamf Threat Labs dissects ongoing infostealer attacks targeting macOS users. Each with different means of compromising victim’s Macs but with similar aims: to steal sensitive user data.
In 2023, threat actors continued to exploit a variety of vulnerabilities — both newly discovered weaknesses and unresolved issues — to carry out sophisticated attacks on global organizations. The number of documented software vulnerabilities continued to rise, and threat actors were quick to capitalize on new vulnerabilities and leverage recent releases of publicly available vulnerability research and exploit code to target entities. However, while there was a high number of vulnerabilities released in the reporting period, only a handful actually were weaponized in attacks. The ones of most interest are those that threat actors use for exploitation. In this report, we’ll analyze the numbers and types of vulnerabilities in 2023 with a view to understanding attack trends and how organizations can better defend themselves.
This year, we’ve partnered with Sucuri. With both of our data combined, we can cover the entire timeline of security incidents from the vulnerability being found to the point where malware infection gets detected on a vulnerable website.
2023 was another record year of new vulnerabilities being discovered and fixed in the WordPress ecosystem. In 2023, we added 5,948 new vulnerabilities to the Patchstack vulnerability database. That’s 24% more than in 2022.
Claro Company, the largest telecom operator in Central and South America, disclosed being hit by ransomware. Representatives shared this information in response to the service disruptions in several regions. From the ransom note it becomes clear that the attackers are Trigona ransomware.
CVE-2024-3094 is the new hot one and it’s extremely critical; however, impact should be limited as most normal linux distros are unaffected. Here’s some stuff to know:
esterday Andres Freund emailed oss-security@ informing the community of the discovery of a backdoor in xz/liblzma, which affected OpenSSH server (huge respect for noticing and investigating this). Andres' email is an amazing summary of the whole drama, so I'll skip that. While admittedly most juicy and interesting part is the obfuscated binary with the backdoor, the part that caught my attention – and what this blogpost is about – is the initial part in bash and the simple-but-clever obfuscation methods used there. Note that this isn't a full description of what the bash stages do, but rather a write down of how each stage is obfuscated and extracted.
Disappearance of sensitive files of top law enforcement officials has sparked a crisis at Europol.
