Tinker ☀️

Put yourself in Jia Tan's shoes, the malicious contributor to the xz backdoor...

It's been, what, two... three?... years since you started this campaign. You've had the entire support of your team and of your chain of command.

Your coders created a complex and sublime backdoor. A secure! backdoor that only you and your team could connect to. Heck it can even be deleted remotely. This is clean code. A responsible hack that doesn't open up the backdoor for others to hijack.

You spend years on your long con - your social engineering skills are at the top of the game. You've ingratiated yourself painstakingly into multiple teams. Finally it all pays off and you're ready to go!

You succeed multiple times in getting your backdoor inserted in all the major Linux distributions!!! Now it's just a matter of weeks before it makes it to production and stable releases!

This is the culmination of years of labor and planning and of a massive team and budget.

You did good.

This will get you promoted. Esteemed by your colleagues and leadership alike. Your spouse and kids will understand why you haven't been at home lately and why you've spent all those late nights at the office.

It's finally going to pay off.

But what's this?! Some rando poking around in their box running a pre-release unstable version of Linux has found everything?!?! It's all being ripped down?! And on a Friday before a western holiday weekend?!?!

Fuck. Fuck. FUCK!!!

Three years for nothing!!! My wife is going to leave me! I missed my kid's recital for this!!! They'll hate me because I told them it was worth it. Daddy will be able to play with you again once Daddy finishes this last bit of work. But it was all for nothing!!!

Leadership took a big risk on me and my team but I kept assuring them it would pay off!

It would be one thing if another nation state found it and stopped it. But one random dude poking his nose where it shouldn't belong?! Ohhh fuck, I'm going to be fired. We're going to lose our budget. My team is going to be fired. I've let down everyone that ever believed in me and supported me and relied on me!

Oh fuck!!!

#xz #backdoor #xzBackDoor #cve #cve20243094 #infosec #hacking #FOSS

41 comments
Fabien Cazenave

@tinker I’m pretty sure the same team has other similar malicious codes in the works. This was a day-time job but not a full-time job, so there must be other attempts in other projects… still in progress.

Tinker ☀️

@fabi1cazenave - There's hope yet! Jia can still be redeemed!!!

Miah Johnson

@fabi1cazenave @tinker Maybe this is the one is the one they didn't mind being found, that would distract our attention from finding the others.

Hubert Figuière

@fabi1cazenave @tinker I was thinking the same thing. This is some sort of gambit with too many variables. If they spend that much effort, they can't possibly not have a contingency.

So which project did change maintainer recently?

yianiris

While reading and learning about this, a testimony by actor1 about actor2 was revealed: when asked for contact since day0 (3/29), he responded that he didn't expect to have any during the Easter holiday.

Observed ONLY in western Christian (Catholic/Protestant) dominant countries, not in much of eastern Europe, China, India, Arabic, ..

Racist westerners have indirectly made it a reliability/ethnicity issue.

The question I have is whether we can distinguish between the two authors of xz

@tinker

Beanface42

@tinker And a dude working for Microsoft, no less 😆

Sun Cloud

@tinker I’m sorry for your loss.

(Where is that sarcastic font when I need it)

Rob O :verified:

@tinker I've been thinking about how much time and effort went into selecting XZ as a target. It probably wouldn't be that hard to create a tool which searched the most commonly used open source projects and sorted them by the number of active maintainers.

Tinker ☀️

@nerdpr0f - Take that idea and flip it! Use it to see what are the first projects that need to be reviewed from a Threat Hunting perspective!

Seriously! Its a great approach you've created!

Specifically identify projects that would be High Value Targets to a malicious actor and then go through the code with the ASSUMPTION THAT THEY HAVE ALREADY BEEN COMPROMISED.

See how many other backdoors and vulns we can find.

#infosec #FOSS #backdoor #xz #xzBackdoor
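The ranking idea from the two posts above, as an added example that is not code from anyone in this thread: it takes constructed `git log`-style tuples for three made-up repositories, counts distinct active committers per repo over a trailing window, flags repos whose most active committer changed between the periods (the pattern a maintainer takeover would leave), and sorts so that the thinnest, most recently handed-over projects come out on top of the review list.

```python
from collections import Counter, defaultdict
from datetime import date, timedelta

# Constructed sample standing in for `git log --format='%an %as'` output
# across several hypothetical repositories (names and authors are made up).
SAMPLE_COMMITS = [
    ("compress-lib", "Old Maintainer", date(2022, 2, 1)),
    ("compress-lib", "Old Maintainer", date(2022, 6, 1)),
    ("compress-lib", "Old Maintainer", date(2022, 11, 1)),
    ("compress-lib", "New Contributor", date(2023, 3, 1)),
    ("compress-lib", "New Contributor", date(2023, 7, 1)),
    ("compress-lib", "New Contributor", date(2023, 12, 1)),
    ("big-framework", "Dev A", date(2022, 5, 1)),
    ("big-framework", "Dev A", date(2023, 1, 15)),
    ("big-framework", "Dev B", date(2023, 2, 15)),
    ("big-framework", "Dev C", date(2023, 3, 15)),
    ("big-framework", "Dev A", date(2023, 9, 15)),
    ("big-framework", "Dev D", date(2023, 10, 15)),
    ("tiny-util", "Solo Dev", date(2022, 4, 1)),
    ("tiny-util", "Solo Dev", date(2023, 8, 1)),
]

def split_by_window(commits, as_of, window_days):
    """Return {repo: (authors_before, authors_in_window)} as commit Counters."""
    cutoff = as_of - timedelta(days=window_days)
    before, recent = defaultdict(Counter), defaultdict(Counter)
    for repo, author, day in commits:
        (recent if day >= cutoff else before)[repo][author] += 1
    return {r: (before[r], recent[r]) for r in set(before) | set(recent)}

def triage(commits, as_of, window_days=365):
    """Rank repos: fewest active maintainers first, handovers first within ties.
    A handover means the most active committer inside the window differs from
    the most active committer before it."""
    rows = []
    for repo, (before, recent) in split_by_window(commits, as_of, window_days).items():
        top_before = before.most_common(1)[0][0] if before else None
        top_recent = recent.most_common(1)[0][0] if recent else None
        handover = bool(before and recent and top_before != top_recent)
        rows.append({"repo": repo, "active_maintainers": len(recent), "handover": handover})
    return sorted(rows, key=lambda r: (r["active_maintainers"], not r["handover"], r["repo"]))

def demo_triage():
    """Run the ranking over the constructed sample as of 2024-01-01."""
    return triage(SAMPLE_COMMITS, date(2024, 1, 1))

if __name__ == "__main__":
    for row in demo_triage():
        print(row)
```

Real data is far noisier than this sample (bots, vendored trees, mirror repos), so the output is a starting list for review, not a verdict.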

Rob O :verified:

@tychotithonus @tinker So, this isn't the space I normally play in (being a Windows guy, for the most part). I just had a chat with @jrwr, and this data is *massively* noisy. The open source ecosystem gets real weird, real quick.

Royce Williams

@nerdpr0f

Indeed. Like any model, whatever we build may not be fully accurate ... but should hopefully be useful. :D

@tinker @jrwr

DELETED

@tinker @nerdpr0f Turning the approach on its head for threat hunting is brilliant! By identifying high-value targets and reviewing their code under the assumption they've already been compromised, we prioritize security from the get-go. This method not only sharpens our focus on potential vulnerabilities but also prepares us to counter sophisticated cyber threats. It’s a proactive defense strategy, ensuring we're always a step ahead of malicious actors. #CyberSecurity #ThreatHunting

😀🚲

@nerdpr0f @tinker how many libraries are situated where an exploit could be involved in the early phases of auth code?

Rob O :verified:

@enobacon @tinker Probably not a ton, but there's a bunch of other ways one could design the trigger.

Farce Majeure

@nerdpr0f @tinker Adding maintainers got us here. It's probably more useful to sort them by how many functions with the ifunc attribute they have ;)

Tinker ☀️

@FritzAdalis - You joke, but the Free and Open Source Software maintainer of xz was experiencing heavy burnout without any support. No team, no money, no time off.

That created a vulnerability that Jia Tan (et al) exploited and allowed Jia to take over the project.

And this is not uncommon. Corporations exploit and take FOSS and use it to make money without paying back into it.

Classic capitalistic extraction without regard to hidden costs.

So. Yeah. You can blame capitalism for this, lol! 😂

Fritz Adalis

@tinker
Well, only half joking. Even if we take your post about poor Jia at face value, it certainly looks like exploitation.

Jonas

@tinker
Twist: Jia Tan was an identity shared among a team and they all went to their kids' recitals

yianiris

But both "it" and the prime-maintainer entity had agreed not to work on this during "western Christian" Easter, not Russian, Georgian, Armenian, Greek, Syrian, Ethiopian, Egyptian Easter, but Catholic/Protestant Easter.

Otherwise people assume they were individuals from GMT +3 or +8 geographies

And also that the two are a separate entity!

@magnetic_tape @tinker

Patrick Howell O'Neill

@tinker you’re right, we should let him have a little back door as a treat

Adam Barnett

@tinker Someone, somewhere, is indeed feeling that defeat has been snatched from the jaws of victory... orrrr maybe they're thinking "well, there goes that one. hope the other 7 I have don't get burnt so easily".

PS I wasn't prepared for this:

> Daddy will be able to play with you again once Daddy finishes this last bit of work.

Oof.

Lindworm

@tinker Not an ounce of sympathy. Even if those consequences were true, that would not be enough of a penalty.

Tor Lillqvist

@tinker Or then, “everything is going as planned, they found the one we intentionally made easy to notice thanks to side effects, not the others”.

Estarriol, Cat owned Dragon

@tml @tinker now turn that on its head, all the easy to spot ones have been missed, but the payload one was spotted by accident by a rube just poking around.....

Philip Mallegol-Hansen

@tinker Depending on who you're working for “fired" might be a euphemism for much worse things that are about to happen to you.

David Fetter

@tinker chances are excellent that this team, and it looks an awful lot like a team, was not put together to attack a single target. That's not how teams are actually put together. Heck, even an individual is seldom so singular in focus that they wouldn't have other projects going and, extremely likely, successful projects already done.

Tinker ☀️

@davidfetter - APTs gotta multitask like the rest of us. Fully agree.

David Fetter

@tinker let's say they work an awful lot like the rest of us. They could easily be bad at multitasking, just as a lot of the rest of us are.

mkb

@tinker Surely most people managing or implementing offensive ops know that operations don’t always succeed.

Then again, there are an awful lot of basic realities of more ordinary tech work that people frequently miss so maybe I need to retract my assertion.

The Nexus of Privacy

@tinker "And I would have gotten away with it too if it weren't for you meddling open source developers!"

youtube.com/watch?v=JV3tUPlYn9

Farce Majeure

@tinker I think their employer knows that all of these things eventually get burned, and they treat that actuarially. I think Jia has already gotten some bonuses and their performance reviews still look really good, even though they missed out on one performance bonus and some other results-based incentives.

Joe

@tinker A commenter going by mustached-dog on @arstechnica 's forum pointed out that Jia Tan could possibly be 加蛋 , which Google Translate translates to "add eggs" (suggesting the behavior of a cuckoo, perhaps, which lays its eggs in other birds' nests). As my Mandarin is limited to "hello" and "thank you" I don't know how likely this is to be intentional.

Powersource

@shellheim @tinker@infosec.exchange @nonfedimemes lmao shoutout to all the autists
