XZ Utils: A Fable on Proactive Risk Management

Uploaded on 2024-05-15 in TECHNOLOGY--Resilience, NEWS-Cybersecurity News, FREE TO VIEW

The recent disclosure from the OpenSSF and OpenJS Foundation has spotted a trend of social engineering attacks aimed at under-maintained open-source projects in the wake of the attempted XZ Utils backdooring. Indeed, the XZ Utils exploit may not be the isolated software supply chain attack we hoped it was.

This second potential attack is still being investigated, but OpenSSF and OpenJS identified a worryingly similar pattern of multiple sock puppet accounts operating on another project.

Open source is an attractive target for all manner of malicious actors - nation-state backed and otherwise, but they are not inevitable. Open source consumers should be aware of this reality, and must be alert to react to any new discoveries of possible social engineering takeovers. Companies must keep a close eye on the software components they’re using and ensure they have the capability to patch any issues quickly if needed. By giving their development teams proper support, companies can help protect their digital assets from future social engineering attacks like XZ Utils. 

The Nature Of XZ

XZ Utils is a widely used component in Linux distributions and was in the process of being adopted by Fedora and Debian. Comparable to other Linux utilities like bzip or gzip, the XZ utility is used for lossless data compression across Unix-like operating systems. Its role as a common utility made it a prime target for attack. While the identity of the threat actor “Jia Tan” is unknown and suspected of being a nation-state sock puppet, it’s sobering how close they were to succeeding. If that had been the case, XZ would have dwarfed Log4j or the SolarWinds backdoor of 2021 to become one of the most devastating software supply chain attacks.

“Jia Tan” started as a seemingly innocent maintainer on the XZ project in 2021. They approached the original maintainer following a social pressure campaign that involved multiple fake sock puppet email accounts to generate outrage and pressure. Their goal was to make out that the sole maintainer of this project wasn’t acting on fixes fast enough.

By applying pressure on the maintainer, bad actors manufactured the opportunity to appear as a saviour and create a trusting relationship.

Initially, “Jia” gained the maintainer’s trust by contributing genuinely useful patches. Once a degree of trust had been established, “Jia” began to suggest and add new features. Over the next two years, the bad actor added parser code and malware in plain sight to versions 5.6.0 and 5.6.1. With the intent of creating a backdoor master key containing code to execute an encrypted message across Linux systems and bypass the entire SSH authentication process. They also began advocating for the XZ project to be adopted by major Linux distributions as a default package.

Fortunately, the attempt was uncovered before significant damage could be done.. The industry must acknowledge the presence of a highly sophisticated, well-resourced group of bad actors operating over extended durations.

Advanced Persistent Threat actors are traditionally associated with nation-state hacking operations against corporations, but now there is clear evidence that this activity extends to all parts of our digital infrastructure, including open-source projects.

Whenever these attempts are made, there are often copycats on other projects. For example, within the weeks following PyPI, there was a 7000% increase in dependency confusion copycats published to the npm registry. Similarly, with the XZ campaign, evidence has already surfaced of similar attempts against other projects. Since the genie is now out of the lamp there is no question that this type of operation will be seen again.

It’s fair to say that the open-source community is built on trust. This attack calls into question that very core notion - and actively subverts it. To prevent a similar situation from happening again, the industry is now preparing to look at suspicious activity and behaviours that have taken place over the past few years.

These bad actors put a lot of work into improving the efficiency of the XZ compression algorithm before trying to execute the attack. The evidence points to a well-resourced attacker or adversary backed by a state, having the capability to engage for several years and patiently working with the original maintainer while striking in secret.

You Can’t Fight A Smokeless Fire 

Using fewer, higher-quality projects will reduce your vulnerable attack surface while employing a Software Bill of Materials (SBOM) for containers and virtual machines will give you an understanding of the software you depend on. SBOMs allow organisations to implement effective quality control measures and monitor for any bad packages that need to be resolved. Establishing supplier standards for your software and reinforcing the open-source ecosystem's support system are necessary steps to take for your security. 

While the community strengthens defences upstream, the downstream must also be ready when incidents are uncovered and act swiftly by patching affected systems.

Being proactive is not a tax, it's a collective responsibility to safeguard the integrity of the software supply chain. Science suggests building the capability to be able to proactively manage patches in this way also makes development teams more productive as a result. 

The recent attack on the XZ compression tool shows how important it is for companies to manage risks in their open-source software. Organisations must keep a close eye on their components, build the capability to patch any issues quickly, and help support single maintainer projects which are more susceptible to targeting. Prioritising projects with strong maintainer structures is important but implementing robust monitoring systems is a must. This proactivity rather than reactivity will help protect digital infrastructure from any future attacks.

Another important element of this attack is that it was because the XZ project is open source is precisely why the intrusion was ultimately discovered. A developer noticing the performance hit of the package uncovered the problem and exposed it to the world, who took up fixing the issue. This is precisely why using open source continues to be the best path for organisations to leverage the best innovation out there. If the project had been closed it could have remained hidden indefinitely.

As the threat attack landscape evolves, the responsibility lies with the entire open source community and the community using it to be on alert. For consumers, the attempted breach of the XZ Utils serves as a sobering reminder of the critical importance of robust risk management practices and ongoing support for project maintainers.

By collectively fortifying defences and prioritising the integrity of the software supply chain, we can mitigate the risks posed by future attacks and contribute to continued, safe, trustworthy open-source innovation. 

Ilkka Turunen is Field CTO at Sonatype

Image: Oleksandr Hruts

You Might Also Read: 

What’s The Problem With Open-Source Software & Cybersecurity?:

DIRECTORY OF SUPPLIERS - Open Source Security:

___________________________________________________________________________________________

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Overcome PDF Conversion Challenges: A Step-by-Step Guide
Christie's Auctions Knocked Offline »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Infosecurity Europe, 3-5 June 2025, ExCel London

Infosecurity Europe, 3-5 June 2025, ExCel London

This year, Infosecurity Europe marks 30 years of bringing the global cybersecurity community together to further our joint mission of Building a Safer Cyber World.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Mielabelo

Mielabelo

Belgian consulting firm providing services in the security and compliance of information systems and IT service management.

CROW - University of Waikato

CROW - University of Waikato

CROW is the first cyber security lab established in a New Zealand educational institution at the University of Waikato.

Council of Europe - Cybercrime Programme Office (C-PROC)

Council of Europe - Cybercrime Programme Office (C-PROC)

The Cybercrime Programme Office of the Council of Europe is responsible for assisting countries worldwide in strengthening their legal systems capacity to respond to cybercrime

Uniscon

Uniscon

Uniscon is a leading provider of cloud security solutions in Europe.

Conscia

Conscia

Conscia provides IT infrastructure solutions and 24/7 services in network, data center, security and mobility.

Mitchell Sandham

Mitchell Sandham

Mitchell Sandham is an, independent insurance and financial services brokerage. Business products include Cyber/Privacy Liability insurance.

Cymulate

Cymulate

Cymulate is a SaaS-based breach and attack simulation platform that makes it simple to know and optimize your security posture any time, all the time.

File Centre

File Centre

File Centre is a leading specialist when it comes to data backup, we offer our clients a premium backup retrieval and delivery solution.

Bechtel

Bechtel

Bechtel’s Industrial Control Systems Cyber Security Laboratory focuses on protecting large-scale industrial and infrastructure systems that support critical infrastructure.

Cryptshare

Cryptshare

Cryptshare is a communication solution that enables you to share e-mails and files of any size securely.

eSec Forte Technologies

eSec Forte Technologies

eSec Forte Technologies is a CMMi Level 3 certified Global Consulting and IT Security Services company.

NXTsoft

NXTsoft

NXTsoft’s solutions help businesses secure, connect and optimize their data to maximize revenue opportunities, enhance profitability, and mitigate cybersecurity risk.

Shield Capital

Shield Capital

Shield Capital helps founders build frontier solutions in cybersecurity, artificial intelligence, space & autonomy for commercial and government enterprises.

Luta Security

Luta Security

Luta Security implements a holistic approach to advance the security maturity of governments and organizations around the world.

Valeo Networks

Valeo Networks

Valeo Networks is a full-service Managed Security Service Provider (MSSP). We partner with organizations to remove the burden of technology so that they can focus on growing their business.

CNNECT

CNNECT

CNNECT are specialists in cloud, collaboration and cybersecurity, constantly evolving the way in which we understand, advise and deploy these technologies