An incredibly technically complex #backdoor in xz (potentially also in libarchive and elsewhere) was just discovered. This backdoor has been quietly implemented over years, with the assistance of a wide array of subtly interconnected accounts:
#Privacy is in global danger by the oppression of the World's Elite having a pact with ruling politicians. This is the BIGGEST global threat yet to our freedom and free speech. Don't let yourself down.
We don't need to be China to be safe. They know it, just don't admit it.
The Mystery of ‘Jia Tan,’ the XZ #Backdoor Mastermind - https://www.wired.com/story/jia-tan-xz-backdoor/ "The thwarted XZ Utils supply chain attack was years in the making. Now, clues suggest nation-state hackers were behind the persona that inserted the malicious code." another reason for governments to support #opensource properly
Hey it's totally cool that #Microsoft#GitHub blocked access to one of the repositories in the very center of the #xz backdoor saga. :blobeyes:
It's not like a bunch of people are scrambling to try and make sense of all this right now, or that specific commits got linked to directly from media and blogposts and the like. :blobcatcoffee:
the only input i have on the #xz#backdoor discussion is that folks who had turned on auto updates were way more likely to have had the backdoor installed without them knowing about it, versus folks that manually do their upgrading.
not that those folks would have known either, but im estimating that the cadence of auto updates is more often than when folks do it by hand, and the attackers were relying on that to be the case so they could slip in on the shady shady.
Holy shit did we dodge a bullet. When I upgraded our mastodon server last December I originally ordered a Gigabyte motherboard as part of the upgrade, ended up sending it back as defective.
Turns out it was much, much more defective than I knew.
Does the #xz#backdoor issue affect users with the sshd service disabled? It's hard to know that by reading those super detailed posts. Basically, under what circumstances is it an issue?
📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #35/2023 is out! It includes the following and much more:
➝ 🔓 🏌🏻♂️Golf gear giant #Callaway data breach exposes info of 1.1 million
➝ 🔓👕 Forever 21 data breach affects half a million people
➝ 🔓 🤦🏻♂️ #LogicMonitor customers hit by hackers, because of default passwords
➝ 🇺🇸 ⚖️ Lawsuit Accuses University of Minnesota of Not Doing Enough to Prevent #DataBreach
➝ 🎬 🔓 #Paramount discloses data breach following security incident
➝ 🏥 🔓 #Healthcare Organizations Hit by Cyberattacks Last Year Reported Big Impact, Costs
➝ 🇺🇸 🌎 #Microsoft joins a growing chorus of organizations criticizing a #UN cybercrime treaty
➝ 🇺🇸 🦠 U.S. Hacks #QakBot, Quietly Removes Botnet Infections
➝ 🇷🇺 🇺🇦 #Russia targets #Ukraine with new Android #backdoor, intel agencies say
➝ 🇷🇺 🕵🏻♂️ Unmasking #Trickbot, One of the World’s Top Cybercrime Gangs
➝ 🇨🇳 👀 ‘Earth Estries’ #Cyberespionage Group Targets Government, Tech Sectors
➝ 🇨🇳 Chinese Hacking Group Exploits Barracuda Zero-Day to Target Government, Military, and Telecom
➝ 💸 🇪🇺 Pay our ransom instead of a #GDPR fine, #cybercrime gang tells its targets
➝ 🇺🇸 🇨🇳 #Meta: Pro-Chinese influence operation was the largest in history
➝ 🇪🇸 📸 Spain warns of #LockBit Locker ransomware phishing attacks
➝ 🇵🇱 🚂 Two Men Arrested Following #Poland Railway Hacking
➝ 🇰🇵 🐍 #Lazarus hackers deploy fake #VMware PyPI packages in #VMConnect attacks
➝ 💸 #Classiscam fraud-as-a-service expands, now targets banks and 251 brands
➝ 💬 🎠 Trojanized #Signal and #Telegram apps on Google Play delivered spyware
➝ 🦠 📄 MalDoc in PDFs: Hiding malicious Word docs in PDF files
➝ 🇧🇷 👀 A Brazilian phone #spyware was hacked and victims’ devices ‘deleted’ from server
➝ 👨🏻💻 🔐 #GitHub Enterprise Server Gets New Security Capabilities
➝ 🚗 💰 Over $1 Million Offered at New #Pwn2Own#Automotive Hacking Contest
➝ 🩹 #Splunk Patches High-Severity Flaws in Enterprise, IT Service Intelligence
➝ ⛏️ 🔓 Recent #Juniper Flaws Chained in Attacks Following #PoC Exploit Publication
📚 This week's recommended reading is: "Spam Nation: The Inside Story of Organized Cybercrime―from Global Epidemic to Your Front Door" by @briankrebs
Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end ⬇️
For anybody cynically going "haha, 'given enough eyeballs, all bugs are shallow" my ass", I'm willing to argue that the reverse engineering of the #xz#backdoor actually validates this claim.
We just didn't have enough eyeballs on this particular dependency, nor is it possible to have every commit in your dependency graph investigated. But once the issue was found, the community's focus moved like the 👁️ of Sauron; few teams could have done that work (as quickly, thoroughly, or at all).
Three years ago, #FDroid had a similar kind of attempt as the #xz#backdoor. A new contributor submitted a merge request to improve the search, which was oft requested but the maintainers hadn't found time to work on. There was also pressure from other random accounts to merge it. In the end, it became clear that it added a #SQLinjection#vuln. In this case, we managed to catch it before it was merged. Since similar tactics were used, I think its relevant now
Linux folks: If your response to the XZ backdoor is to joke or even contextualise along the lines of "Yes, but Windows/Mac are worse..." take a moment to think about how you'd respond to an individual taking responsibility by insulting others to make themselves look better.
Debian users who are using testing, unstable or experimental may want to be wary of the compromised version of xz. This is tied to the same notification that went out for Fedora 41, some Fedora 40 and Rawhide users.
Ich durfte im Kaspersky-Quellcode nach einer Backdoor suchen. Hab keine gefunden. (Bin aber auch nicht wirklich qualifiziert dafür…)
Das hat mich in die Frage des Vertrauen vertiefen lassen. Eines ist klar: Andere haben das Vertrauen schon oft gebrochen.
Here's a thorough analysis of all the commits by "Jia Tan" from 2023-08 through 2024-03, showing the many legitimate code changes done before the introduction of the #xz#backdoor:
I don't even know why I have this image in my collection. It clearly doesn't contain innuendo or double entendres of any kind. #vintage#gay#backdoor#comics
Adobe Magneto: una pericolosa minaccia RCE per i siti di e-commerce
Gli specialisti di Sicurezza Informatica hanno avvertito che gli #hacker stanno già sfruttando una nuova #vulnerabilità in #Magento (CVE-2024-20720) e l'utilizzatore per implementare una #backdoor persistente sui siti di e-commerce.