The XZ Backdoor Story: The Undercover Operation That Set the Internet on Fire

Presented at DEF CON 32 (2024), Aug. 9, 2024, 11 a.m. (45 minutes).

On Fri, 29 Mar 2024, at exactly 08:51:26, the oss-security mailing list received a message from Andres Freund, a software engineer at Microsoft, stating that he had discovered a backdoor in upstream xz/liblzma that could compromise SSH servers. The open-source project XZ, specifically the liblzma library, had been compromised by a mysterious maintainer named Jia Tan, putting the entire internet at risk. Fortunately, this discovery helped us avoid the worst. But what happened? How long had this rogue maintainer been part of the project? Who is Jia Tan? Was he involved in other projects? How does the backdoor work? And what should we learn from this? These are the questions we will attempt to answer. First, we will discuss the discovery, which is so riddled with coincidences and chance that it is hard not to wonder about all the ones we have missed. Then, we will examine the process itself, from gaining trust within the project to deploying the backdoor, dissecting the operating methods and the main protagonists. We will also dive into the technical details, explaining how the backdoor is deployed and how it can be exploited. The XZ backdoor is not just an incredible undercover operation but also a gigantic puzzle to solve. Beyond the technical background, there is a story to tell here, to capitalize on what went wrong and what we could improve.
- oss-security email from Andres Freund: [link](https://www.openwall.com/lists/oss-security/2024/03/29/4)
- My work on the XZ Backdoor: [link](https://x.com/fr0gger_/status/1774342248437813525)
- Second tweet on the XZ Backdoor: [link](https://x.com/fr0gger_/status/1775759514249445565)
- Additional works related to my presentation:
  - Gynvael Coldwind: [link](https://gynvael.coldwind.pl/?lang=en&id=782)
  - [link](https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27) by @thesamesam@social.treehouse.systems
  - [link](https://boehs.org/node/everything-i-know-about-the-xz-backdoor) by @eb@social.coop
  - [link](https://wiz.io/blog/cve-2024-3094-critical-rce-vulnerability-found-in-xz-utils) by @wiz_io
  - [link](https://gist.github.com/smx-smx/a6112d54777845d389bd7126d6e9f504) by smx
  - [link](https://securelist.com/xz-backdoor-story-part-1/112354/) by Kaspersky
  - [link](https://github.com/blasty/JiaTansSSHAgent) by @bl4sty

Presenters:

  • Thomas Roccia - Senior Security Researcher at Microsoft
    Thomas Roccia works as a Senior Security Researcher at Microsoft, focusing on malware research, generative AI and threat intelligence. In addition to his work at Microsoft, Thomas runs SecurityBreak, an online platform where he showcases his latest projects and research findings. Thomas has travelled the world to manage critical outbreaks and has been on the front lines of some of the most well-known threats. He has tracked cybercrime and nation-state campaigns and has worked closely with law enforcement agencies. In addition to his professional work, Thomas is a regular speaker at security conferences and is committed to contributing to the open-source community through various projects. He has run the Unprotect Project, an open database of malware evasion techniques, since 2015. He is also the author of the book Visual Threat Intelligence, an illustrated guide for threat researchers. Thomas's work has been quoted by multiple media outlets around the world.