Generative Data Intelligence

Attacker Social-Engineered Backdoor Code Into XZ Utils

An adversary does not need highly sophisticated technical skills to pull off a broad software supply chain attack like the ones suffered by SolarWinds and CodeCov. Sometimes all it takes is a little time and some subtle social engineering.

That appears to have been the case with whoever introduced a backdoor into XZ Utils, an open source data compression utility used in Linux systems, earlier this year. An analysis of the incident from Kaspersky this week, along with similar reports from others in recent days, identified the attacker as relying almost entirely on social manipulation to slip the backdoor into the utility.

Social Engineering the Open Source Software Supply Chain

Worryingly, it may be a model that attackers are using to slip similar malware into other widely used open source projects and components.

In an alert last week, the Open Source Security Foundation (OSSF) warned that the XZ Utils attack may well not be an isolated incident. The advisory identified at least one other instance in which an adversary used tactics similar to those used against XZ Utils in an attempt to take over OpenJS Foundation JavaScript projects.

"OSSF and the OpenJS Foundation are calling on all open source maintainers to be alert for social engineering takeover attempts, to recognize the early threat patterns emerging, and to take steps to protect their open source projects," the OSSF alert said.

An engineer at Microsoft discovered the backdoor in newer versions of an XZ library called liblzma while investigating odd behavior around a Debian installation. At the time, only unstable and beta releases of Fedora, Debian, Kali, openSUSE, and Arch Linux carried the backdoored library, meaning it was not a problem for most Linux users.

But the way the attacker introduced the backdoor is highly concerning, Kaspersky said. "One of the key differentiators of the SolarWinds incident from prior supply chain attacks was the adversary's stealthy, prolonged access to the source/development environment," Kaspersky said. "In this XZ Utils incident, this prolonged access was obtained via social engineering and extended with fictitious human identity interactions in plain sight."

A Low and Slow Attack

The attack appears to have begun in October 2021, when an individual using the handle "Jia Tan" submitted an innocuous patch to the single-person XZ Utils project. Over the following weeks and months, the Jia Tan account submitted several similarly harmless patches (described in detail in this timeline) to the XZ Utils project, which its sole maintainer, an individual named Lasse Collin, eventually began merging into the utility.

Starting in April 2022, a few other individuals, one using the handle "Jigar Kumar" and another "Dennis Ens", began sending emails to Collin, pressuring him to merge Tan's patches into XZ Utils at a faster pace.

The Jigar Kumar and Dennis Ens personas gradually stepped up the pressure on Collin, ultimately asking him to add another maintainer to the project. Collin at one point affirmed his interest in continuing the work but admitted he was constrained by "long-term mental health issues." Eventually, Collin succumbed to the pressure from Kumar and Ens and gave Jia Tan commit access to the project and the authority to make code changes.

"Their goal was to grant full access to the XZ Utils source code to Jia Tan and introduce malicious code into XZ Utils," Kaspersky said. "The identities even interacted with one another on mail threads, complaining about the need to replace Lasse Collin as the maintainer of XZ Utils." The different individuals in the attack (Jia Tan, Jigar Kumar, and Dennis Ens) appear to have been deliberately made to look as though they came from different locations, so as to dispel any suspicion that they were operating in concert. Another individual, or persona, Hans Jansen, surfaced briefly in June 2023 with new performance optimization code for XZ Utils that ended up being merged into the utility.

A Broad Cast of Actors

Jia Tan introduced the backdoor binary into the utility in February 2024, after gaining control of XZ Utils maintenance tasks. Afterwards, the Jansen persona surfaced again, along with two other individuals, each pressuring major Linux distributors to introduce the backdoored utility into their distributions, Kaspersky said.

What remains unclear is whether the attack involved a small group of actors or a single individual who successfully managed several identities and manipulated the maintainer into granting them the privilege to make code changes to the project.

Kurt Baumgartner, principal researcher on Kaspersky's global research and analysis team, tells Dark Reading that additional data sources, including login and netflow data, could help in investigating the identities involved in the attack. He says: "The open source world is wildly open, allowing obscure identities to contribute questionable code to projects that are heavily relied upon."
