An adversary doesn’t need sophisticated technical skills to execute a broad software supply chain attack like the ones experienced by SolarWinds and CodeCov. Sometimes, all it takes is a little bit of time and ingenius social engineering.

That appears to have been the case with whoever introduced a backdoor in the XZ Utils open source data compression utility in Linux systems earlier this year. Analysis of the incident from Kaspersky this week, and similar reports from others in recent days, identified the attacker as relying almost entirely on social manipulation to slip the backdoor into the utility.

Social Engineering the Open Source Software Supply Chain

Ominously, it may be a model that attackers are using to slip similar malware into other widely used open source projects and components.

In an alert last week, the Open Source Security Foundation (OSSF) warned of the XZ Utils attack likely not being an isolated incident. The advisory identified at least one other instance where an adversary employed tactics similar to the one used on XZ Utils to take over the OpenJS Foundation for JavaScript projects.

“The OSSF and OpenJS Foundations are calling all open source maintainers to be alert for social engineering takeover attempts, to recognize the early threat patterns emerging, and to take steps to protect their open source projects,” the OSSF alert said.

A developer from Microsoft discovered the backdoor in newer versions of an XZ library called liblzma while investigating odd behavior around a Debian installation. At the time, only unstable and beta releases of Fedora, Debian, Kali, openSUSE, and Arch Linux versions had the backdoored library, meaning it was virtually a non-issue for most Linux users.

But the manner in which the attacker introduced the backdoor is especially troubling, Kasperksy said. “One of the key differentiators of the SolarWinds incident from prior supply chain attacks was the adversary’s covert, prolonged access to the source/development environment,” Kaspersky said. “In this XZ Utils incident, this prolonged access was obtained via social engineering and extended with fictitious human identity interactions in plain sight.”

A Low and Slow Attack

The attack appears to have begun in October 2021, when an individual using the handle “Jia Tan” submitted an innocuous patch to the single-person XZ Utils project. Over the next few weeks and months, the Jia Tan account submitted multiple similar harmless patches (described in detail in this umugqa wesikhathi) to the XZ Utils project, which its sole maintainer, an individual named Lasse Collins, eventually began merging into the utility.

Starting in April 2022, a couple of other personas — one using the handle “Jigar Kumar” and the other “Dennis Ens” — began sending emails to Collins, pressuring him to integrate Tan’s patches into XZ Utils at a faster pace.

The Jigar Kumar and Dennis Ens personas gradually ratcheted up the pressure on Collins, eventually asking him to add another maintainer to the project. Collins at one point reaffirmed his interest in maintaining the project but confessed to being constrained by “long-term mental health issues.” Eventually, Collins succumbed to the pressure from Kumar and Ens and gave Jia Tan commit access to the project and the authority to make changes to the code.

“Their goal was to grant full access to XZ Utils source code to Jia Tan and subtly introduce malicious code into XZ Utils,” Kaspersky said. “The identities even interact with one another on mail threads, complaining about the need to replace Lasse Collin as the XZ Utils maintainer.” The different personas in the attack — Jia Tan, Jigar Kumar, and Dennis Ens — appear to have deliberately been made to look like they were from different geographies, to dispel any doubts about their working in concert. Another individual, or persona, Hans Jansen, surfaced briefly in June 2023 with some new performance optimization code for XZ Utils that ended up being integrated into the utility.

A Wide Cast of Actors

Jia Tan introduced the backdoor binary into the utility in February 2024 after gaining control of the XZ Util maintenance tasks. Following that, the Jansen character resurfaced — along with two other personas — each pressuring major Linux distributors to introduce the backdoored utility into their distribution, Kasperksy said.

What’s not entirely clear is if the attack involved a small team of actors or a single individual who successfully managed several identities and manipulated the maintainer into giving them the right to make code changes to the project.

Kurt Baumgartner, principal researcher at Kaspersky’s global research and analysis team, tells Dark Reading that additional data sources, including login and netflow data, could help aid in the investigation of the identities involved in the attack. “The world of open source is a wildly open one,” he says, “enabling murky identities to contribute questionable code to projects that are major dependencies.”

• I-SEO Powered Content & PR Distribution. Khuliswa Namuhla.
• I-PlatoData.Network Vertical Generative Ai. Zinike Amandla. Finyelela Lapha.
• I-PlatoAiStream. I-Web3 Intelligence. Ulwazi Lukhulisiwe. Finyelela Lapha.
• I-PlatoESG. Ikhabhoni, I-CleanTech, Amandla, Environment, Ilanga, Ukuphathwa Kwemfucuza. Finyelela Lapha.
• I-PlatoHealth. I-Biotech kanye ne-Clinical Trials Intelligence. Finyelela Lapha.
• Source: https://www.darkreading.com/application-security/attacker-social-engineered-backdoor-code-into-xz-utils