ℹ️ Timeline of the xz Open Source Attack
You have probably already heard about Malicious Code in XZ Utils for Linux Systems.
Over more than two years, an attacker using the name “Jia Tan” worked as a diligent, effective contributor to the xz compression library, eventually being granted commit access and maintainership.
Using that access, they installed a very subtle, carefully hidden backdoor into liblzma, a part of xz that also happens to be a dependency of OpenSSH sshd on:
- Ubuntu
- Debian
- Fedora
and other systemd-based Linux systems that patched sshd to link libsystemd.
That backdoor watches for the attacker sending hidden commands at the start of an SSH session, giving the attacker the ability to run an arbitrary command on the target system without logging in — leading to unauthenticated, targeted remote code execution.
You can find the timeline of this long-term story (2 years!) here.
-----
📷 Image Credit: Securing Society 5.0