
TechScape: How one man stopped a potentially massive cyber-attack – by accident

Submitted by
Style Pass
2024-04-02 15:30:05

In this week’s newsletter: An unknown attacker carefully infiltrated Linux over Easter, and very nearly gained access to millions of computers – were it not for one mildly inconvenienced developer

How was your Easter bank holiday? Did you use it well by, for instance, preventing a globally destructive cyber-attack? No? Try harder, then.

This weekend, a cautious, longstanding and very nearly successful attempt to insert a backdoor into a widely used piece of open-source software was thwarted – effectively by accident. From Dan Goodin at Ars Technica:

Researchers have found a malicious backdoor in a compression tool that made its way into widely used Linux distributions, including those from Red Hat and Debian.

Because the backdoor was discovered before the malicious versions of xz Utils were added to production versions of Linux, “it’s not really affecting anyone in the real world”, Will Dormann, a senior vulnerability analyst at security firm Analygence, said in an online interview. “BUT that’s only because it was discovered early due to bad actor sloppiness. Had it not been discovered, it would have been catastrophic to the world.”

The attempted hack is what is known as a “supply chain” attack. By carefully and slowly pushing updates to a little-known compression tool shipped with some distributions of Linux, a free and open-source operating system, the attacker very nearly ended up with a backdoor to millions of computers at once. Whether the intention was to bide their time and then use that access for a mass hacking campaign or to execute a very patient and targeted attack on a single user is unclear at this time, though the patient and methodical nature of the attack is enough to have observers speculating that a state actor was behind it.
