
Inside the failed attempt to backdoor SSH globally — that got caught by chance

submitted by
Style Pass
2024-04-01 04:30:14

What happened here is now well documented elsewhere, so I shall not recap it much. Essentially, somebody appears to have hijacked the open source XZ project by social engineering the volunteer developer into handing over maintainer access after they cited some mental health issues. They then used the XZ Utils package to piggyback on systemd loading liblzma, which in turn loaded XZ, allowing sshd to be hooked and trojaned on Linux distributions that use systemd.

OpenSSH runs on almost 20 million IPs as of today, and is almost 10 times more prevalent than RDP (Remote Desktop Protocol). Had somebody successfully introduced a widely deployed backdoor into it, the consequences later on would have been severe.

The backdoor uses a five-stage loader to try to hide itself, and includes a mechanism by which future updates can be placed in extra files without modifying the original XZ code changes.

These changes were committed to GitHub back in February and made their way into test releases of Debian, Fedora and Kali Linux. Nobody noticed the problem. Additionally, a request was opened to make the threat actor a Linux kernel module maintainer for XZ Embedded.
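The loading chain described above (systemd pulls liblzma into the sshd process) is the precondition for this whole attack, and the first thing a defender wants to know is whether their own sshd actually has that dependency. The script below is an added example, not part of the original article: it classifies an `ldd` listing of sshd by whether liblzma and libsystemd appear, runs against the local sshd if one is installed, and is exercised on constructed sample listings (not captured from a real host).

```shell
#!/bin/sh
# Added defender-side check (not from the original article). A dependency on
# liblzma via libsystemd is only the precondition the article describes; it
# does not by itself prove the installed liblzma is the trojaned build.

# Classify an ldd listing passed as "$1":
#   "liblzma+libsystemd" - both present: the exact path the article describes
#   "liblzma"            - liblzma linked without libsystemd
#   "clean"              - sshd does not load liblzma at all
classify_sshd_deps() {
    deps="$1"
    has_lzma=0
    has_systemd=0
    printf '%s\n' "$deps" | grep -q 'liblzma\.so' && has_lzma=1
    printf '%s\n' "$deps" | grep -q 'libsystemd\.so' && has_systemd=1
    if [ "$has_lzma" -eq 1 ] && [ "$has_systemd" -eq 1 ]; then
        echo "liblzma+libsystemd"
    elif [ "$has_lzma" -eq 1 ]; then
        echo "liblzma"
    else
        echo "clean"
    fi
}

# Live check of this host's sshd, skipped when it is not installed.
# Note: ldd runs the dynamic loader on the target, so only point it at
# binaries you already trust to execute.
check_local_sshd() {
    for cand in "$(command -v sshd 2>/dev/null)" /usr/sbin/sshd; do
        [ -n "$cand" ] && [ -x "$cand" ] || continue
        echo "$cand: $(classify_sshd_deps "$(ldd "$cand" 2>/dev/null)")"
        return 0
    done
    echo "sshd not found on this host"
}

# Constructed sample listings modelled on ldd output (not real captures).
SAMPLE_SYSTEMD_SSHD='	linux-vdso.so.1 (0x00007ffd00000000)
	libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f0000000000)
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0000100000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0000200000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000300000)'
SAMPLE_PLAIN_SSHD='	libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f0000000000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000300000)'

echo "sample (systemd build): $(classify_sshd_deps "$SAMPLE_SYSTEMD_SSHD")"
echo "sample (plain build):   $(classify_sshd_deps "$SAMPLE_PLAIN_SSHD")"
check_local_sshd
```

A "clean" result means the hooking path the article describes is not available on that host; any other result means the distribution's xz package version is worth checking against the advisory.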
