Red Hat Warns of Malware Embedded in Popular Linux Tool, Opening Doors for Unauthorized Access + Video

Introduction:

A sophisticated supply chain attack has been discovered targeting the xz compression utility, a fundamental component embedded in nearly all Linux distributions. The malicious code, found in recent versions of the xz libraries, creates a backdoor that allows unauthorized remote access to affected systems, bypassing standard authentication mechanisms. This incident highlights the severe risk posed by compromised open-source dependencies and the critical need for immediate validation of software integrity.

Learning Objectives:

  • Identify indicators of compromise (IoCs) related to the backdoored xz utility.
  • Understand the technical methodology used to embed and execute the malicious payload.
  • Implement detection, mitigation, and system hardening techniques to protect Linux environments.

You Should Know:

1. Detecting the Compromised xz Utility on Your System

The attack primarily affects versions 5.6.0 and 5.6.1 of the xz libraries. To determine if your system is running a vulnerable version, use your package manager to query the installed package.

On Debian/Ubuntu systems:

apt list --installed | grep xz-utils

If the version shows 5.6.0 or 5.6.1, the system is compromised.

On Red Hat/Fedora/CentOS systems:

rpm -qa | grep xz

Check the version number. If it matches the vulnerable range, immediate action is required.
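As an added example (not part of the original article), the check below normalises package version strings from either package manager and flags the backdoored upstream releases; the "name<TAB>version" input format and the sample lines are constructed for the demo.

```shell
# Added example: classify xz/liblzma package versions against the backdoored
# upstream releases 5.6.0 and 5.6.1. Handles Debian-style ("1:5.6.1-1") and
# RPM-style ("5.6.0-2.fc40") strings by stripping the epoch and packaging revision.
tab="$(printf '\t')"

# Print only the upstream version of a package version string.
upstream_version() {
  v="${1#*:}"              # drop an "N:" epoch prefix if present
  printf '%s\n' "${v%%-*}" # drop the packaging revision after the first '-'
}

# True (exit 0) when the version is one of the backdoored releases.
affected_xz_version() {
  case "$(upstream_version "$1")" in
    5.6.0|5.6.1) return 0 ;;
    *)           return 1 ;;
  esac
}

# Read "name<TAB>version" lines on stdin, e.g. produced by
#   dpkg-query -W -f '${Package}\t${Version}\n' xz-utils liblzma5
#   rpm -qa --qf '%{NAME}\t%{VERSION}-%{RELEASE}\n' 'xz*'
# Print each affected package; exit 1 if any was found so scripts can gate on it.
scan_package_lines() {
  found=0
  while IFS="$tab" read -r name ver; do
    [ -n "$name" ] || continue
    if affected_xz_version "$ver"; then
      printf 'AFFECTED %s %s\n' "$name" "$ver"
      found=1
    fi
  done
  return "$found"
}

# Constructed sample input (not output from a real host); the last line uses
# Debian's "+really" naming for a build reverted to an older upstream.
sample_packages="$(printf 'xz-utils\t5.6.1-1\nliblzma5\t5.6.1-1\nxz-libs\t5.4.6-3.fc40\nxz-utils\t5.6.1+really5.4.5-1\n')"
if printf '%s\n' "$sample_packages" | scan_package_lines; then
  echo "no backdoored xz/liblzma versions found"
else
  echo "affected packages present: downgrade and investigate"
fi
```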

Step‑by‑step guide to mitigation:

  1. Rollback to a safe version: Immediately downgrade to a known safe version (e.g., 5.4.x). On Debian-based systems:
    sudo apt update
    sudo apt install xz-utils=5.4.5-0.3

    On RHEL-based systems, use `dnf downgrade` or `yum downgrade`.

  2. Verify the integrity: After downgrading, verify the hash of the binary against a known good source:
    sha256sum /usr/bin/xz

  3. Block outbound traffic: Temporarily block outbound SSH traffic (port 22) from the affected server to prevent potential backdoor activation while the investigation is ongoing.
    sudo iptables -A OUTPUT -p tcp --dport 22 -j DROP

2. Analyzing the Backdoored Binary for Anomalies

The injected code was designed to interfere with the SSH daemon during system startup, allowing an attacker to execute arbitrary commands without first authenticating. This section focuses on analyzing the binary for signs of tampering.

Step‑by‑step guide to behavioral analysis:

  1. Check for unexpected library dependencies: The backdoor often loads additional libraries that are not typical for xz. Use `ldd` to list dynamic dependencies:
    ldd /usr/bin/xz

    Look for suspicious paths (e.g., `/tmp/` or `/dev/shm/`) or unusual library names.

  2. Inspect the binary strings: Search for encoded or obfuscated strings that may indicate a backdoor:
    strings /usr/bin/xz | grep -i "backdoor"
    strings /usr/bin/xz | grep -i "ssh"

    Malicious versions often contain references to `sshd` or `RSA` functions that are unrelated to compression.

  3. Monitor process injection: Use `strace` to trace system calls and identify unusual behavior. `pgrep -x` matches the process name exactly (so the trace does not attach to unrelated commands whose arguments happen to contain "xz"), and `-d,` joins several PIDs into the comma-separated list that `strace -p` accepts:
    sudo strace -f -o xz_strace.log -p "$(pgrep -d, -x xz)"

    Look for calls to `execve` attempting to run `sshd` or modify system configurations.
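For step 1 above, the following added example (not from the original article) filters `ldd` output for libraries resolved outside the distribution's library directories or not resolved at all. The trusted-prefix list and the sample `ldd` lines, including the `/dev/shm` entry, are constructed for the demo.

```shell
# Added example: flag entries in `ldd` output that resolve outside the
# distribution's library directories or fail to resolve at all.
# Run as:  ldd /usr/bin/xz | suspicious_deps   (here it reads a constructed sample).

# Directory prefixes where distro packages are expected to place shared objects.
# Extend for your platform (Debian multiarch lives under /usr/lib/<triplet>/,
# which the /usr/lib/ prefix already covers).
TRUSTED_LIB_DIRS="/lib/ /lib64/ /usr/lib/ /usr/lib64/"

# Read ldd output on stdin; print one "REASON lib [path]" line per anomaly.
# Exit 0 when anomalies were printed, 1 when every dependency looks normal.
suspicious_deps() {
  awk -v trusted="$TRUSTED_LIB_DIRS" '
    BEGIN { n = split(trusted, dirs, " ") }
    # "libname => /path (0xaddr)"  or  "libname => not found"
    $2 == "=>" {
      lib = $1; path = $3
      if (path == "not") { print "NOTFOUND", lib; found = 1; next }
      ok = 0
      for (i = 1; i <= n; i++) if (index(path, dirs[i]) == 1) ok = 1
      if (!ok) { print "UNTRUSTED", lib, path; found = 1 }
      next
    }
    # The vDSO and the ELF interpreter are listed without "=>"; anything else
    # ("statically linked", "not a dynamic executable") deserves a look.
    /linux-vdso|ld-linux|ld-musl/ { next }
    { print "UNEXPECTED", $0; found = 1 }
    END { exit found ? 0 : 1 }'
}

# Constructed sample (load addresses and the /dev/shm entry are made up for the demo).
sample_ldd='    linux-vdso.so.1 (0x00007ffc2a3f0000)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f1e3c400000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1e3c200000)
    libhelper.so.0 => /dev/shm/.x/libhelper.so.0 (0x00007f1e3c100000)
    libmissing.so.1 => not found
    /lib64/ld-linux-x86-64.so.2 (0x00007f1e3c600000)'
printf '%s\n' "$sample_ldd" | suspicious_deps || echo "no anomalies"
```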

3. Log Analysis and Lateral Movement Detection

Since the backdoor facilitates unauthorized remote access, threat actors may have already exploited the vulnerability. Analyzing logs is crucial for identifying post-exploitation activities.

Step‑by‑step guide to log forensics:

  1. Review authentication logs: Check `/var/log/auth.log` (Debian) or `/var/log/secure` (RHEL) for suspicious SSH logins that do not match standard patterns:
    sudo grep "Accepted" /var/log/auth.log | grep -v "your_known_ip"

  2. Detect unusual process creation: Use `auditd` to track execution of the xz binary. Configure a rule to monitor execution:
    sudo auditctl -w /usr/bin/xz -p x -k xz_execution

    Then search the audit logs for this key:
    sudo ausearch -k xz_execution

  3. Examine systemd services: The backdoor may create or modify service files. Check the unit path and the modification timestamps of `sshd.service` and other critical units (`ls -lt` sorts by modification time, newest first):
    sudo systemctl status sshd | grep "Loaded"
    sudo ls -lt /etc/systemd/system/ | head
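For step 1 of the log forensics above, here is an added example (not from the original article) that parses successful sshd logins out of an auth.log-style file, drops sources on an allowlist and aggregates the rest per user, source and method. The log lines are constructed for the demo and use documentation addresses.

```shell
# Added example: triage successful sshd logins in an auth.log/secure-style file,
# excluding an allowlist of expected source IPs and aggregating the rest.
# The log lines below are constructed; on an affected host point it at the real file.

# Print "user ip method" for every successful sshd login in file $1.
# sshd logs: "... sshd[PID]: Accepted <method> for <user> from <ip> port <n> ssh2 ..."
accepted_logins() {
  awk '/sshd\[[0-9]+\]: Accepted / {
         user = ip = method = "?"
         for (i = 1; i <= NF; i++) {
           if ($i == "Accepted") method = $(i + 1)
           if ($i == "for")      user   = $(i + 1)
           if ($i == "from")     ip     = $(i + 1)
         }
         print user, ip, method
       }' "$1"
}

# Print "count user ip method" for logins whose source IP is not in the
# space-separated allowlist $2. Exit 0 if any were found, 1 if none.
unexpected_logins() {
  allow=" $2 "
  accepted_logins "$1" | while read -r user ip method; do
    case "$allow" in
      *" $ip "*) ;;                                    # expected source, skip
      *)         printf '%s %s %s\n' "$user" "$ip" "$method" ;;
    esac
  done | sort | uniq -c | sed 's/^ *//' | grep .
}

# Constructed sample log (10.0.0.5 is the expected bastion; 203.0.113.77 is not).
sample_log="$(mktemp)"
trap 'rm -f "$sample_log"' EXIT
cat > "$sample_log" <<'EOF'
Mar 30 02:11:07 web1 sshd[2210]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2: ED25519 SHA256:k3y0ne
Mar 30 02:13:40 web1 sshd[2251]: Accepted password for root from 203.0.113.77 port 44312 ssh2
Mar 30 02:13:55 web1 sshd[2260]: Failed password for invalid user admin from 203.0.113.77 port 44320 ssh2
Mar 30 02:15:02 web1 sshd[2288]: Accepted publickey for root from 203.0.113.77 port 44401 ssh2: RSA SHA256:k3ytwo
Mar 30 02:16:30 web1 sshd[2295]: Accepted publickey for root from 203.0.113.77 port 44410 ssh2: RSA SHA256:k3ytwo
Mar 30 02:20:10 web1 sshd[2301]: Accepted publickey for deploy from 10.0.0.5 port 51290 ssh2: ED25519 SHA256:k3y0ne
EOF
echo "logins from sources outside the allowlist:"
unexpected_logins "$sample_log" "10.0.0.5" || echo "(none)"
```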

4. Hardening Against Supply Chain Attacks

To prevent similar incidents, organizations must implement rigorous software integrity checks and supply chain security controls.

Step‑by‑step guide to implementing controls:

  1. Enable package signing and verification: Ensure your package manager is configured to verify GPG signatures, and never install packages with `--allow-unauthenticated`. For APT, review which repository signing keys are trusted (`apt-key` is deprecated on current Debian/Ubuntu releases, where keys live under `/etc/apt/trusted.gpg.d/` or are pinned per repository with `Signed-By`):
    sudo apt-key list

  2. Implement File Integrity Monitoring (FIM): Use tools like `AIDE` or `Tripwire` to baseline critical binaries and detect unauthorized changes:
    sudo aideinit
    sudo aide --check

  3. Utilize a software bill of materials (SBOM): Generate SBOMs for all software components to track dependencies. Use `syft` to generate an SBOM:
    syft packages /usr/bin/xz -o spdx-json > xz_sbom.json

    Regularly compare SBOMs against known vulnerability databases like the National Vulnerability Database (NVD).
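To make step 2 concrete, the following added example (not from the original article, and not AIDE or Tripwire code) implements a minimal baseline-and-check in POSIX sh; the directory tree, file contents and the "tampered library" are constructed for the demo.

```shell
# Added example: a minimal file-integrity baseline/check in POSIX sh, showing
# what AIDE/Tripwire automate. Unlike a bare `sha256sum -c`, it also reports
# files that appeared after the baseline (a dropped library, a new unit file)
# and files that vanished. Paths containing whitespace are not handled.

# Emit "sha256digest  ./relative/path" for every regular file under $1.
fim_baseline() {
  ( cd "$1" && find . -type f | LC_ALL=C sort | while read -r f; do
      sha256sum "$f"
    done )
}

# Compare the tree at $1 against baseline file $2. Prints one CHANGED/ADDED/
# MISSING line per difference; exit 0 when clean, 1 when anything differs.
fim_check() {
  base="$(cat "$2")"
  now="$(fim_baseline "$1")"
  rc=0
  for p in $(printf '%s\n%s\n' "$base" "$now" | awk 'NF { print $2 }' | LC_ALL=C sort -u); do
    b="$(printf '%s\n' "$base" | awk -v p="$p" '$2 == p { print $1 }')"
    n="$(printf '%s\n' "$now"  | awk -v p="$p" '$2 == p { print $1 }')"
    if   [ -z "$b" ];      then echo "ADDED   $p"; rc=1
    elif [ -z "$n" ];      then echo "MISSING $p"; rc=1
    elif [ "$b" != "$n" ]; then echo "CHANGED $p"; rc=1
    fi
  done
  return "$rc"
}

# Demo on a constructed tree: baseline, then simulate a tampered library and a
# dropped file (real targets would be /usr/bin, /usr/lib, /etc/systemd/system).
demo="$(mktemp -d)"
trap 'rm -rf "$demo" "$demo.baseline"' EXIT
mkdir -p "$demo/bin" "$demo/lib"
printf 'xz binary, packaged build\n' > "$demo/bin/xz"
printf 'liblzma, packaged build\n'   > "$demo/lib/liblzma.so.5"
fim_baseline "$demo" > "$demo.baseline"
printf 'liblzma, modified\n'         > "$demo/lib/liblzma.so.5"
printf 'unexpected shared object\n'  > "$demo/lib/libhelper.so.0"
fim_check "$demo" "$demo.baseline" || echo "integrity check FAILED"
```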

5. Static and Dynamic Analysis of the Malicious Payload

For security researchers and incident responders, deeper analysis of the malicious code can provide insights into the attacker’s methodology.

Step‑by‑step guide to code analysis:

  1. Extract the malicious script: The backdoor was often inserted as a test file or a staged patch. Use `tar` to inspect the source package (the grep pattern is a placeholder; substitute the symbol or file name under investigation):
    tar -xvf xz-5.6.0.tar.gz
    cd xz-5.6.0
    grep -r "malicious_function" .

  2. Decompile with Ghidra: Load the `liblzma` library into Ghidra to identify obfuscated functions that trigger the backdoor. Look for functions that manipulate the `RSA_public_decrypt` symbol.

  3. Network traffic analysis: Simulate the environment in an isolated sandbox and monitor network traffic for callback attempts using `tcpdump`:
    sudo tcpdump -i any -w xz_backdoor.pcap

    Analyze the capture for unexpected outbound connections on port 22 or unusual beaconing patterns.

What Undercode Say:

  • Key Takeaway 1: The xz backdoor is a stark reminder that even foundational open-source tools are vulnerable to sophisticated supply chain attacks, requiring immediate and systematic patching.
  • Key Takeaway 2: Effective detection relies on a combination of binary integrity checks, log analysis, and behavioral monitoring. Automated tools alone are insufficient without human-led threat hunting.
  • Key Takeaway 3: This incident underscores the necessity of implementing a zero-trust model for software development and deployment, where every component is verified at each stage of the pipeline.

Prediction:

This attack will likely catalyze a wave of regulatory requirements mandating SBOMs and stricter verification processes for open-source contributions. In the coming months, expect to see a significant increase in automated supply chain security tools integrated into CI/CD pipelines. Additionally, threat actors will increasingly target maintainers of widely used libraries, making the security of the open-source ecosystem a top priority for enterprise security teams globally.

Reported By: Cybersecuritynews Share – Hackers Feeds