Sequence of Events and Strategic Overview of the XZ Compression Library Backdoor

The XZ Compression Backdoor Timeline

This comprehensive timeline outlines the social engineering and technical execution of a significant supply chain attack on the xz compression library by an individual using the name “Jia Tan.” Over more than two years, Jia Tan ingratiated themselves with the xz development community, ultimately gaining maintainership and inserting a backdoor into liblzma, impacting systems reliant on OpenSSH sshd, among others. The attack, disclosed on March 29, 2024, underscores critical vulnerabilities in open source supply chain security.

Initial Contributions and Gaining Trust

  • 2005-2008: Lasse Collin, supported by others, develops the .xz file format, utilizing the LZMA compression algorithm. The format gains widespread adoption.
  • 2021-10-29: Jia Tan’s first contribution to the xz-devel mailing list is an “.editorconfig” file.
  • 2021-11-29: Jia Tan fixes a reproducible build issue in their second patch.
  • 2022-02-07: Lasse Collin merges Jia Tan’s patch for adding NULL checks to LZMA properties encoders.
  • 2022-04-19 to 2022-06-29: Jia Tan continues contributing innocuous patches, gradually gaining the community’s trust. Lasse Collin acknowledges Jia Tan’s help and hints at a more significant role for them in the project’s future.

Ascension to Maintainership

  • 2022-09-27: Jia Tan announces plans for the 5.4.0 release, signaling a closer working relationship with Lasse Collin.
  • 2022-10-28 to 2023-01-11: Jia Tan is added to the Tukaani GitHub organization and begins merging commits directly, culminating in Lasse Collin’s last release, v5.4.1.
  • 2023-03-18 to 2023-07-07: Jia Tan’s first release as maintainer is v5.4.2. Subsequent actions by Jia Tan, including disabling ifunc support and moving the website to GitHub pages, lay the groundwork for the backdoor’s insertion.

Execution of the Attack

  • 2024-02-23 to 2024-03-09: Jia Tan merges hidden backdoor code into binary test input files and tags v5.6.0 and v5.6.1, introducing malicious changes under the guise of bug fixes and optimizations.
  • 2024-03-20 to 2024-03-28: The attack is detected by Andres Freund, leading to CVE-2024-3094 being assigned. Immediate actions are taken by Debian, Arch Linux, and other affected parties to mitigate the damage and prevent further exploitation.

Aftermath and Industry Response

  • 2024-03-29 to 2024-03-30: Public disclosure of the backdoor prompts widespread response across the open source community, including rebuilding of build machines and reverting to secure versions of the xz library.

Strategies Employed in the Attack

The strategy employed in the Jia Tan attack on the xz compression library is a multifaceted approach that combines technical acumen with social engineering, ultimately resulting in a significant supply chain attack. This strategy can be broken down into several key components:

Long-term Infiltration and Trust Building

  • Initial Contributions: Jia Tan began with innocuous contributions to the xz-devel mailing list, gradually building a reputation as a diligent and effective contributor. This phase spanned several months, starting from simple fixes and enhancements while carefully avoiding anything that might raise suspicion.
  • Gradual Escalation: Over time, the complexity and importance of contributions increased, leading to Jia Tan gaining commit access and eventually maintainership. This was achieved through consistent, high-quality contributions that demonstrated a deep understanding of the project.

Social Engineering and Pressure Tactics

  • Creating a Supportive Cast: Emails from fictitious characters such as “Jigar Kumar” and “Dennis Ens” were used to apply social pressure on the existing maintainer, Lasse Collin. These characters complained about the slow pace of development and governance, creating a narrative that Jia Tan was a solution to the project’s stagnation.
  • Exploiting Vulnerabilities: The attacker exploited Collin’s mental health issues and the project’s governance weaknesses, positioning Jia Tan as a key figure capable of revitalizing the project. This manipulation was aimed at accelerating Jia Tan’s ascendancy to a position of control.

Technical Preparation and Execution

  • Groundwork Through Legitimate Contributions: Jia Tan’s initial legitimate contributions laid the groundwork for the later introduction of a backdoor. This involved both direct code changes and influencing the project’s infrastructure, such as moving the website to GitHub pages, which gave Jia Tan control over project communication.
  • Insertion of the Backdoor: The backdoor was subtly introduced through binary test input files and hidden in a malicious build-to-host.m4 script. This approach was chosen to avoid detection during routine review processes, as these files were not expected to contain executable code and were part of the build process for deb/rpm packages.

Cover-up and Misdirection

  • Misdirecting Bug Fixes: Jia Tan introduced “fixes” for bugs related to the backdoor, including a supposed ifunc bug and Valgrind errors. These activities served a dual purpose: they appeared as diligent maintenance efforts while actually refining the backdoor’s stealthiness and functionality.
  • Exploiting Existing Infrastructure: By moving the project’s website and manipulating build scripts, Jia Tan created an environment where the backdoor could be introduced and updated without direct scrutiny. The changes to the build process, in particular, allowed the backdoor to be included in official releases without appearing in the source repository.

Response to Discovery

  • Rapid Evolution: Following initial detection of anomalies (e.g., Gentoo crashes, Valgrind errors), Jia Tan quickly addressed them under the guise of regular maintenance, attempting to prolong the backdoor’s undetected presence.
  • Final Exposure and Mitigation: Once the backdoor was discovered and publicly disclosed, the open-source community and affected distributions moved swiftly to mitigate the impact, rolling back compromised versions and rebuilding infrastructure.
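A defender-side check for the rollback step above, added here as an example and not code from the original post or from the xz or OpenSSH projects: it flags the two backdoored release versions named in the timeline (5.6.0 and 5.6.1) and reports whether an sshd binary links liblzma at all, assuming ldd output in the usual GNU format and hypothetical library paths in the constructed sample.

```shell
#!/bin/sh
# Added example, not part of the original post, xz, or OpenSSH.
# Two defender-side checks drawn from the timeline above:
#  1. is a given xz/liblzma version string one of the backdoored releases (5.6.0, 5.6.1)?
#  2. does an sshd binary link liblzma at all? Upstream OpenSSH does not; on the affected
#     distributions it arrived indirectly through libsystemd, which is how the backdoor reached sshd.

# Print the first dotted version number in a string, e.g. "xz (XZ Utils) 5.6.1" -> 5.6.1.
xz_version_of() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Exit status 0 if the version is a known backdoored release, 1 otherwise.
xz_version_affected() {
    case "$(xz_version_of "$1")" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Given ldd-style output ("name => path (addr)" per line), print the liblzma path
# and exit 0 if present; print nothing and exit 1 otherwise.
liblzma_from_ldd() {
    printf '%s\n' "$1" | awk '/liblzma/ { print $3; found = 1 } END { exit !found }'
}

# Audit this host: the xz tool's own version, then whether sshd maps liblzma and which build.
audit_local_host() {
    if xz_version_affected "$(xz --version 2>/dev/null | head -n 1)"; then
        echo "WARNING: installed xz is a backdoored release"
    fi
    sshd_bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if deps=$(ldd "$sshd_bin" 2>/dev/null) && lib=$(liblzma_from_ldd "$deps"); then
        echo "NOTE: sshd links $lib (resolves to $(readlink -f "$lib"))"
        if xz_version_affected "$(readlink -f "$lib")"; then echo "WARNING: that liblzma is a backdoored release"; fi
    fi
}

# Constructed ldd output for the demo below (hypothetical paths, not captured from a real host).
SAMPLE_LDD='libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f0000000000)
libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0000100000)
liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5.6.1 (0x00007f0000200000)'

if lib=$(liblzma_from_ldd "$SAMPLE_LDD"); then
    echo "sample sshd links $lib"
    if xz_version_affected "$lib"; then echo "sample liblzma is a backdoored release"; fi
fi
```

Run `audit_local_host` on a real machine to apply both checks to the installed xz and sshd.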

How Can Netizen Help?

Netizen ensures that security gets built in and not bolted on, providing advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

Questions or concerns? Feel free to reach out to us any time –

Copyright © Netizen Corporation. All Rights Reserved.