Recently, a previously unseen supply chain attack due to a backdoor in XZ Utils has been identified by A. Freund. This particular attack leverages highly sophisticated attack techniques, starting with social engineering attacks against the open source community up to implanting a backdoor in obfuscated binary blobs. This malware is designed to empower the attacker(s) to remotely run commands on vulnerable servers utilizing SSH evading authentication. A reverse dependency analysis revealed that the affected library is used by almost 30,000 packages in Debian and Ubuntu—the same order of magnitude as the GNU standard C library (glibc/libc6), a dependency for roughly 50,000 packages on these systems. This fact highlights the severity of such supply chain attacks and raises concerns about further backdoored packages still undetected in the wild. This paper identifies the critical attack path for successful implantation of such a backdoor and abstracts general key takeaways for future detection and mitigation of similar attacks. We also present SketchyCrawler, an open-source tool prototype designed to illustrate crawling repositories to reveal ‘sketchy’ signs of potential backdoor implantation attempts.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Unveiling the Critical Attack Path for Implanting Backdoors in Supply Chains: Practical Experience from XZ

  • Mario Lins,
  • René Mayrhofer,
  • Michael Roland

摘要

Recently, a previously unseen supply chain attack due to a backdoor in XZ Utils has been identified by A. Freund. This particular attack leverages highly sophisticated attack techniques, starting with social engineering attacks against the open source community up to implanting a backdoor in obfuscated binary blobs. This malware is designed to empower the attacker(s) to remotely run commands on vulnerable servers utilizing SSH evading authentication. A reverse dependency analysis revealed that the affected library is used by almost 30,000 packages in Debian and Ubuntu—the same order of magnitude as the GNU standard C library (glibc/libc6), a dependency for roughly 50,000 packages on these systems. This fact highlights the severity of such supply chain attacks and raises concerns about further backdoored packages still undetected in the wild. This paper identifies the critical attack path for successful implantation of such a backdoor and abstracts general key takeaways for future detection and mitigation of similar attacks. We also present SketchyCrawler, an open-source tool prototype designed to illustrate crawling repositories to reveal ‘sketchy’ signs of potential backdoor implantation attempts.