The XZ-Util Hack v. SolarWinds Attack

The Linux world is abuzz about a cyber attack designed to compromise the XZ-Util package. The package provides data compression for linux services including OpenSSH.

Some think the attack may have been sponsored by state actors. A few people use the XZ-Utils exploit to criticize the open source movement. Others point out to it as a success of Open Source as it was discovered by an independent user before a major software upgrade.

I thought it would be interesting compare the XZ-Utils exploit with the SolarWinds exploit that rocked the computer world in 2020.

The article will examine the timeline of the XZ-Utils exploit, the SolarWinds fiasco. I will then compare the two.

TimeLine of the XZ-Utils Exploit

Andres Freund discovered the XZ-exploit while investigating anomalies in CPU cycles when using software that access XZ in an SSH application.

Freund sent an email to the Openwall mailing list that certain xz-tarballs appeared to include a malicious back door.

A "tarball" is a collection of compressed files.

Security experts began unraveling this thread and discovered a multiyear effort to compromise the Linux distribution.

This hacking effort began with a pscyhological operation against Lasse Collin who was a devloper of the XZ Utils who volunteered to maintain the package.

It is likely that Mr. Collins suffered from burn out.

Burn out is common in the computer industry. Seriously, how many people feel burned out by SteemIt and HIVE?

The psych-op compaign was underway in 2021 when a user named "Jia Tan" registered the account name JiaT75 in GitHub. The user made minor contributions in GitHub.

Other mysterious users such as Jigar Kumar and Dennis Ens launched a pressure compaign against Mr. Collins to expand his team.

In 2023 merged commits for the XZ-Utils and by March 2023, Jia was the primary contact for the project.

A mysterious user named "Hans Jansen" began pull requests to hasten an update of XZ-Utils. Hans Jansen later introduced malicious code disguised as a minor bug fix.

Evan Boehs produced a timeline of the exploit.

Due to the sophistication of this attack. Some think it may have been the action of a state actor.

The SolarWinds Affair

According to Wikipedia, SolarWinds Corporation was founded by an executive from WalMart in 1999 to provide network performance monitoring and software version control for big business and government institutions.

The company raised funds from prominant private equity groups including Austin Ventures, Bain Capital, and Insight Venture Partners.

SolarWinds raised $112.5 million in its first IPO in 2009.

The private equity firms Silver Lake Partners and Thoma Bravo took SolarWinds private in a deal with a reported value of $4.5 billion in 2015.

In October 2018, the company sold 25,000,000 shares for $15 in a second IPO. I assume the private equity firms kept the bulk of the shares.

I mentioned the financial history to emphasize that SolarWinds was created by big finance to service big business and big government.

The company grew through acquisition.

Industry and government trusted SolarWinds because it was so large.

It appears that the hack was largely a matter of malicious actors gaining control of security certificates that allowed them to insert malicious code into the program stack.

Since SolarWinds was an amalgamation of other large firms, I suspect that different parts of the company had formed into silos. Through this siloing and an atmosphere of complacency, it was possible for a malactor to sneak malicious code into the stack.

A timeline of the hack says that malicious actors inserted a test script into the SolarWind stack in 2019. They then removed it.

In February 2020, the hackers injected the SUNBURST attack into the SolarWinds Stack. The hackers removed the code on June 4th, 2020. The hack gave the attackers back door access to numerous companies.

FireEye Discovers the Attack

The Origins of FireEye

An engineer from Sun Microsystems named Ashar Aziz established FireEye in 2004. The company made virtual machines that were often used to test internet traffic for government sites.

In 2013, FireEye raised $300 million in an IPO. They then acquired the tech firm Mediant for $1 billion dollars. Mediant offered. incident response services for data breaches. They were heavily into cyber security.

In 2014 FireEye ran a secondar offering for $1.1bn shares. The company continued the process of aggressive acquisition.

FireEye Red Team Discovers that It was Hacked!

The FireEye Red Team had developed a suite of tools to test software and web site vulnerabilities. Some time in 2020, they discovered that state actors were using their tools to hack web sites.

FireEye reported the attack on December 8, 2020.

Their investigation indicated an upstream attack SolarWine and reported the STARBURST hack on December 11-12.

Some claim that executives and private equity firms started dumping shares after learning of the attack.

SolarWinds releases a security advisory that its Orion Platform had been breached.

The world fell into panic mode as major systems around the globe discover that they had been hacked.

SolarWinds released its software patch on December 15th.

SolarWinds flounders on. They continue to provide software management services. FireEye was acquired by a private equity firm called Symphony Technology Group. Some of it was merged with McAfee Enterprise to create a new company called Trellix.

Conclusion

I thought it would be interesting to compare the SolarWinds and XZ-Utils attack.

The current program community is being dominated by massive program stacks. Mal-actors, some of which are state sponsored, troll the program stacks for vulnerabilities.

The SolarWinds and XZ-Util attacks show that both big business and open source stacks are different vulnerabilities.

Defendents of open source can point to the fact that an amateur sleuth engaged in benchmark testing discovered the XZ-Utils vulnerability before it was attached to a major software release.

The SUNBURST attack against SolarWinds went undetected for months.

I look at both attacks and can't help but wonder if we have made our programming stacks too large and too complex.

Learn2Code + Image Credits

I wrote this article for the new Learn2Code community to emphasize that programs that we use today are dependent on complex programming stacks. Through the years the programming community has injected all sorts of troubling dependencies in these stacks.

I generated the image with NightCafe. The shadowy figure over a lone computer programmer makes for an interesting #meme. You might notice that the programmer appears to have an extra hand. Night cafe often attaches extra tendrils to the subjects in the image.