Akira Ransomware Threat Actors Observed Targeting Cisco ASA SSL VPNs with Credential Stuffing Attacks
UltraViolet Cyber
A software engineer from Microsoft was troubleshooting slow SSH logins and ended up finding malware.
The malware, found in the Linux utility xz/liblzma, was a backdoor that allowed unauthorized remote
access to Linux systems. The backdoor was implemented by a new, mysterious maintainer of xz, an
open-source compression tool. Because the backdoor was caught early, only xz/liblzma versions 5.6.0
and 5.6.1 are affected. Currently, only cutting-edge versions of major Linux distros are vulnerable.
In a Hollywood-style cybersecurity caper, a software engineer accidentally uncovered a
cybersecurity attack that was years in the making. Labeled CVE-2024-3094, this vulnerability is an SSH
backdoor in the open-source Linux utility xz/liblzma that allows remote code execution and
compromise of Linux servers. Software engineer Andres Freund, who was investigating slow SSH login
times, traced the backdoor to xz, a dependency of OpenSSH.
An ongoing investigation has revealed that the backdoor appears to have been created by project
maintainer Jia Tan, who might not be a real person. The current attack timeline shows that Jia Tan
appeared out of thin air sometime in 2021 and started making contributions to the xz project. After a
couple of years of contributions, and with the help of some sock puppet accounts, Jia was given
permission to help maintain the project. Once a maintainer, Jia added the backdoor code to the project,
and it began to be pushed out to different Linux distros. The rollout was just beginning when it was
discovered by Andres Freund. This attack has the hallmarks of a nation-state actor, but no attribution
has been made.
Since the investigation into the XZ backdoor is ongoing, the details surrounding the vulnerability are slim
and inconsistent. However, it appears that the backdoored code targeted decryption routines in
OpenSSH and allowed attackers holding a specific key to execute code before the authentication step,
effectively bypassing it. With the discovery coming so early in the rollout process, only the cutting-edge
versions of Linux distributions appear to be impacted. If a system meets the following conditions, it is
advised to downgrade the XZ utility to an uncompromised version.
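As an added triage example (not code from the original brief), the following POSIX shell script checks the two signals a defender wants before deciding whether to downgrade: whether the installed xz/liblzma is one of the affected releases, 5.6.0 or 5.6.1, and whether the local sshd binary links liblzma at all. The sshd path lookup and the `xz --version` parsing assume a typical Linux layout.

```shell
#!/bin/sh
# Added example: local triage check for CVE-2024-3094 (not from the original brief).
# Signal 1: is the installed xz/liblzma one of the two backdoored releases?
# Signal 2: does the running sshd link liblzma (the path by which xz reaches OpenSSH)?

# Return 0 (true) if the given version string is 5.6.0 or 5.6.1.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the version from the first line of `xz --version`, e.g. "xz (XZ Utils) 5.6.1".
installed_xz_version() {
    xz --version 2>/dev/null | awk 'NR==1 {print $NF}'
}

# Return 0 if the given ldd output lists liblzma among the shared libraries.
ldd_shows_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma'
}

main() {
    ver=$(installed_xz_version)
    if [ -z "$ver" ]; then
        echo "xz not found on PATH; check liblzma via the package manager instead"
    elif xz_version_affected "$ver"; then
        echo "AFFECTED: xz/liblzma $ver is a backdoored release; downgrade to an unaffected version"
    else
        echo "xz version $ver is not one of the affected releases"
    fi

    # Assumed sshd location: PATH first, then the usual /usr/sbin fallback.
    sshd_path=$(command -v sshd 2>/dev/null || ls /usr/sbin/sshd 2>/dev/null)
    if [ -n "$sshd_path" ] && ldd_shows_liblzma "$(ldd "$sshd_path" 2>/dev/null)"; then
        echo "sshd at $sshd_path links liblzma: exposed if an affected version is installed"
    else
        echo "sshd does not link liblzma (or sshd was not found)"
    fi
}

main
```

Run it on each host as the user that can read the sshd binary; an "AFFECTED" line together with an sshd that links liblzma is the combination that calls for the downgrade described above.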