Cyberattack: German developer accidentally prevents what could have been the largest attack of all time

A sophisticated and extremely complex cyber attack was intended to open up hundreds of millions of computers to the attackers. Then Microsoft developer Andres Freund stumbled upon a strange bug in his free time.

There are moments when the world avoids catastrophe through a small act, simply because someone notices something small. Even what could have been the largest cyber attack to date was stopped in its early stages this week only by chance: a single volunteer was bothered by a bizarre error.

“There were really a lot of coincidences,” explained Andres Freund when he first published his find on the short message service Mastodon. The German works as a software developer for Microsoft in the USA and is not involved in IT security at work. Nevertheless, he discovered a backdoor with gigantic potential for damage to almost the entire Internet.

Chance find

Freund told the New York Times how he stumbled upon it. He had just visited his parents and was on the flight back to California when strange error messages appeared during routine testing of one of his software projects. Freund was overtired and did not feel the messages were urgent, so he did not pursue them any further. It was only a few weeks later that he remembered the errors.

That was also a coincidence. While checking his software, he noticed that the SSH service was making unusually heavy demands on the computer's processor. The protocol is used for logging on to computers and servers remotely and is one of the most important pillars of the Internet's infrastructure. On closer inspection, he was able to trace the problem back to the small utility xz Utils, and the long-forgotten error messages came back to him. So he kept digging. He actually found malicious code in the latest version of the program that opened a well-hidden backdoor, which in turn would have enabled access to millions of computers and servers.

“It was very mysterious,” said Freund. “Someone has clearly gone to great lengths to hide what they are doing.”

Sophisticated cyber attack

Who exactly installed the backdoor is now being investigated. According to experts, the procedure and the level of knowledge required indicate that full professionals were at work here, probably even on behalf of a government. Only the user name “Jia Tan” can be found in the code, which is why a trail to China is suspected. However, it is extremely unlikely that this is a real name.

The fact that state hackers are suspected of being behind the attack is also due to the approach. The backdoor was cleverly implemented and well camouflaged, and the attack was apparently prepared for years: xz Utils, like large parts of the network's most important infrastructure, is maintained by volunteers who work on a principle of trust. Although in theory anyone can suggest changes, only the so-called “maintainers”, who must first prove themselves trustworthy, are allowed to implement them. “Jia Tan” had also been working on the small program for years. From the end of 2021 he suggested changes, slowly built trust and worked his way up to maintainer, until he was finally able to install the secret backdoor in February. The other maintainer, Lasse Collin, has since confirmed this on his blog.

According to “Security Boulevard”, Jia Tan was supported by several other fake accounts that backed his suggested changes. “Someone was clearly playing for the long term here,” says expert Mike Larkin.

BSI is already warning

A warning issued by the Federal Office for Information Security (BSI) on Wednesday shows how great the danger is: “The vulnerability was rated ‘critical’ with the highest possible CVSS score of 10 out of 10,” the authority warns. It makes it possible to bypass authentication via SSH, i.e. it allows unauthorized access to third-party systems. “Because the SSH daemon is used on almost all Linux servers and the systemd service(s) have been increasingly used in recent years, a large number of servers on the Internet are potentially affected by the vulnerability,” the BSI explains.
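As an added example that is not part of the article (nor code from the xz project or the BSI): a small POSIX shell triage script for a Linux host. It checks whether the installed xz Utils is one of the two releases that shipped the backdoor (5.6.0 and 5.6.1, a known fact not stated in the article) and whether the local sshd binary pulls in liblzma, which is the code path the BSI warning refers to, since sshd reaches liblzma through its libsystemd dependency. The function names and the constructed ldd sample are the example's own.

```shell
#!/bin/sh
# Added example (not from the article): triage a Linux host for the xz Utils
# backdoor. Known backdoored releases: xz 5.6.0 and 5.6.1 (fact, not stated in
# the article). The backdoor was reached through sshd -> libsystemd -> liblzma.

# Return 0 (true) if the version string is a known backdoored release, else 1.
# Pure string check so it can be tested offline.
is_affected_xz_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the version from the first line of `xz --version` output,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1". Takes the text as an argument so the
# parsing works without xz installed.
parse_xz_version() {
    printf '%s\n' "$1" | sed -n '1s/.*[Uu]tils) *\([0-9][0-9.]*\).*/\1/p'
}

# Given `ldd` output for sshd, return 0 if liblzma is among the shared
# libraries it would load (ldd lists transitive dependencies, so a link via
# libsystemd shows up here too).
sshd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma'
}

# Constructed sample of what `ldd /usr/sbin/sshd` looks like on an affected
# distribution (hypothetical paths and addresses, for demonstration only).
SAMPLE_LDD='	linux-vdso.so.1 (0x00007fff0000)
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0001)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0002)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0003)'

# Live triage of the current host. Prints findings; exit 0 means no known
# backdoored xz release was found.
triage_host() {
    rc=0
    if command -v xz >/dev/null 2>&1; then
        ver=$(parse_xz_version "$(xz --version 2>/dev/null)")
        if is_affected_xz_version "$ver"; then
            echo "WARNING: xz $ver installed (known backdoored release)"
            rc=1
        else
            echo "xz $ver installed (not a known backdoored release)"
        fi
    else
        echo "xz not installed"
    fi
    sshd_path=$(command -v sshd 2>/dev/null || ls /usr/sbin/sshd 2>/dev/null)
    if [ -n "$sshd_path" ] && command -v ldd >/dev/null 2>&1; then
        if sshd_links_liblzma "$(ldd "$sshd_path" 2>/dev/null)"; then
            echo "NOTE: $sshd_path loads liblzma; the backdoor's code path exists if xz is affected"
        else
            echo "$sshd_path does not load liblzma"
        fi
    fi
    return $rc
}

# Run the live check only when asked, so the functions can be sourced safely.
case "${1:-}" in
    --run) triage_host ;;
esac
```

Run it with `sh xz_triage.sh --run` (hypothetical file name). A non-zero exit means a known backdoored xz release is installed; the liblzma note on its own only says the loading path is present, not that the library is malicious.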

The fact that the damage so far appears to be minimal is because Freund stumbled over the backdoor very early. Only a few Linux distributions had already shipped the latest version of xz Utils; most others roll out updates more slowly. “It has had no effect in the real world so far,” security expert Will Dormann told Ars Technica. Had the backdoor only been discovered in a year or even later, things would have looked very different, Dormann believes. “If this had not been discovered, it would have been catastrophic for the world.”

Facebook’s former security chief Alex Stamos also shares this assessment: “This could have been one of the most widespread and effective backdoors of all time,” he told the New York Times. “It would be as if someone had the master key to hundreds of millions of computers.”

Unwilling hero

So it is no wonder that Freund is celebrated as a hero in the community. Microsoft CEO Satya Nadella praised Freund's curiosity and craftsmanship as exactly what the security community needs. Others compared him to a silverback gorilla. The accidental hero himself, however, is rather uncomfortable with the hype surrounding him. He did not even want to be photographed for the interview with the NYT. “I find this all very strange,” he told the newspaper. “I'm a rather private guy who just sits in front of the computer and hacks away at program code.”

Alongside his normal job, he now supports the team trying to uncover the origin of the attack. That is why he does not want to celebrate his success yet, he told the NYT: “I don't actually have time to toast it now.”

Sources: Mastodon, New York Times, Ars Technica, Security Boulevard, X, BSI, Tukaani, swtch
