Microsoft Engineer Thwarts Backdoor Attack … in Linux

Linux attack thwarted

A Microsoft engineer recently discovered a backdoor attack in a set of compression utilities that was about to be added to multiple Linux distributions, narrowly averting what security researchers say would have been “a nightmare scenario.” The most incredible part of this story? He found the backdoor accidentally.

“I was doing some micro-benchmarking, needed to quiesce the system to reduce noise,” Microsoft’s Andres Freund later explained on Mastodon. “Saw sshd processes were using a surprising amount of CPU, despite immediately failing because of wrong usernames etc. … Got suspicious … Really required a lot of coincidences.”


Freund reported the backdoor attack last Friday, noting that it can be found in XZ Utils versions 5.6.0 and 5.6.1, which were about to ship in the stable releases of multiple Linux distributions in the coming days. And while it’s still early days in the security investigation, it appears that the individual who uploaded the malicious payload had spent over two years becoming a trusted contributor to the XZ codebase so that he could launch this attack.

“This might be the best executed supply chain attack we’ve seen described in the open, and it’s a nightmare scenario: malicious, competent, authorized upstream in a widely used library,” cryptographer Filippo Valsorda tweeted. “It has everything: malicious upstream, masterful obfuscation, detection due to performance degradation, inclusion in OpenSSH via distro patches.”

Freund’s heroic save has been widely lauded, including by Microsoft CEO Satya Nadella, who took to his company’s LinkedIn service, naturally, to praise the engineer.

“Love seeing how Andres Freund, with his curiosity and craftsmanship, was able to help us all,” he wrote. “Security is a team sport, and this is the culture we need everywhere.”

Even the U.S. government has taken note, with National Cyber Director Anjana Rajan describing the attempted attack as “an insider threat in the open source ecosystem, which we haven’t really seen before.” And the Cyber Defense Agency issued an alert calling on experts to help find similar malicious activities.

If this doesn’t soften the Linux community’s stance on Microsoft, nothing will.



Thurrott © 2024 Thurrott LLC