Unveiling the Critical Attack Path for Implanting Backdoors in Supply Chains: Practical Experience from XZ
摘要
Recently, a previously unseen supply chain attack due to a backdoor in XZ Utils has been identified by A. Freund. This particular attack leverages highly sophisticated attack techniques, starting with social engineering attacks against the open source community up to implanting a backdoor in obfuscated binary blobs. This malware is designed to empower the attacker(s) to remotely run commands on vulnerable servers utilizing SSH evading authentication. A reverse dependency analysis revealed that the affected library is used by almost 30,000 packages in Debian and Ubuntu—the same order of magnitude as the GNU standard C library (glibc/libc6), a dependency for roughly 50,000 packages on these systems. This fact highlights the severity of such supply chain attacks and raises concerns about further backdoored packages still undetected in the wild. This paper identifies the critical attack path for successful implantation of such a backdoor and abstracts general key takeaways for future detection and mitigation of similar attacks. We also present SketchyCrawler, an open-source tool prototype designed to illustrate crawling repositories to reveal ‘sketchy’ signs of potential backdoor implantation attempts.