Скачать или смотреть The XZ Util Deception An attack on OSS you're probably using - Improving Talks Series

From November 2021, thru February 2024 "Jia Tan" perpetrated a meticulous attack on a popular open-source data-compression library, XZ Utils. This sophisticated attack, assigned the highest possible CVSS score of 10.0, nearly granted its perpetrators unauthorized remote administrative access to millions of Linux systems worldwide through compromised SSH functionality.

We will delve into the multi-year campaign to learn how this perpetrator coerced the original maintainer into ceding control. We will explore the technical ingenuity of the backdoor, specifically how it injected hidden multi-stage malicious code into the liblzma library, while evading standard source code reviews. And we'll expose how the attacker intended to introduce additional vulnerabilities and achieve sustained access in subsequent versions.

This webinar will highlight the pivotal responsibiolity of the open-source communities, and discuss how the trust-based model inherent to OSS can be exploited. We will analyze the exploit and, more importantly, draw profound lessons learned to equip yourself with essential strategies for proactive security against similar advanced persistent threats in the future.