How to Protect Against a Supply Chain Compromise: Takeaways From the XZ Utils Backdoor

April 10, 2024
John Mancini
Product Management at Vectra AI

Protecting against a supply chain compromise should not be a matter of luck, but sometimes it is. This was particularly evident in the recent supply chain compromise involving XZ Utils, an open-source data compression utility widely used across Linux and Unix-like operating systems. On March 29th, a malicious commit was discovered in the XZ Utils repository, introducing a backdoor that would compromise systems running the software. The backdoor allowed an unauthorized party holding a specific private key to inject arbitrary code via an SSH login certificate. The motives behind this backdoor are still under investigation.

How Does Vectra AI Protect Customers from Exploits Like the XZ Utils Backdoor?

The Vectra AI Platform can identify attackers exploiting these types of backdoors. In incidents where backdoors like the one found in XZ Utils are exploited, Vectra AI's detection capabilities would identify the core sequence of the attacker's progression, from remote access through discovery to lateral movement, well before the attack could achieve its objectives. The detections most relevant to an exploited XZ Utils backdoor are Suspicious Remote Access, which fires on reverse SSH tunnels, and Suspicious Admin, which flags lateral movement over the SSH protocol.
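The behavior sequence described above can be expressed as a small correlation rule over connection records. The following is an added example, not Vectra AI's code or detection models: it flags an internal host on which an inbound SSH session from an external address is followed by discovery (many distinct internal hosts probed on non-SSH ports) and then lateral movement (SSH to several distinct internal hosts), and separately lists internal hosts that open SSH sessions outbound, which is how a reverse tunnel looks on the wire. The 10.0.0.0/8 internal range, port 22 as the SSH port, the thresholds, and the connection records themselves are assumptions and constructed sample data.

```python
"""Behaviour-sequence correlation over SSH connection records.

Added example, not Vectra AI code. Flags an internal host on which the
sequence remote access -> discovery -> lateral movement is observed, and
lists outbound SSH sessions initiated from internal hosts.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: the site's internal address space; adjust to your environment.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
SSH_PORT = 22


@dataclass(frozen=True)
class Conn:
    """One connection record: epoch seconds, source IP, destination IP, destination port."""
    ts: int
    src: str
    dst: str
    dport: int


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_sequences(conns, window=3600, discovery_min=5, lateral_min=3):
    """Return one finding per internal host that, after an inbound SSH session
    from an external address, touches >= discovery_min distinct internal hosts
    on non-SSH ports and then opens SSH to >= lateral_min distinct internal
    hosts, all within `window` seconds of the initial access."""
    conns = sorted(conns, key=lambda c: c.ts)

    # Step 1: remote access. Earliest inbound SSH from outside, per internal host.
    access = {}
    for c in conns:
        if c.dport == SSH_PORT and is_internal(c.dst) and not is_internal(c.src):
            access.setdefault(c.dst, (c.ts, c.src))

    findings = []
    for host, (t0, ext_src) in access.items():
        later = [c for c in conns
                 if c.src == host and is_internal(c.dst) and t0 <= c.ts <= t0 + window]

        # Step 2: discovery. Distinct internal hosts probed on non-SSH ports.
        probed = {}
        for c in later:
            if c.dport != SSH_PORT:
                probed.setdefault(c.dst, c.ts)
        if len(probed) < discovery_min:
            continue
        t_discovery = sorted(probed.values())[discovery_min - 1]  # when the threshold was reached

        # Step 3: lateral movement. Distinct internal SSH targets after discovery began.
        ssh_targets = {}
        for c in later:
            if c.dport == SSH_PORT and c.ts >= t_discovery:
                ssh_targets.setdefault(c.dst, c.ts)
        if len(ssh_targets) < lateral_min:
            continue
        t_lateral = sorted(ssh_targets.values())[lateral_min - 1]

        findings.append({
            "host": host,
            "external_src": ext_src,
            "remote_access_ts": t0,
            "discovery_ts": t_discovery,
            "lateral_ts": t_lateral,
            "hosts_probed": len(probed),
            "ssh_targets": sorted(ssh_targets),
        })
    return findings


def outbound_ssh(conns):
    """(internal src, external dst) pairs for SSH sessions initiated from inside.
    An internal server opening SSH to the outside is how a reverse tunnel (ssh -R)
    appears at the network level; it is a heuristic, not proof of a tunnel."""
    return sorted({(c.src, c.dst) for c in conns
                   if c.dport == SSH_PORT and is_internal(c.src) and not is_internal(c.dst)})


def build_sample():
    """Constructed records (not real traffic): one compromised host plus benign noise."""
    recs = [Conn(0, "203.0.113.7", "10.0.1.20", 22)]            # external SSH into 10.0.1.20
    recs += [Conn(60 + i, "10.0.1.20", f"10.0.1.{30 + i}", 445)  # SMB probes to 7 internal hosts
             for i in range(7)]
    recs += [Conn(600, "10.0.1.20", "10.0.1.31", 22),            # SSH to three internal hosts
             Conn(601, "10.0.1.20", "10.0.1.33", 22),
             Conn(602, "10.0.1.20", "10.0.1.40", 22)]
    recs.append(Conn(900, "10.0.1.20", "203.0.113.7", 22))       # outbound SSH back to the external host
    recs += [Conn(100, "10.0.2.5", "10.0.2.6", 22),              # single admin SSH session, benign
             Conn(0, "198.51.100.9", "10.0.3.1", 22)]            # external SSH with no follow-on activity
    return recs


SAMPLE = build_sample()

if __name__ == "__main__":
    for f in detect_sequences(SAMPLE):
        print("sequence on", f["host"], "from", f["external_src"], "->", f["ssh_targets"])
    print("outbound SSH:", outbound_ssh(SAMPLE))
```

Only the host that completes all three stages in order is reported; a lone external SSH login with no follow-on activity and a single internal admin session are left alone. The thresholds are deliberately coarse, so in a real deployment the discovery and lateral stages would be tuned against the environment's normal SSH and service traffic.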

How Can I Find Out if I Was Exposed to the XZ Utils Vulnerability?

In response to the XZ Utils exploit, the community has published a project named xzbot. It offers tools for organizations to assess their exposure to this vulnerability, including:

  • honeypot: fake vulnerable server to detect exploit attempts
  • ed448 patch: patch to use our own ED448 public key
  • backdoor format: format of the backdoor payload
  • backdoor demo: cli to trigger the RCE assuming knowledge of the ED448 private key
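Before reaching for the tooling above, the first exposure question on any host is simply which xz and liblzma build is installed and whether the SSH daemon is linked against liblzma, the library XZ Utils provides. The following local check is an added example, not code from xzbot or Vectra AI: it parses `xz --version` output, compares the versions against a list you fill in from your distribution's advisory (the `AFFECTED_VERSIONS` placeholder is not a real version list), and asks `ldd` whether `sshd` pulls in liblzma. The sample version output is constructed and does not correspond to a real release.

```python
"""Local exposure check for the XZ Utils backdoor.

Added example, not code from xzbot or Vectra AI. Reports the installed
xz/liblzma versions, compares them with a caller-supplied affected list,
and checks whether sshd is dynamically linked against liblzma.
"""
import os
import re
import shutil
import subprocess

# PLACEHOLDER: populate from your distribution's advisory. Not real version numbers.
AFFECTED_VERSIONS = {"X.Y.Z-placeholder"}

# `xz --version` prints two lines: "xz (XZ Utils) <ver>" and "liblzma <ver>".
VERSION_RE = re.compile(r"^(xz \(XZ Utils\)|liblzma)\s+(\S+)", re.MULTILINE)


def parse_xz_version(output: str) -> dict:
    """Map 'xz' and 'liblzma' to the version strings found in `xz --version` output."""
    versions = {}
    for m in VERSION_RE.finditer(output):
        key = "xz" if m.group(1).startswith("xz") else "liblzma"
        versions[key] = m.group(2)
    return versions


def affected_components(versions: dict, affected=AFFECTED_VERSIONS) -> dict:
    """Subset of `versions` whose version string is on the affected list."""
    return {name: ver for name, ver in versions.items() if ver in affected}


def installed_xz_versions():
    """Run the local xz binary and parse its output; None when xz is not installed."""
    exe = shutil.which("xz")
    if exe is None:
        return None
    out = subprocess.run([exe, "--version"], capture_output=True, text=True, check=False)
    return parse_xz_version(out.stdout)


def sshd_links_liblzma():
    """True if ldd lists liblzma among sshd's shared libraries (directly or via a
    dependency such as libsystemd), False if not, None when sshd or ldd is not
    available. A statically linked or dlopen'd liblzma would not show up here,
    so a False is a first indication, not proof of safety."""
    sshd = shutil.which("sshd") or "/usr/sbin/sshd"
    ldd = shutil.which("ldd")
    if ldd is None or not os.path.exists(sshd):
        return None
    out = subprocess.run([ldd, sshd], capture_output=True, text=True, check=False)
    return "liblzma" in out.stdout


# Constructed sample output (not a real release) used for the self-check below.
SAMPLE_OUTPUT = "xz (XZ Utils) 9.9.9-constructed\nliblzma 9.9.9-constructed\n"

if __name__ == "__main__":
    local = installed_xz_versions()
    print("installed:", local)
    if local:
        print("affected components:", affected_components(local))
    print("sshd links liblzma:", sshd_links_liblzma())
```

Run it as root or as a user that can read the sshd binary; the version comparison is exact-string matching, so copy the version strings from the advisory verbatim, including any distribution suffix the packaged build carries.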

How Can I Protect Against Supply Chain Compromises in the Future?

It's crucial to understand that incidents like this should not deter organizations from using open-source software. Supply chain risks are not exclusive to open-source projects; they can also affect commercial software, as seen in the SolarWinds breach. The key to mitigating these risks lies in adopting detection and response technologies, like Vectra AI, which can identify threats regardless of the exploits attackers use. Vectra AI removes the need for luck to be the sole defense against a supply chain compromise. By focusing on attacker behaviors across network, identity, and cloud, it reliably surfaces an attacker whether they abuse XZ Utils or whatever other exploit is lying in wait.

As the threat landscape continues to evolve, we'll continue to provide updated resources to give defenders insight into threat actors like Scattered Spider, Midnight Blizzard (APT29), and more.