Home
cover of episode Risky Biz News: Epic supply chain attack on Linux SSH

Risky Biz News: Epic supply chain attack on Linux SSH

2024/3/31
logo of podcast Risky Business News

Risky Business News

Shownotes Transcript

A supply chain attack impacts multiple Linux distros, AT&T confirms a 2019 data breach, Canonical switches to manual reviews after a flood of scammy apps, and HP finally leaves Russia.

This is Risky Business News, prepared by Katalin Kimpanu and read by me, Clare Eyred. Today is the 1st of April, and this podcast episode is brought to you by Resourcely, the company that can help you manage Terraform securely. In today's top story, software engineer Andres Freund has discovered a secret backdoor in the XZUtils compression library.

The backdoor allows attackers to execute code on Linux systems that have SSH enabled and use a recent version of the XZutils library. Malicious versions of the XZ library were available online for almost a month before the backdoor mechanism was discovered. These versions were included in unstable versions of several Linux distributions, such as Debian, Fedora, and many others. The backdoor had not yet shipped with stable Linux distros.

Freund says he discovered the backdoor by accident while investigating high CPU usage in the SSH process. He tracked down the backdoor to a mysterious online persona named Gia Tan. The threat actor played the long game. They began contributing code to the XZUtils project in 2022 and became a maintainer last year. They used multiple sock puppet accounts to pressure the XZUtils to add a new maintainer to the project.

They also contributed code to other open source projects and investigations into their actions are underway. In other news, AT&T has acknowledged that hackers have stolen the information of 73 million customers. The company says the data originates from a 2019 security breach. AT&T says the data contains information on 7.6 million current subscribers and 65.4 million former customers. The

The company said it found no evidence of a breach of its systems, suggesting the incident might have impacted a third party. AT&T confirmed the breach after a threat actor began selling the data on a hacking forum in mid-March. It repeatedly denied the authenticity of the data until the Friday before the Easter holiday. AT&T is currently resetting user account passcodes.

A threat actor has stolen $11.6 million worth of assets from cryptocurrency platform Prisma Finance. The attacker claimed to be a security researcher and described the hack as a white hat rescue. Unlike in similar cases, the attacker has dragged out negotiations and has not yet returned the stolen funds.

The British Nuclear Energy Watchdog has started legal proceedings against the Sellafield Nuclear Material Processing Site. The UK Office for Nuclear Regulation has charged the site's operators with cyber security violations between 2019 and 2023. The Sellafield plant suffered a ransomware attack in December of last year.

The US government has refused to identify the leader of its Joint Election Security Task Force. Officials say they want to shield its task force from threats and harassment. The task force is named the Election Security Group and operates under US Cyber Command and the National Security Agency.

The Indian government says it worked with Cambodian authorities to rescue and repatriate Indian nationals forced to work in cybercrime compounds. Officials say they repatriated 75 nationals over the past three months, bringing the total to 250. Cambodia joins Myanmar, Indonesia and the Philippines in cracking down on cybercrime compounds, freeing and repatriating trapped workers.

Canonical has switched to doing manual reviews for all apps submitted to the Ubuntu OS App Store. The company changed its procedures after multiple publishers attempted to upload malicious crypto wallet applications to the store. Canonical intends to create a separate app submission policy for cryptocurrency wallets going forward. It previously rolled out verified accounts as a way for users to spot impersonators.

American computer and printer maker HP has completed its exit from the Russian market. The company stopped all shipments to Russia in February 2022 after its invasion of Ukraine. It began winding down operations in May of the same year and had planned for a final exit in May this year. HP pulled out of Russia last week, two months ahead of its planned departure. The move has surprised Russian companies, which cannot update drivers or contact support.

And finally, instant messaging service Telegram has rolled out a new privacy feature that allows users to restrict who can message them. The feature will first roll out to users in Russia, Belarus and Ukraine. Telegram rolled out the feature after Russian users reported receiving messages from strangers calling for terrorist attacks. And that is all for this podcast edition. Today's show was brought to you by our sponsor, Resourcely. Find them at resourcely.io. Thanks for your company.