XZ Utils Critical Backdoor (CVE-2024-3094) - The Fallacy of Secure Open Source Code

Update: 2024-11-19

Description

How much time would you spend on executing the perfect hack?  


The user going by the name of ‘JiaT75’ spent almost three years infiltrating and contributing to a GitHub repo for one singular reason – access to release manager rights for the next XZ Utils update.




In this episode of Threat Talks, host Lieuwe Jan Koning is joined by Thomas Manolis, Information Security Officer at AMS-IX, and Jeroen Scheerder, Security Specialist at ON2IT, to discuss this meticulously executed breach in the open-source community.


 


Using clever social engineering tactics, Jia Tan (JiaT75) built a credible reputation within said community, gaining trust and access to introduce malicious code undetected. The breach was only discovered by chance when Andres Freund, an engineer at Microsoft, traced unusual system latency back to XZ Utils and uncovered the backdoor.


 


What exactly happened?


How lucky did we get with Freund discovering the backdoor? And how do we know that something like this hasn’t happened before?



🔔 Follow to Support our channel! 🔔
► YOUTUBE: https://youtube.com/@ThreatTalks


► SPOTIFY: https://open.spotify.com/show/1SXUyUEndOeKYREvlAeD7E


► APPLE: https://podcasts.apple.com/us/podcast/threat-talks-your-gateway-to-cybersecurity-insights/id1725776520




🗾 Explore the XZ Utils Critical Backdoor Details 🗾



https://on2it.s3.us-east-1.amazonaws.com/Infographic-security-fallacies.pdf


Our exclusive infographic maps out the step-by-step tactics hackers use to exploit these vulnerabilities. Perfect for IT teams and Information Security Officers, it’s designed to help you stay one step ahead.


 


👕 Get your own Threat Talks T-shirt


https://threat-talks.com/breaking-the-illusion-exposing-security-fallacies/


 


🕵️ Threat Talks is a collaboration between ON2IT and AMS-IX


===


#ThreatTalks #ON2IT #Cybersecurity #Fallacies #CrowdStrike #SecurityMatters
