⏰ How much time would you spend on executing the perfect hack? ⏰
The user going by the name of ‘JIAT75’ spent almost three years infiltrating and contributing to a GitHub repo for one singular reason – access to release manager rights for the next XZ Utils update.
In this episode of Threat Talks, host Lieuwe Jan Koning is joined by Thomas Manolis, Information Security Officer at AMS-IX, and Jeroen Scheerder, Security Specialist at ON2IT, to discuss this meticulously executed breach in the open-source community.
Using clever social engineering tactics, Jia Tan (JIAT75) built a credible reputation within said community, gaining trust and access to introduce malicious code undetected. The breach was only discovered by chance when Andres Freund, an engineer at Microsoft, traced unusual system latency back to XZ Utils and uncovered the backdoor.
What exactly happened?
How lucky did we get with Freund discovering the backdoor? And how do we know that something like this hasn’t happened before?
🔔 Follow to support our channel! 🔔
► YOUTUBE: https://youtube.com/@ThreatTalks
► SPOTIFY: https://open.spotify.com/show/1SXUyUEndOeKYREvlAeD7E
🗾 Explore the XZ Utils Critical Backdoor Details 🗾
https://on2it.s3.us-east-1.amazonaws.com/Infographic-security-fallacies.pdf
Our exclusive infographic maps out the step-by-step tactics hackers use to exploit these vulnerabilities. Perfect for IT teams and Information Security Officers, it’s designed to help you stay one step ahead.
👕 Get your own Threat Talks T-shirt
https://threat-talks.com/breaking-the-illusion-exposing-security-fallacies/
🕵️ Threat Talks is a collaboration between ON2IT and AMS-IX