
From Reactive to Proactive: Shifting Cybersecurity Paradigms Post-XZ

Updated: Apr 8, 2024

A week into the XZ supply chain attack, most first responders will have run the gauntlet of reading blogs for actionable nuggets and listening to endless security vendor briefings. 


But haven't we been down this road before? Why is this still an issue?


 “History doesn’t repeat itself, but it often rhymes.” [1]


This article isn’t about new nuggets in XZ, but discusses the elements where the XZ backdoor rhymes with previous security incidents, and offers an alternative way of understanding how to be better prepared for these sorts of insidious attacks.



Unpacking the XZ Backdoor: A Security Wake-Up Call


Over a span of about 2.5 years[2], a user named Jia Tan started contributing changes to XZ. Gradually, Jia Tan built up trust with the community until he could submit changes containing the backdoor.


Although the initial suspicious commits may have occurred around Friday February 23, 2024, the broader world only became aware of this issue when Andres Freund made a post about it on Openwall[3]. Interestingly, this disclosure happened around the time of the Good Friday holiday, part of the Easter long weekend, when many people were likely away from their screens.


As first responders are brutally aware, attacks often hit during weekends[4] when security teams are typically understaffed and under more strain, compelling organizations to depend even more heavily on their security technology. This pattern of timing attacks for weekends is a recurring strategy, exploiting periods of reduced vigilance.


But here's the thing: a lot of the security tech out there isn’t really cut out for these kinds of attacks, unless the tech is meticulously chosen for this purpose and subjected to regular in-kind testing. This highlights the critical need for organizations not only to select their security solutions with care but also to continuously validate their effectiveness through rigorous testing, ensuring preparedness for attacks even during under-staffed times.



Stealth Tactics: From SolarWinds to XZ


The open source backdoor incident in XZ from October 29, 2021 to March 28, 2024, shares notable similarities with the breach of the SolarWinds Orion RMM (Remote Monitoring and Management) product, which spanned from September 4, 2019 to December 12, 2020. Both events have left security vendors and their clients searching for effective solutions.


SolarWinds revealed that attackers first breached their build environment on September 4, 2019[5], but the presence of the backdoor remained unknown to the public and SolarWinds' customers until Saturday December 12, 2020.


The SUNBURST backdoor deployed in SolarWinds was very sophisticated, with much of its malicious payload hidden in an encoded form, making it difficult to detect. This stealth tactic is somewhat mirrored in the XZ compromise, where the backdoor was cleverly concealed within a binary test file. Furthermore, SUNBURST utilized naming conventions[6] similar to those of the SolarWinds development team, enabling it to blend in seamlessly with legitimate source code. In contrast, the XZ project was compromised directly, through what appeared to be legitimate contributions from a member of the development community.


The implications of the SUNBURST backdoor were significant, impacting key security vendors like FireEye, Microsoft, and Cisco, and targeting government entities such as the Department of Energy and the National Nuclear Security Administration[7]. While we know that the XZ backdoor affects OpenSSH’s SSH server daemon, the full extent of the victims and the attackers' objectives remains unclear.



RMM Attack Evolution: Beyond SolarWinds and Kaseya


The SolarWinds RMM supply chain attack marked a significant turning point, triggering a wave of RMM and supply chain attacks. A notably sophisticated attack followed on Friday, July 2, 2021, when hackers targeted Kaseya VSA RMM software to deploy the REvil Ransomware. This particular assault took advantage of the long July 4th weekend, exploiting a vulnerability in the Windows Defender security product to execute the ransomware.


The strategy of combining legitimate RMM software with a compromised Windows Defender to facilitate the ransomware execution proved effective against many security defenses. Launching the attack right before a long weekend was strategic, catching security teams off-guard and under-resourced.


The SolarWinds incident paved the way for the Kaseya attack and set a precedent for a series of RMM-related attacks. These ranged from direct backdoor installations in the initial SolarWinds and Kaseya cases to exploiting vulnerabilities[8] and misconfigurations in various RMM tools. Attackers have also been known to install RMM software[9] as part of their strategies to maintain persistence and even sell access through Initial Access Broker (IAB) marketplaces. What consequences the XZ incident will lead to remains an open question.



Cybersecurity Evolved: Gaining an Edge Over Attackers


Have you been in discussions with leading EDR/SASE/ETC vendors who “guaranteed” their systems could preemptively protect against zero-day threats, including notorious incidents like the Kaseya-REvil ransomware, only to be let down when their defenses failed during a crucial moment—perhaps during a holiday weekend? These experiences, shared by many security engineers, spotlight the genuine obstacles and occasional letdowns in the field of cybersecurity.


Embracing a strategy of continuous endpoint testing with an assumed breach mindset represents a forward-thinking approach. This tactic prepares for major attacks like zero-days and supply chain attacks and presumes that attackers may have already penetrated perimeter defenses, potentially accessing internal systems. It emphasizes the relentless scrutiny of all organizational endpoints to uncover misconfigurations and potential backdoors, including those introduced through supply chain vulnerabilities. CyTest couples continuous assumed breach testing with a predictive understanding of what attackers could do.


To fortify your cybersecurity posture effectively, it is essential to:


  • Choose the most reliable security solutions for every layer of your security framework, and validate their effectiveness, which changes over time, through automated continuous assumed breach testing.

  • Constantly ensure optimal configuration of every security tool from the perspective of all endpoints.

  • Equip your security team with the expertise and tools necessary to manage and mitigate incidents like these efficiently.

  • Regularly run both live fire drills and tabletop exercises using simulations to practice defending against complex threats like supply chain attacks.

  • Reduce redundancy in security coverage.

Adopting these measures can significantly enhance your organization's defense mechanisms, reducing the risk of security breaches and ensuring a robust response to emerging threats.
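As an added illustration of the checklist above, and of the earlier point that the XZ backdoor reached OpenSSH's server daemon through a compression library sshd has no business depending on, here is a small endpoint-validation pass. It is example code written for this article, not CyTest's product or any project's own tooling. It parses captured `ldd` output for sshd (the sample outputs below are constructed) and reports when liblzma is in sshd's resolved dependency list, then runs a few per-endpoint checks on security-tool state; the `Endpoint` fields, the `last_breach_test_passed` flag and the three-day definition-age threshold are assumptions standing in for whatever your agent or inventory actually reports. No vulnerable xz version is hardcoded; a hit on the liblzma check is meant to be resolved against the vendor advisory for that host's package.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed sample `ldd /usr/sbin/sshd` output. The first resembles a distribution
# where sshd links libsystemd, which in turn pulls in liblzma; the second does not.
LDD_WITH_LZMA = """\
        linux-vdso.so.1 (0x00007ffd4c1f0000)
        libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f1c2a000000)
        libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f1c29f00000)
        liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f1c29ec0000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c29c00000)
"""
LDD_WITHOUT_LZMA = """\
        linux-vdso.so.1 (0x00007ffd4c1f0000)
        libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f1c2a000000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c29c00000)
"""

# Lines of the form "<soname> => <path> (<addr>)"; the vdso and loader lines have no "=>".
LDD_LINE = re.compile(r"^\s*(\S+)\s+=>\s+(\S+)")


def linked_libraries(ldd_output: str) -> dict:
    """Map soname -> resolved path from ldd output."""
    libs = {}
    for line in ldd_output.splitlines():
        m = LDD_LINE.match(line)
        if m:
            libs[m.group(1)] = m.group(2)
    return libs


def sshd_links_liblzma(ldd_output: str) -> bool:
    """True if any liblzma soname appears in sshd's resolved dependency list."""
    return any(name.startswith("liblzma.so") for name in linked_libraries(ldd_output))


@dataclass
class Endpoint:
    name: str
    sshd_ldd: str                    # captured `ldd` output for sshd on this host
    edr_running: bool
    edr_tamper_protection: bool
    edr_definitions_updated: datetime
    last_breach_test_passed: bool    # hypothetical: result of the last scheduled assumed-breach test


@dataclass
class Finding:
    endpoint: str
    check: str
    severity: str
    detail: str


MAX_DEFINITION_AGE = timedelta(days=3)  # assumed threshold; tune to your update cadence


def run_checks(ep: Endpoint, now: datetime) -> list:
    """Apply every check to one endpoint and return its findings."""
    findings = []
    if sshd_links_liblzma(ep.sshd_ldd):
        findings.append(Finding(ep.name, "sshd-liblzma", "high",
                                "sshd resolves liblzma; verify the xz package against the vendor advisory"))
    if not ep.edr_running:
        findings.append(Finding(ep.name, "edr-running", "critical", "EDR agent not running"))
    elif not ep.edr_tamper_protection:
        findings.append(Finding(ep.name, "edr-tamper", "high", "EDR tamper protection disabled"))
    age = now - ep.edr_definitions_updated
    if age > MAX_DEFINITION_AGE:
        findings.append(Finding(ep.name, "edr-definitions", "medium", f"definitions {age.days} days old"))
    if not ep.last_breach_test_passed:
        findings.append(Finding(ep.name, "breach-test", "high", "last assumed-breach test failed"))
    return findings


def fleet_report(endpoints, now: datetime) -> list:
    """All findings across the fleet, most severe first, so the on-call engineer sees the worst at the top."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    findings = [f for ep in endpoints for f in run_checks(ep, now)]
    return sorted(findings, key=lambda f: (order[f.severity], f.endpoint))


# Constructed fleet snapshot taken on the morning the XZ disclosure landed.
SAMPLE_NOW = datetime(2024, 3, 29, 9, 0)
SAMPLE_FLEET = [
    Endpoint("build-01", LDD_WITH_LZMA, True, True, datetime(2024, 3, 28), True),
    Endpoint("bastion-02", LDD_WITHOUT_LZMA, True, False, datetime(2024, 3, 20), False),
    Endpoint("dev-03", LDD_WITHOUT_LZMA, False, False, datetime(2024, 3, 28), True),
]

if __name__ == "__main__":
    for f in fleet_report(SAMPLE_FLEET, SAMPLE_NOW):
        print(f"{f.severity:8} {f.endpoint:12} {f.check:16} {f.detail}")
```

Run as a script it prints the five findings for the constructed fleet, with the host whose EDR agent is down first. The point of the structure is that each check is cheap enough to run on every endpoint on a schedule rather than once at procurement time, which is what "continuous" means in the list above: the sshd check would have been green on most fleets for years and turned red only when a distribution's linking changed.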



About CyTest


CyTest provides tailored and automated audits of client security systems to ensure optimal security configurations, continuous automated testing for potential threats, and support live fire drills with simulated, unexpected major attacks.


Don't get caught off guard by the next major attack. CyTest simulates potential attacks in your environment before they happen, allowing you to identify and prioritize workflows effectively.



Endnotes

  1. https://quoteinvestigator.com/2014/01/12/history-rhymes/

  2. 2021-10-29 to 2024-03-28 https://research.swtch.com/xz-timeline

  3. https://www.openwall.com/lists/oss-security/2024/03/29/4

  4. https://news.sophos.com/en-us/2023/08/23/ransomware-actors-log-on-when-you-log-off-heres-how-to-stop-them/

  5. https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/

  6. https://www.reversinglabs.com/blog/sunburst-the-next-level-of-stealth

  7. https://www.bleepingcomputer.com/news/security/the-solarwinds-cyberattack-the-hack-the-victims-and-what-we-know/

  8. https://www.msspalert.com/news/connectwise-vulnerabilities-have-the-msp-world-abuzz 

  9. An example of the installation of legitimate RMM tools is shown in the excellent analysis from the DFIR Report https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours/



©2023 by CyTest.
