CVE-2024-3094
Published 2024-03-29
Priority: P1 (85) · critical · 10 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploit: EPSS 85.97% (99.7th percentile)
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0.
Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
Affected (19 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | xz-utils | < xz-utils 5.6.1+really5.4.5-1 (forky) | xz-utils 5.6.1+really5.4.5-1 (forky) |
| lighttpd | lighttpd | >= 0 < 1.4.76-r0 | 1.4.76-r0 |
| lighttpd | lighttpd | >= 0 < 1.4.76-r0 | 1.4.76-r0 |
| lighttpd | lighttpd | >= 0 < 1.4.76-r0 | 1.4.76-r0 |
| lighttpd | lighttpd | >= 0 < 1.4.76-r0 | 1.4.76-r0 |
| paloalto | cloud_ngfw | — | — |
| paloalto | cortex_xdr | — | — |
| paloalto | cortex_xdr_agent | — | — |
| paloalto | globalprotect_app | — | — |
| paloalto | pan-os | — | — |
| paloalto | prisma_access | — | — |
| paloalto | prisma_cloud | — | — |
| paloalto | prisma_cloud_compute | — | — |
| tukaani | xz | — | — |
| tukaani | xz | — | — |
| tukaani | xz | >= 0 < 5.6.1-r2 | 5.6.1-r2 |
| tukaani | xz | >= 0 < 5.6.1-r2 | 5.6.1-r2 |
| tukaani | xz | >= 0 < 5.6.1-r2 | 5.6.1-r2 |
| tukaani | xz | >= 0 < 5.6.1-r2 | 5.6.1-r2 |
Detection & IOCs (extracted from sources)
Command:
```sh
for xz_p in $(type -a xz | awk '{print $NF}' | uniq); do strings "$xz_p" | grep "xz (XZ Utils)" || echo "No match found for $xz_p"; done
```
- The malicious code is only present in the complete download tarballs, NOT in the Git repository source: the M4 macro (m4/build-to-host.m4) that triggers the backdoor build process is absent from Git.
- The backdoor hooks RSA_public_decrypt in OpenSSH via glibc's IFUNC mechanism; hunt for unexpected IFUNC resolver overrides in liblzma-linked processes, especially sshd.
- Anomalous SSH login slowness on Debian Sid / Fedora systems running xz 5.6.0 or 5.6.1 was the original discovery signal; treat unexplained sshd latency as a hunt pivot.
- The `is_arch_extension_supported` call being replaced by `_get_cpuid`, or `__get_cpuid` being overridden by a malicious object file, are runtime IOCs indicating active backdoor injection.
- The backdoor only injects when built on Linux with GCC, targeting Debian or Fedora distributions, and only when `config.status` is present; build environment checks can be used to scope exposure.
- In version 5.6.1, the Stage 1 payload includes an OS check repeated five times to ensure injection only on Linux; this repeated check pattern is detectable in static analysis of the extracted script.
- Docker images based on Debian with xz-utils 5.6.0 or 5.6.1 remain on Docker Hub; scan container images for the backdoored liblzma.so before pulling or deploying.
- The backdoor activates only when sshd is invoked via systemd; sshd started outside of systemd does not trigger the full backdoor, which can be used as a differential diagnostic.
- The backdoor is only present in xz-utils versions 5.6.0 and 5.6.1; versions 5.4.x and earlier are unaffected. Downgrade to 5.4.x or upgrade to 5.6.2+ to remediate.
- No versions of Red Hat Enterprise Linux (RHEL) are affected; impact is scoped to Fedora 41/Rawhide, Debian unstable (Sid) and other rolling distributions that patched sshd with liblzma.
- The backdoor was tailored to distributions that patch their SSH daemon with liblzma; systems where sshd is NOT linked against liblzma are not exploitable via this vector.
- Version 5.6.1 introduced modularity allowing future payloads to be injected via binary test blobs in tests/files/ without new build-file commits, meaning future variants may not require changes to m4/build-to-host.m4.
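The IOC notes above give two host-side facts a defender can act on: only upstream 5.6.0 and 5.6.1 are backdoored, and an sshd that is not linked against liblzma is not reachable through this vector. The script below is an added example (not from any of the advisories on this page) that turns both into a POSIX sh triage check; it assumes sshd lives at /usr/sbin/sshd unless a path is passed, and it relies on Debian's "+really" package-version convention, under which the true upstream version follows the marker.

```shell
#!/bin/sh
# Added example, not taken from any of the advisories above. Host triage for
# CVE-2024-3094: is the installed liblzma one of the two backdoored releases
# (5.6.0, 5.6.1), and does this host's sshd even link liblzma?

# Reduce a version string to the upstream X.Y.Z it was built from. Accepts
# `xz --version` lines ("xz (XZ Utils) 5.6.1", "liblzma 5.6.1") as well as
# distro package versions. Debian's "+really" downgrade convention means the
# true upstream version follows the marker: "5.6.1+really5.4.5-1" is 5.4.5.
xz_upstream_version() {
  v="$1"
  case "$v" in
    *+really*) v="${v#*+really}" ;;
  esac
  # Keep the first digits-and-dots run; drops "-1", "-r2" and surrounding text.
  printf '%s\n' "$v" | sed -n 's/^[^0-9]*\([0-9][0-9.]*[0-9]\).*/\1/p'
}

# True (exit 0) when the upstream version is a backdoored release. Distro
# rebuilds that strip the backdoor but keep the upstream number (Alpine's
# 5.6.1-r2 in the table above) still match here, so treat a hit as a signal
# to confirm against the package database, not as a verdict on its own.
xz_version_affected() {
  case "$(xz_upstream_version "$1")" in
    5.6.0|5.6.1) return 0 ;;
    *)           return 1 ;;
  esac
}

# True when sshd links liblzma (directly or via libsystemd). Per the IOC notes
# above, an sshd without that link is not reachable through this vector.
# The default path is an assumption; pass another path if your distro differs.
sshd_links_liblzma() {
  sshd="${1:-/usr/sbin/sshd}"
  [ -x "$sshd" ] || return 1
  ldd "$sshd" 2>/dev/null | grep -q 'liblzma'
}

# One-line verdict for this host, combining both checks.
xz_host_verdict() {
  out=$(xz --version 2>/dev/null) || { echo "NOT-INSTALLED: xz not found"; return 0; }
  # The second line of `xz --version` names the liblzma build, which is the
  # component the backdoor lives in; fall back to the first line if absent.
  lib=$(printf '%s\n' "$out" | awk '/^liblzma/ { print $2 }')
  [ -n "$lib" ] || lib=$(printf '%s\n' "$out" | head -n 1)
  if xz_version_affected "$lib"; then
    if sshd_links_liblzma "$1"; then
      echo "EXPOSED: liblzma $lib installed and sshd links liblzma"
    else
      echo "INSTALLED-NOT-EXPOSED: liblzma $lib installed, sshd does not link liblzma"
    fi
  else
    echo "NOT-AFFECTED: liblzma $lib"
  fi
}

xz_host_verdict "$@"
```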
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| osv | — | 10.0 | CRITICAL | — |
| vendor_debian | — | 10.0 | LOW | — |
| vendor_redhat | — | 10.0 | CRITICAL | — |
Palo Alto
Informational: Impact of Malicious Code in XZ Tools and Libraries (CVE-2024-3094)
vendor_paloalto · 2024-04-01 · CVSS 10.0 · CRITICAL · CWE-506
The Palo Alto Networks Product Security Assurance team has evaluated the supply chain compromise impacting versions 5.6.0 and 5.6.1 of XZ tools and libraries. These versions of the software may allow unauthorized access to affected systems.
Based on the information presently known, Palo Alto Networks products and cloud services do not contain affected XZ software packages and are not impacted by these issues.
Please refer to the Unit42 Threat Brief for the latest guidance and product offerings to protect customers from CVE-2024-3094 in their environments: https://unit42.paloaltonetworks.com/threat-brief-xz-utils-cve-2024-3094/
Affected products: Cloud NGFW, Cortex XDR, Cortex XDR Agent, GlobalProtect App
Red Hat
xz: malicious code in distributed source
vendor_redhat · 2024-03-29 · CVSS 10.0 · CRITICAL · CWE-506
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0.
Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
Debian
CVE-2024-3094: xz-utils - Malicious code was discovered in the upstream tarballs of xz, starting with vers...
vendor_debian · 2024 · CVSS 10.0 · CRITICAL
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved (fixed in 5.6.1+really5.4.5-1)
sid: resolved (fixed in 5.6.1+really5.4.5-1)
trixie: resolved (fixed in 5.6.1+really5.4.5-1)
OSV
CVE-2024-3094: Malicious code was discovered in the upstream tarballs of xz, starting with version 5
osv · 2024-03-29 · CVSS 10.0 · CRITICAL
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0.
Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
GHSA
GHSA-rxwq-x6h5-x525: Malicious code was discovered in the upstream tarballs of xz, starting with version 5
ghsa_unreviewed · 2024-03-29 · CRITICAL · CWE-506
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. The tarballs included extra .m4 files, which contained instructions for building with automake that did not exist in the repository. These instructions, through a series of complex obfuscations, extract a prebuilt object file from one of the test archives, which is then used to modify specific functions in the code while building the liblzma package. This issue results in liblzma being used by additional software, like sshd, to provide functionality that will be interpreted by the modified functions.
No detection rules found.
Nuclei
XZ - Embedded Malicious Code
nuclei · CVSS 10.0 · CRITICAL
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
Template:
```yaml
id: CVE-2024-3094
info:
  name: XZ - Embedded Malicious Code
  author: pdteam
  severity: critical
  description: |
    Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process ex
```
Wiz
RCE meaning: Remote code execution attacks explained | Wiz
blogs_wiz · 2026-02-18
## What is a remote code execution (RCE) attack?
A remote code execution (RCE) attack is a cyberattack where an attacker runs malicious code on a target system from a remote location. This means someone who has no physical access to your servers can still execute commands as if they were sitting at the keyboard.
RCE ranks among the most severe vulnerability classes because attackers often need no authentication or user interaction to exploit it. Once they gain code execution, they can steal sensitive data, install persistent backdoors, escalate privileges, or pivot to other systems on your network.
The consequences extend beyond the initial compromise. A single RCE vulnerability in an internet-facing application can give attackers a foothold to move laterally through your environment, e
Elastic
Automating GOAD and Live Malware Labs — Elastic Security Labs
blogs_elastic · 2026-02-05
5 February 2026 · Nic Palmer · Adrian Chen
# Automating GOAD and Live Malware Labs
Cyber Ranges as Code with Ludus and Elastic
22 min read · Enablement
## Introduction: The Need for a Scalable, Automated Simulation Range
In modern security operations, detection engineering is no longer a “set it and forget it” discipline. The central challenge for any security team (and the question that underpins the entire purple-team approach) is simple: how do you know whether your detection rules genuinely work? Continually validating detection logic against an ever-shifting adversary toolkit is now a fundamental requirement.
Arguably, the largest hurdle for this exercise has always been setting up the lab. Manually provisioning a multi-domain Active Directory forest, configuring it with specific vulne
Wiz
Open-Source Security: Best Practices and Tools | Wiz
blogs_wiz · 2025-09-05
## What is open source security?
Open-source security protects software built with publicly available code. It involves finding vulnerabilities, assessing risks, and implementing safeguards throughout the software lifecycle. These practices keep open-source projects secure from development to production.
Because open-source software plays a key role in software development, its security has never been more essential. Powering everything from operating systems like Linux to databases like PostgreSQL, OSS is here to stay. And with the rise of cloud services and AI technologies, which often rely on OSS, open-source adoption is poised to increase. According to a report by Red Hat, 95% of IT leaders agree that open-source solutions are strategically important to their organization's overall e
Bleepingcomputer
Docker Hub still hosts dozens of Linux images with the XZ backdoor
blogs_bleepingcomputer · 2025-08-12 · CVSS 10.0 · CRITICAL
By Bill Toulas
Binarly researchers have discovered numerous Docker images still impacted by the XZ-Utils backdoor.
"At first glance, this might not seem alarming: if the distribution packages were backdoored, then any Docker images based on them would be infected as well," reports Binarly.
"However, what we discovered is that some of these compromised images are still publicly available on Docker Hub. And even more troubling, other images have been built on top of these infected base images, making them transitively infected."
Binarly reported the images to Debian, one of the maintainers still offering backdoored images, who decided not to take them offline, citing low risk and importance of archiving continuity.
Wiz
Crying out Cloud: Our Favorite Stories of 2024 | Wiz Blog
blogs_wiz · 2025-04-09 · CVSS 10.0 · CRITICAL
2024 certainly had its share of tumultuous events that shaped the perceptions of cloud customers everywhere — there were supply chain attacks, critical 0-day vulnerabilities, and advancements in both AI and AI security. All left their mark on how we approach cloud security.
As the year came to a close, the Crying out Cloud team (Eden, Merav and Amitai) sat down to discuss what we felt were our most interesting podcast episodes and newsletter editions of 2024. Here are our top picks from the past year:
## High Profile Vulnerabilities
### Merav’s pick – XZ Utils backdoor
CVE-2024-3094 is one of the most intriguing stories of the year. A stealthy backdoor was hidden in XZ Utils, compromising SSH authentication in certain Linux distributions. The attack was highly sophisticated, with obfusca
Wiz
What Is Defense In Depth? Best Practices For Layered Security | Wiz
blogs_wiz · 2024-11-08 · CVSS 10.0 · CRITICAL
## What is defense in depth?
Defense in depth (DiD)—also known as layered defense—is a cybersecurity strategy that aims to safeguard data, networks, systems, and IT assets by using multiple layers of security controls. DiD involves a series of overlapping defense mechanisms (think security tools, procedures, and best practices) designed to keep systems resistant to full penetration. The idea is that if one defense layer is breached, other layers will prevent the attacker from advancing through the systems or reaching valuable assets.
The XZ Utils backdoor (CVE-2024-3094), which allowed remote code execution on affected Linux systems, shows the pressing need for defense in depth. After all, businesses that already have a defense-in-depth strategy were able to detect and respond to the vu
Tenable
From Bugs to Breaches: 25 Significant CVEs As MITRE CVE Turns 25
blogs_tenable · 2024-10-22
Bleepingcomputer
How open source SIEM and XDR tackle evolving threats
blogs_bleepingcomputer · 2024-10-09
By Wazuh
In today's cybersecurity landscape, evolving threats require security solutions that match the sophistication of modern threats. As businesses rapidly adopt emerging technologies, their exposure to cyberattacks increases. To mitigate these risks, cybersecurity teams need adaptable and comprehensive tools to protect their digital ecosystems effectively.
Security Information and Event Management (SIEM) and Extended Detection and Response (XDR) platforms play a major role in many organizations' cybersecurity strategies.
These tools provide robust visibility, real-time monitoring, threat hunting, and automated response capabilities designed to address emerging cyber threats effectively.
## The role of SIEM and XDR in modern
Securelist
IT threat evolution Q2 2024
blogs_securelist · 2024-09-03
Table of Contents
- Targeted attacks
  - XZ backdoor: a supply chain attack in the making
  - Timeline of events
  - DuneQuixote campaign targeting the Middle East
  - ToddyCat: punching holes in your infrastructure
- Other malware
  - QakBot attacks with Windows zero-day
  - Using the LockBit builder to generate targeted ransomware
  - Stealers, stealers and more stealers
  - ShrinkLocker: turning BitLocker into a ransomware utility
Authors
- David Emm
## Targeted attacks
### XZ backdoor: a supply chain attack in the making
On March 29, a message on the Openwall oss-security mailing list announced the discovery of a backdoor in XZ, a compression utility included in many popular Linux distributions. The backdoored library is used by the OpenSSH server process sshd. On a number of systemd-based distributions, in
Securelist
Malware report for Q2 2024 — a quarterly review
blogs_securelist · 2024-09-03
Table of Contents
- Targeted attacks
- Other malware
Authors
- David Emm
## Targeted attacks
### XZ backdoor: a supply chain attack in the making
On March 29, a message on the Openwall oss-security mailing list announced the discovery of a backdoor in XZ, a compression utility included in many popular Linux distributions. The backdoored library is used by the OpenSSH server process sshd. On a number of systemd-based distributions, including Ubuntu, Debian and RedHat/Fedora Linux, OpenSSH is patched to use systemd features and is therefore dependent on the library (Arch Linux and Gentoo are not affected). The code was inserted in February and March 2024, mostly by Jia Cheong Tan – probably a fictitious identity. We suspect that the goal of the attack was to introduce exclusive remote
Securelist
Kaspersky report on APT trends in Q2 2024
blogs_securelist · 2024-08-13
Table of Contents
- Most notable findings
- Chinese-speaking activity
- Middle East
- Southeast Asia and Korean Peninsula
- Hacktivism
- Other interesting discoveries
- Final thoughts
Authors
- GReAT
For over six years now, Kaspersky’s Global Research and Analysis Team (GReAT) has been sharing quarterly updates on advanced persistent threats (APTs). These summaries draw on our threat intelligence research, offering a representative overview of what we’ve published and discussed in more detail in our private APT reports. They’re designed to highlight the key events and findings that we think people should know about.
In this latest installment, we focus on activities that we observed during Q2 2024.
Readers who would like to learn more about our intelligence reports or request more i
Securelist
APT trends report Q2 2024
blogs_securelist · 2024-08-13
Table of Contents
- Most notable findings
- Chinese-speaking activity
- Middle East
- Southeast Asia and Korean Peninsula
- Hacktivism
- Other interesting discoveries
- Final thoughts
Authors
- GReAT
For over six years now, Kaspersky’s Global Research and Analysis Team (GReAT) has been sharing quarterly updates on advanced persistent threats (APTs). These summaries draw on our threat intelligence research, offering a representative overview of what we’ve published and discussed in more detail in our private APT reports. They’re designed to highlight the key events and findings that we think people should know about.
In this latest installment, we focus on activities that we observed during Q2 2024.
Readers who would like to learn more about our intelligence reports or request more information
Fortinet
New and Emerging Cybersecurity Threats and Attacker Tactics | CISO Collective
blogs_fortinet · 2024-08-07 · CVSS 10.0 · CRITICAL
By Ricardo Ferreira | August 07, 2024
As cyberthreats continue to evolve nearly four decades after the first computer virus for PCs emerged in 1986, the cybersecurity landscape faces increasingly sophisticated challenges. While many are familiar with common threats like phishing and ransomware, newer, more targeted attacks are emerging, threatening the very foundations of our digital infrastructure.
In this post, we explore these emerging threats, focusing on supply chain risks, open-source software vulnerabilities, and the integration of generative AI (GenAI) into business operations. We’ll also discuss strategic defense tactics that organizations can adopt to stay ahead of these evolving challenges.
Supply Chain Cyber Risks
Zscaler
CVE-2024-6387 & CVE-2024-6409 | ThreatLabz
blogs_zscaler · 2024-08-05 · CVSS 8.1 · HIGH
Wiz
Guardians of Compliance: Unleashing the Magic of Wiz4Wiz | Wiz Blog
blogs_wiz · 2024-07-09
Since the beginning of Wiz, our security team has been using an internal instance of the product, called Wiz4Wiz. It gives greater visibility into our resources and enables a shift left atmosphere that focuses on security principles – from design to implementation.
The democratization of security does not stop there. The goal of our Governance, Risk, and Compliance (GRC) function (part of the Wiz Security Team) is to ensure that we follow regulatory requirements, industry standards, and internal policies. Head of GRC Max Anand stresses the importance of using Wiz4Wiz to gain real-time visibility into Wiz's Security and Compliance posture, so teams can validate various requirements.
## Enabling Security Across the Board
One of Wiz's primary goals is to have a security-first mindset, in w
Securelist
Exploits and vulnerabilities in Q1 2024
blogs_securelist · 2024-05-07 · CVSS 7.8 · HIGH (CVE-2024-3094)
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
  - Windows and Linux vulnerability exploitation
  - Public exploit statistics
  - Most prevalent exploits
- Vulnerability exploitation in APT attacks
- Notable Q1 2024 vulnerabilities
  - CVE-2024-3094 (XZ)
  - CVE-2024-20656 (Visual Studio)
  - CVE-2024-21626 (runc)
  - CVE-2024-1708 (ScreenConnect)
  - CVE-2024-21412 (Windows Defender)
  - CVE-2024-27198 (TeamCity)
  - CVE-2023-38831 (WinRAR)
- Conclusions and advice
Authors
- Alexander Kolesnikov
- Vitaly Morgunov
We at Kaspersky continuously monitor the evolving cyberthreat landscape to ensure we respond promptly to emerging threats, equipping our products with detection logic and technology. Software vulnerabilities that threat actors can exploit or are already actively exploiting a
Securelist
Analyzing the vulnerability landscape in Q1 2024
blogs_securelist · 2024-05-07
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
- Vulnerability exploitation in APT attacks
- Notable Q1 2024 vulnerabilities
- Conclusions and advice
Authors
- Alexander Kolesnikov
- Vitaly Morgunov
We at Kaspersky continuously monitor the evolving cyberthreat landscape to ensure we respond promptly to emerging threats, equipping our products with detection logic and technology. Software vulnerabilities that threat actors can exploit or are already actively exploiting are a critical component of that landscape. In this report, we present a series of insightful statistical and analytical snapshots relating to the trends in the emergence of new vulnerabilities and exploits, as well as the most prevalent vulnerabilities being used by attackers. Add
Zscaler
CVE-2024-3661 | ThreatLabz
blogs_zscaler·2024-05-07·CVSS 7.6
[HIGH] CVE-2024-3661 | ThreatLabz
Zscaler
CVE-2024-3400 Activity | ThreatLabz
blogs_zscaler·2024-04-17·CVSS 10.0
[CRITICAL] CVE-2024-3400 Activity | ThreatLabz
Sentinelone
XZ Backdoor (CVE-2024-3094) VS SentinelOne: Detection and Mitigation
blogs_sentinelone·2024-04-15·CVSS 10.0
[CRITICAL] XZ Backdoor (CVE-2024-3094) VS SentinelOne: Detection and Mitigation
Sentinelone
XZ Backdoor (CVE-2024-3094) VS SentinelOne: Protection
blogs_sentinelone·2024-04-15·CVSS 10.0
[CRITICAL] XZ Backdoor (CVE-2024-3094) VS SentinelOne: Protection
Sentinelone
XZ Backdoor (CVE-2024-3094) VS SentinelOne: Detection and Mitigation
blogs_sentinelone·2024-04-15·CVSS 10.0
CVE-2024-3094 [CRITICAL] XZ Backdoor (CVE-2024-3094) VS SentinelOne: Detection and Mitigation
Zscaler
Another CVE (PAN-OS Zero Day) | Zscaler
blogs_zscaler·2024-04-12·CVSS 10.0
[CRITICAL] Another CVE (PAN-OS Zero Day) | Zscaler
Securelist
XZ backdoor story – Initial analysis
blogs_securelist·2024-04-12
XZ backdoor story – Initial analysis
Table of Contents
The timeline of events
Backdoored source distributions
Initial infection analysis
Stage 1 – The modified build-to-host script
Stage 2 – The injected shell script
Stage 3 – Backdoor extraction
Binary backdoor analysis
A stealth loading scenario
Backdoor code analysis
Core behavior
Execution environment check
The trie structure
Symbol resolver
The Symbind hook
Conclusion
Indicators of compromise
Yara rules
Known backdoored libraries
Authors
GReAT
Part 1: XZ backdoor story – Initial analysis
Part 2: Assessing the Y, and How, of the XZ Utils incident (social engineering)
Part 3: XZ backdoor. Hook analysis
On March 29, 2024, a single message on the Openwall OSS-security mailing list marked an important discovery for the information security, open source a
Securelist
Kaspersky analysis of the backdoor in XZ
blogs_securelist·2024-04-12
Kaspersky analysis of the backdoor in XZ
Table of Contents
- The timeline of events
- Backdoored source distributions
- Initial infection analysis
- Binary backdoor analysis
- Conclusion
- Indicators of compromise
Authors
- GReAT
Part 1: XZ backdoor story – Initial analysis
Part 2: Assessing the Y, and How, of the XZ Utils incident (social engineering)
Part 3: XZ backdoor. Hook analysis
On March 29, 2024, a single message on the Openwall OSS-security mailing list marked an important discovery for the information security, open source and Linux communities: the discovery of a malicious backdoor in XZ. XZ is a compression utility integrated into many popular distributions of Linux.
The particular danger of the backdoored library lies in its use by the OpenSSH server process sshd. On several systemd-based distributions, incl
Sentinelone
XZ Utils Backdoor | Threat Actor Planned to Inject Further Vulnerabilities
blogs_sentinelone·2024-04-10·CVSS 10.0
CVE-2024-3094 [CRITICAL] XZ Utils Backdoor | Threat Actor Planned to Inject Further Vulnerabilities
On Mar 29, 2024, details emerged about CVE-2024-3094, a vulnerability impacting the xz compression libraries used by Linux distributions.
The backdoor code was distributed to all rolling distributions. However, it was tailored to target distributions such as Debian and Fedora, which patch their SSH daemon with `liblzma`. Further, the backdoor scripts included system checks to guarantee that the object files were solely injected into Debian and Fedora distributions.
SentinelOne analyzed the technical implementation of the xz backdoor and the differences between the two versions. In this blog post, we describe and explore how subtle changes made by the threat actor in the code commits suggest that further backdoors were being planned.
## XZ Compromise | A Technical Breakdown
In the first
Wiz
CROC Talks - XZ Utils backdoor explained | Wiz
blogs_wiz·2024-04-10·CVSS 10.0
CVE-2024-3094 [CRITICAL] CROC Talks - XZ Utils backdoor explained | Wiz
Podcast
## CROC Talks - XZ Utils backdoor explained
The backdoor in XZ Utils is shaking the industry 🔔
How could we not talk about it?
Tune in to the special unscheduled episode of Crying Out Cloud with Eden Naftali and Amitai Cohen as they delve into the stealthy supply chain attack!
In this episode:
🔍 The Alert from CISA regarding CVE-2024-3094, a vulnerability in XZ Utils Data Compression Library versions 5.6.0 and 5.6.1
🛑 The potential risks posed by the embedded malicious code and the unauthorized access it may grant to affected systems
🛡️ Security Team Action Plans
Tune in now!
## More episodes
## Crying Out Cloud Newsletter
Stay Safe & Informed: Receive the Latest Cloud Security News, Real Attack Insights, and Expert Guidance to Protect Your Environment.
For informatio
Sentinelone
XZ Utils Backdoor | Threat Actor Planned to Inject Further Vulnerabilities
blogs_sentinelone·2024-04-10·CVSS 10.0
CVE-2024-3094 [CRITICAL] XZ Utils Backdoor | Threat Actor Planned to Inject Further Vulnerabilities
On Mar 29, 2024, details emerged about CVE-2024-3094, a vulnerability impacting the xz compression libraries used by Linux distributions.
SentinelOne analyzed the technical implementation of the xz backdoor and the differences between the two versions. In this blog post, we describe and explore how subtle changes made by the threat actor in the code commits suggest that further backdoors were being planned.
## XZ Compromise | A Technical Breakdown
In the first iteration of the compromise (version 5.6.0), the actor successfully added code to the xz repository that enabled injection of the backdoor on Debian and Fedora distributions. However, the second iteration (version 5.6.1) adds significantly more maturity by introducing the ability to execute additional shell scripts durin
Checkpoint
8th April – Threat Intelligence Report
blogs_checkpoint·2024-04-08
CVE-2024-29745 8th April – Threat Intelligence Report
## 8th April – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 8th April, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Acuity, a federal contractor, confirmed a cyber incident where hackers accessed its GitHub repositories, and stole various documents. The breach, linked to the threat actor IntelBroker, involved data from various U.S. government agencies. While Acuity claims to have found no evidence of sensitive data impact, the US State Depar
Elastic
500ms to midnight: XZ A.K.A. liblzma backdoor — Elastic Security Labs
blogs_elastic·2024-04-05
500ms to midnight: XZ A.K.A. liblzma backdoor — Elastic Security Labs
5 April 2024 • Samir Bousseaden • Mika Ayenson, PhD • Jake King
# 500ms to midnight: XZ A.K.A. liblzma backdoor
Elastic Security Labs is releasing an initial analysis of the XZ Utility backdoor, including YARA rules, osquery, and KQL searches to identify potential compromises.
5 min read • Malware Analysis, Product Updates
## Key Takeaways
- On March 29, 2024, Andres Freund identified malicious commits to the command-line utility XZ, impacting versions 5.6.0 and 5.6.1 for Linux, and shared the information on the oss-security mailing list.
- Andres’ discovery was made after an increase of 500ms in latency was observed with SSH login attempts initiated from a development system, amongst other anomalies.
- The backdoor identified has been designed to circumvent authentication controls within SSH
Tenable
Cybersecurity Snapshot: CSRB Calls Exchange Online Hack “Preventable,” While CISA, Others Warn About XZ Utils Backdoor Vulnerability
blogs_tenable·2024-04-05
Cybersecurity Snapshot: CSRB Calls Exchange Online Hack “Preventable,” While CISA, Others Warn About XZ Utils Backdoor Vulnerability
Wiz
Effortless SBOM search in your cloud with Wiz | Wiz Blog
blogs_wiz·2024-04-05
Effortless SBOM search in your cloud with Wiz | Wiz Blog
In our earlier blog on agentless SBOM, we explored how Wiz automates SBOM creation at the runtime level. These SBOMs give Wiz users access to crucial information on all OS packages, open-source libraries, and their versions, providing instant visibility. To facilitate compliance, Wiz also offers the option of exporting reports in standard formats such as CycloneDX and SPDX. Wiz is now extending its capabilities to make it possible to search for a library or package as well as its version, enabling users to quickly find out where a package or library is deployed across their cloud environments. This makes it easy to identify obsolete or vulnerable libraries and the resources on which they are installed, so you can understand the risks and define a remediation plan.
# Challenges to navigate
Talos
There are plenty of ways to improve cybersecurity that don’t involve making workers return to a physical office
blogs_talos·2024-04-04
There are plenty of ways to improve cybersecurity that don’t involve making workers return to a physical office
As my manager knows, I’m not the biggest fan of working in a physical office. I’m a picky worker — I like my workspace to be borderline frigid, I hate dark mode on any software, and I want any and all lighting cranked all the way up.
So, know that I’m biased going into this, but I also can’t get over the idea that companies are using cybersecurity as an excuse to create return-to-office policies in 2024.
I started thinking about this because of the video game developer Rockstar, which owns some of the largest video game franchises on the planet like Red Dead Redemption and Grand Theft Auto.
The company recently started asking its employees to return to its physical office five days a week in the name of productivity and security as the company pushes to finish its highly anticipated tit
Wiz
The XZ Utils backdoor, and defense-in-depth strategy | Wiz Blog
blogs_wiz·2024-04-03·CVSS 10.0
[CRITICAL] The XZ Utils backdoor, and defense-in-depth strategy | Wiz Blog
The XZ Utils backdoor caused some panic throughout the security community following the announcement about it on Friday. The immediate response was reminiscent of Log4j, and thankfully, something we don’t experience very often. The Wiz research team has been working around the clock to understand the backdoor and the threat actor behind it, and to surmise what the threat actors were trying to accomplish. Because Microsoft found the threat early, the number of impacted organizations will be much smaller than what could have been. So what’s next? Every security team now needs to answer the question: are we affected by the XZ Utils backdoor?
At Wiz, we talk a lot about having a defense-in-depth strategy, and inevitable situations like these highlight the importance of that approach. Wiz provi
Zscaler
CVE-2024-3094 | ThreatLabz
blogs_zscaler·2024-04-01·CVSS 10.0
[CRITICAL] CVE-2024-3094 | ThreatLabz
Unit42
Threat Brief: Vulnerability in XZ Utils Data Compression Library Impacting Multiple Linux Distributions (CVE-2024-3094)
blogs_unit42·2024-03-31·CVSS 10.0
CVE-2024-3094 [CRITICAL] Threat Brief: Vulnerability in XZ Utils Data Compression Library Impacting Multiple Linux Distributions (CVE-2024-3094)
## Executive Summary
On March 28, 2024, Red Hat Linux announced CVE-2024-3094 with a critical CVSS score of 10. This vulnerability is a result of a supply chain compromise impacting the versions 5.6.0 and 5.6.1 of XZ Utils. XZ Utils is data compression software included in major Linux distributions. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has advised people to downgrade to an uncompromised XZ Utils version (earlier than 5.6.0).
The newly disclosed vulnerability has been assigned the following CVE:
CVE Number
Description
CVSS Severity
CVE-2024-3094
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file
Unit42
Threat Brief: Vulnerability in XZ Utils Data Compression Library Impacting Multiple Linux Distributions (CVE-2024-3094)
blogs_unit42·2024-03-31·CVSS 10.0
CVE-2024-3094 [CRITICAL] Threat Brief: Vulnerability in XZ Utils Data Compression Library Impacting Multiple Linux Distributions (CVE-2024-3094)
Threat Research Center
High Profile Threats
Cloud Cybersecurity Research
## Threat Brief: Vulnerability in XZ Utils Data Compression Library Impacting Multiple Linux Distributions (CVE-2024-3094)
Unit 42
Published: March 30, 2024
Cloud Cybersecurity Research
High Profile Threats
Vulnerabilities
CVE-2024-3094
Linux
XZ Utils
## Executive Summary
On March 28, 2024, Red Hat Linux announced CVE-2024-3094 with a critical CVSS score of 10. This vulnerability is a result of a supply chain compromise impacting the versions 5.6.0 and 5.6.1 of XZ Utils. XZ Utils is data compression software included in major Linux distributions. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has advised people to downgrade to an uncompromised XZ Utils version (earlier than 5.6.0).
Qualys
XZ Utils SSHd Backdoor
blogs_qualys·2024-03-30·CVSS 10.0
CVE-2024-3094 [CRITICAL] XZ Utils SSHd Backdoor
## Table of Contents
XZ Utils and Libs
Technical Details of CVE-2024-3094
On March 29th, 2024, security researcher Andres Freund discovered a backdoor in XZ Utils versions 5.6.0 and 5.6.1. Under certain conditions, this backdoor may allow remote access to the targeted system. This disclosure was posted to the Openwall mailing list. The security researcher mentions that this supply-chain attack was discovered while investigating SSH performance issues. This vulnerability is being tracked as CVE-2024-3094 and has been given a CVSS score of 10.
## XZ Utils and Libs
XZ Utils is a set of free software command-line lossless data compressors, including the programs lzma and XZ, for Unix-like operating systems. It is an upstream package for almost all distributions and can be downloaded and comp
Qualys
CVE-2024-3094: XZ Utils SSHd Backdoor Vulnerability in Linux | Qualys
blogs_qualys·2024-03-30·CVSS 10.0
CVE-2024-3094 [CRITICAL] CVE-2024-3094: XZ Utils SSHd Backdoor Vulnerability in Linux | Qualys
#### Table of Contents
- XZ Utils and Libs
- Technical Details of CVE-2024-3094
On March 29th, 2024, security researcher Andres Freund discovered a backdoor in XZ Utils versions 5.6.0 and 5.6.1. Under certain conditions, this backdoor may allow remote access to the targeted system. This disclosure was posted to the Openwall mailing list. The security researcher mentions that this supply-chain attack was discovered while investigating SSH performance issues. This vulnerability is being tracked as CVE-2024-3094 and has been given a CVSS score of 10.
## XZ Utils and Libs
XZ Utils is a set of free software command-line lossless data compressors, including the programs lzma and XZ, for Unix-like operating systems. It is an upstream package for almost all distributions and can be downloaded and
Bleepingcomputer
Red Hat warns of backdoor in XZ tools used by most Linux distros
blogs_bleepingcomputer·2024-03-29
Red Hat warns of backdoor in XZ tools used by most Linux distros
## Red Hat warns of backdoor in XZ tools used by most Linux distros
## Sergiu Gatlan
Today, Red Hat warned users to immediately stop using systems running Fedora development and experimental versions because of a backdoor found in the latest XZ Utils data compression tools and libraries.
"PLEASE IMMEDIATELY STOP USAGE OF ANY FEDORA 41 OR FEDORA RAWHIDE INSTANCES for work or personal activity," Red Hat warned on Friday.
"No versions of Red Hat Enterprise Linux (RHEL) are affected. We have reports and evidence of the injections successfully building in xz 5.6.x versions built for Debian unstable (Sid). Other distributions may also be affected."
Debian's security team also issued an advisory warning users about the issue. The advisory says that no stable Debian versions are using the com
Wiz
CVE-2024-3094: Critical RCE Vulnerability Found in XZ Utils | Wiz Blog
blogs_wiz·2024-03-29·CVSS 10.0
CVE-2024-3094 [CRITICAL] CVE-2024-3094: Critical RCE Vulnerability Found in XZ Utils | Wiz Blog
## TL;DR
## Everything you need to know about the XZ Utils vulnerability
Watch to hear the Wiz Threat Research Team break down the story of CVE-2024-3094, the details behind the backdoor, and what actions security teams can take to protect their environments today.
## Changelog
March 31, 2024 - Updated diagram based on newly revealed information
April 1, 2024 - Updated affected versions table based on latest advisories
April 3, 2024 - Added new research findings
## What is CVE-2024-3094?
The malicious code is obfuscated and can only be found in the released versions (of specific Linux distributions), not in the Git distribution, which lacks the M4 macro that triggers the backdoor build process. If the malic
Wiz
CVE-2024-3094: Critical RCE Vulnerability Found in XZ Utils | Wiz Blog
blogs_wiz·2024-03-29·CVSS 10.0
CVE-2024-3094 [CRITICAL] CVE-2024-3094: Critical RCE Vulnerability Found in XZ Utils | Wiz Blog
# TL;DR
A backdoor has been identified in versions `5.6.0` and `5.6.1` of XZ Utils (assigned CVE-2024-3094), which under some conditions may allow RCE via SSH authentication in specific versions of certain Linux distributions.
## Everything you need to know about the XZ Utils vulnerability
Watch to hear the Wiz Threat Research Team break down the story of CVE-2024-3094, the details behind the backdoor, and what actions security teams can take to protect their environments today. Watch on-demand.
# Changelog
- March 31, 2024 - Updated diagram based on newly revealed information
- April 1, 2024 - Updated affected versions table based on latest advisories
- April 3, 2024 - Added new research findings
# What is CVE-2024-3094?
Malicious code has been found in the XZ project's source packages, be
Tenable
Frequently Asked Questions About CVE-2024-3094, A Backdoor in XZ Utils
blogs_tenable·2024-03-29·CVSS 10.0
[CRITICAL] Frequently Asked Questions About CVE-2024-3094, A Backdoor in XZ Utils
Crowdstrike
CVE-2024-3094 and XZ Upstream Supply Chain Attack
blogs_crowdstrike·CVSS 10.0
CVE-2026-20929 [CRITICAL] CVE-2024-3094 and XZ Upstream Supply Chain Attack
Wiz
Everything You Need to Know About the XZ Utils Vulnerability | Wiz
blogs_wiz·CVSS 10.0
CVE-2024-3094 [CRITICAL] Everything You Need to Know About the XZ Utils Vulnerability | Wiz
On-demand webinar
## Everything You Need to Know About the XZ Utils Vulnerability
To watch the video recording, click the button below and complete registration
You've likely seen CISA's warning about a reported supply chain compromise affecting the XZ Utils data compression library (CVE-2024-3094). Watch on-demand as the Wiz Threat Research team walks through a comprehensive breakdown of CVE-2024-3094, the extent of the risk to cloud environments, and what actions security teams can take today.
## Speakers
## Amitai Cohen
Threat Researcher at Wiz
## Danielle Aminov
Threat Researcher
## Merav Bar
Threat Researcher
Crowdstrike
CVE-2024-3094 and XZ Upstream Supply Chain Attack
blogs_crowdstrike·CVSS 10.0
CVE-2026-20929 [CRITICAL] CVE-2024-3094 and XZ Upstream Supply Chain Attack
Zscaler
CISO Monthly Roundup, March 2024: Zscaler ThreatLabz 2024 AI Security Report, Tweaks infostealer, Windows/Android RATs, and XZ Utils and ConnectWise vulnerabilities | CXO Revolutionaries
blogs_zscaler
CISO Monthly Roundup, March 2024: Zscaler ThreatLabz 2024 AI Security Report, Tweaks infostealer, Windows/Android RATs, and XZ Utils and ConnectWise vulnerabilities | CXO Revolutionaries
## CISO Monthly Roundup, March 2024: Zscaler ThreatLabz 2024 AI Security Report, Tweaks infostealer, Windows/Android RATs, and XZ Utils and ConnectWise vulnerabilities
Deepen Desai
Contributor
Zscaler
## Apr 8, 2024
The CISO Monthly Roundup provides the latest threat research from the ThreatLabz team, along with executive insights on other cyber-related subjects. This month we released the Zscaler ThreatLabz 2024 AI Security Report, investigated Tweaks infostealer, analyzed Windows/Android RATs, and reviewed vulnerabilities in ConnectWise and XZ Utils.
## Zscaler ThreatLabz 2024 AI Security Report
ThreatLabz researchers
arXiv
Cybersecurity of Teleoperated Quadruped Robots: A Systematic Survey of Vulnerabilities, Threats, and Open Defense Gaps
arxiv_fulltext·2026-02-26
Mohammad Sabouri (0000-0002-2568-3253), Department of Informatics, Bioengineering, Robotics and Systems Engineering (DIBRIS), University of Genoa, Genoa, Italy
## Abstract
Teleoperated quadruped robots are increasingly deployed in safety-critical missions---industrial inspection, military reconnaissance, and emergency response---yet the security of communication and control infrastructure linking operators to remote platforms remains insufficiently characterized. Quadrupeds present distinct security challenges arising from dynamic stability constraints, gait-dependent vulnerability windows, substantial kinetic energy, and elevated operator cog
arXiv
Supply Chain Exploitation of Secure ROS 2 Systems: A Proof-of-Concept on Autonomous Platform Compromise via Keystore Exfiltration
arxiv_fulltext·2025-10-31
Tahmid Hasan Sakib, Yago Romano Martinez, Carter Brady, Syed Rafay Hasan, Terry N. Guo
* Tahmid Hasan Sakib and Yago Romano Martinez contributed equally to this work.
T.H. Sakib, C. Brady, and S.R. Hasan are with the Department of Electrical and Computer Engineering, Tennessee Technological University, Cookeville, TN, USA ({tsakib42, clbrady43, shasan}@tntech.edu).
Y.R. Martinez is with the Department of Computer Science, Tennessee Technological University, Cookeville, TN, USA.
T.N. Guo is with the Center for Manufacturing Research, Tennessee Technological University, Cookeville, TN, USA.
## Abst
arXiv
Attestable Builds: Compiling Verifiable Binaries on Untrusted Systems using Trusted Execution Environments
arxiv_fulltext·2025-10-24
Daniel Hugenroth (0000-0003-3413-1722), University of Cambridge, Cambridge, United Kingdom (these authors contributed equally to this work)
Mario Lins (0000-0003-1713-3347), Johannes Kepler University Linz, Linz, Austria (these authors contributed equally to this work)
René Mayrhofer (0000-0003-1566-4646), Johannes Kepler University Linz, Linz, Austria
Alastair R. Beresford (0000-0003-0818-6535), University of Cambridge, Cambridge, United Kingdom
CCS concepts: Security and privacy, Software security engineering; Security and privacy, Trusted computing; Security and
arXiv
Towards Socio-Technical Topology-Aware Adaptive Threat Detection in Software Supply Chains
arxiv_fulltext·2025-10-24
Thomas Welsh, Kristófer Finnsson, Brynjólfur Stefánsson and Helmut Neukirchen
Department of Computer Science, University of Iceland, Reykjavík, Iceland
{tomwelsh, kdf2, brs, helmut}@hi.is
## Abstract
SSC are complex systems composed of dynamic, heterogeneous technical and social components which collectively achieve the production and maintenance of software artefacts. Attacks on SSC are increasing, yet pervasive vulnerability analysis is challenging due to their complexity. Therefore, threat detection must be targeted, to account for the large and dynamic structure, and adaptive, to account for its change and diversity. While current work focuses on technical approaches for monitoring supply cha
arXiv
Beyond Training-time Poisoning: Component-level and Post-training Backdoors in Deep Reinforcement Learning
arxiv_fulltext·2025-07-07
## Abstract
Deep Reinforcement Learning (DRL) systems are increasingly used in safety-critical applications, yet their security remains severely underexplored. This work investigates backdoor attacks, which implant hidden triggers that cause malicious actions only when specific inputs appear in the observation space. Existing DRL backdoor research focuses solely on training-time attacks requiring full adversarial access to the training pipeline. In contrast, we reveal critical vulnerabilities across the DRL supply chain where backdoors can be embedded with significantly reduced adversarial privileges. We introduce two novel attacks: (1) TrojanentRL, which exploits component-level flaws to implant a persistent backdoor that survives full model retraining; and (2) InfrectroRL, a post-traini
arXiv
Realigning Incentives to Build Better Software: a Holistic Approach to Vendor Accountability
arxiv_fulltext·2025-06-10
## Abstract
In this paper, we ask the question of why the quality of commercial software, in terms of security and safety, does not measure up to that of other (durable) consumer goods we have come to expect.
We examine this question through the lens of incentives. We argue that the challenge around better quality software is due in no small part to a sequence of misaligned incentives, the most critical of which being that the harm caused by software problems is, by and large, shouldered by consumers, not developers. This lack of liability means software vendors have every incentive to rush low-quality software onto the market and no incentive to enhance quality control. Within this context, this paper outlines a holistic technical and policy framework we believe is needed to incentivize
arXiv
Wolves in the Repository: A Software Engineering Analysis of the XZ Utils Supply Chain Attack
arxiv_cs_cr·2025-04-24·CVSS 10.0
CVE-2024-3094 [CRITICAL] Wolves in the Repository: A Software Engineering Analysis of the XZ Utils Supply Chain Attack
The digital economy runs on Open Source Software (OSS), with an estimated 90\% of modern applications containing open-source components. While this widespread adoption has revolutionized software development, it has also created critical security vulnerabilities, particularly in essential but under-resourced projects. This paper examines a sophisticated attack on the XZ Utils project (CVE-2024-3094), where attackers exploited not just code, but the entire open-source development process to inject a backdoor into a fundamental Linux compression library. Our analysis reveals a new breed of supply chain attack that manipulates software engineering practices themselves -- from community management to
arXiv
Wolves in the Repository: A Software Engineering Analysis of the XZ Utils Supply Chain Attack
arxiv_fulltext·2025-04-24·CVSS 10.0
CVE-2024-3094 [CRITICAL] Wolves in the Repository: A Software Engineering Analysis of the XZ Utils Supply Chain Attack
## Abstract
The digital economy runs on Open Source Software (OSS), with an estimated 90% of modern applications containing open-source components. While this widespread adoption has revolutionized software development, it has also created critical security vulnerabilities, particularly in essential but under-resourced projects. This paper examines a sophisticated attack on the XZ Utils project (CVE-2024-3094), where attackers exploited not just code, but the entire open-source development process to inject a backdoor into a fundamental Linux compression library. Our analysis reveals a new breed of supply chain attack that manipulates software engineering practices themselves -- from community management to CI/CD configurations -- to establish legitimacy and maintain long-term control. Th
arXiv
The H-Elena Trojan Virus to Infect Model Weights: A Wake-Up Call on the Security Risks of Malicious Fine-Tuning
arxiv_fulltext·2025-04-04
## Abstract
Large Language Models (LLMs) offer powerful capabilities in text generation and are increasingly adopted across a wide range of domains. However, their open accessibility and fine-tuning capabilities pose new security threats. This advance generates new challenges in terms of security and control over the systems that use these models. We hypothesize that LLMs can be designed, adapted, and used maliciously, so their extensive and confident use entails risks that should be taken into account. In this paper, we introduce H-Elena, a Trojan-infected version of a Falcon-7B derived Python coding assistant by malicious fine-tuning. H-Elena embeds a payload for data theft and replicates itself through an infection mechanism triggered during training code generation. H-Elena, derived f
arXiv
Tracking Down Software Cluster Bombs: A Current State Analysis of the Free/Libre and Open Source Software (FLOSS) Ecosystem
arxiv_fulltext·2025-02-12
Stefan Tatschner [1,2] (corresponding author; 0000-0002-2288-9010), Michael P. Heinl [1,3,4] (0000-0002-1094-4828), Nicole Pappler [2] (0009-0008-0767-8208), Tobias Specht [1] (0009-0001-7615-7579), Sven Plaga [5] (0000-0002-1658-1140), Thomas Newe [2] (0000-0002-3375-8200)
[1] Fraunhofer AISEC, Garching bei München, Bavaria, Germany
[2] University of Limerick, Limerick, V94 T9PX, Ireland
[3] Technical University of Munich, Garching bei München, Bavaria, Germany
[4] Munich University of Applied Sciences HM, Munich, Bavaria, Germany
[5]org
arXiv
A Mixed-Methods Study of Open-Source Software Maintainers On Vulnerability Management and Platform Security Features
arxiv_fulltext·2025-02-03
Jessy Ayala, Yu-Jye Tung, Joshua Garcia
University of California, Irvine
## Abstract
In open-source software (OSS), software vulnerabilities have significantly increased.
Although researchers have investigated the perspectives of vulnerability reporters and OSS contributor security practices, understanding the perspectives of OSS maintainers on vulnerability management and platform security features is currently understudied.
In this paper, we investigate the perspectives of OSS maintainers who maintain projects listed in the GitHub Advisory Database.
We explore this area by conducting two studies: identifying aspects through a listing survey (n_1=80) and gathering insi
arXiv
Poster: From Fort to Foe: The Threat of RCE in RPKI
arxiv_fulltext·2024-11-25·CVSS 9.8
[CRITICAL] Poster: From Fort to Foe: The Threat of RCE in RPKI
Oliver Jacobsen, Haya Schulmann, Niklas Vogel (ATHENE, Darmstadt, Germany; Goethe-Universität Frankfurt, Frankfurt, Germany)
Michael Waidner (ATHENE, Darmstadt, Germany; TU Darmstadt, Darmstadt, Germany)
## Abstract
In this work, we present a novel severe buffer-overflow vulnerability in the RPKI validator Fort, that allows an attacker to achieve Remote Code Execution (RCE) on the machine running the software.
We discuss the unique impact of this RCE on networks that use RPKI, illustrating that RCE vulnerabilities are especially severe in the context of RPKI. The design of RPKI makes RCE easy to exploi
arXiv
Weaponizing Disinformation Against Critical Infrastructures
arxiv_fulltext·2024-06-13
Lorenzo Alvisi [1,2] (0009-0007-4222-348X), John Bianchi [1] (0009-0006-2582-1480), Sara Tibidò [1,3] (0009-0004-0646-0558), Maria Vittoria Zucca [1,4] (0009-0004-0049-9611)
[1] IMT School for Advanced Studies, Lucca, Italy ([name.surname]@imtlucca.it)
[2] Institute of Informatics and Telematics, National Research Council (IIT-CNR), Pisa, Italy
[3] University of Bari "Aldo Moro", Bari, Italy
[4] Sant'Anna School of Advanced Studies, Pisa, Italy
## Abstract
For nearly a decade, disinformation has dominated social debates, with its harmful impacts growing more evident. Episodes like the January 6 United States Capitol attack and the Rohingya genocide exemplify how this phenomenon has been weaponized. While considerable atten
arXiv
On the critical path to implant backdoors and the effectiveness of potential mitigation techniques: Early learnings from XZ
arxiv_fulltext·2024-04-13·CVSS 10.0
[CRITICAL] On the critical path to implant backdoors and the effectiveness of potential mitigation techniques: Early learnings from XZ
Mario Lins (0000-0003-1713-3347), René Mayrhofer (0000-0003-1566-4646), Michael Roland (0000-0003-4675-0539): Institute of Networks and Security, Johannes Kepler University Linz, Altenberger Straße 69, 4040 Linz, Austria
Daniel Hofer (0000-0003-0310-1942): Secure and Correct Systems Lab, Johannes Kepler University Linz, Altenberger Straße 69, 4040 Linz, Austria
Martin Schwaighofer
martin.sc
CTF
[Medium] Mitigation / README
ctf_writeups·2024
Mitigation
17th May 2024 / Document No. D24.102.XX
Prepared By: thewildspirit
Challenge Author(s): thewildspirit, ir0nstone, c4n0pus
Difficulty: Medium
Classification: Official
# Synopsis
* Mitigation is a medium forensics challenge that involves analyzing a live Linux system, detecting the active XZ backdoor, and mitigating it.
## Description
* Having now gathered all the intelligence, you are now making the final preparations to attack the vault! You connect back to your server to review some important evidence one last time! However, as soon as you connect you discover things are in complete disorder. You check the root directory and you find `/root/backdoor.log`, clearly evidence of an active backdoor, set in place to hinder your assault on the Vault! Eliminate the backdoor in
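The Mitigation challenge above is about detecting an active XZ backdoor on a live Linux system. As an added example that is not part of the writeup or of any vendor's tooling, the POSIX shell script below does the first triage a responder would do: it locates every xz on PATH, parses `xz --version`, flags the backdoored upstream releases 5.6.0 and 5.6.1, and reports whether sshd links liblzma, the library the payload was planted in. The function names, the choice to treat distribution `+really` rollback version strings as clean, and the sshd linkage check are this example's own assumptions, not something the challenge text or the CVE record specifies.

```shell
#!/bin/sh
# Added example (not part of the CTF writeup or any vendor tool): triage a
# live Linux host for the backdoored XZ Utils releases behind CVE-2024-3094.
# Upstream 5.6.0 and 5.6.1 carried the payload. Treating a distro version
# string containing "really" (a rollback to an older upstream) as clean is
# an assumption about packaging conventions, not a statement from the CVE.

# xz_version_affected VERSION  ->  exit 0 if VERSION is a backdoored release
xz_version_affected() {
  case "$1" in
    *really*)        return 1 ;;   # e.g. 5.6.1+really5.4.5-1: rolled back
    5.6.0*|5.6.1*)   return 0 ;;   # upstream tarballs carrying the payload
    *)               return 1 ;;
  esac
}

# xz_version_from_output OUTPUT  ->  version token from `xz --version`,
# whose first line looks like "xz (XZ Utils) 5.6.1"; prints nothing if the
# text does not look like xz's banner.
xz_version_from_output() {
  printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9][^ ]*\).*$/\1/p'
}

# find_xz_binaries  ->  every executable named xz on PATH, one per line
# (several copies can coexist, e.g. a packaged one and a /usr/local one)
find_xz_binaries() {
  old_ifs=$IFS
  IFS=:
  for d in $PATH; do
    [ -x "$d/xz" ] && printf '%s\n' "$d/xz"
  done
  IFS=$old_ifs
  return 0
}

# check_live_system  ->  exit 0 if no xz on PATH reports an affected
# version. Also reports whether sshd links liblzma, because the payload
# lives in the library and is reached through sshd, not through the CLI.
check_live_system() {
  rc=0
  for xz_p in $(find_xz_binaries); do
    v=$(xz_version_from_output "$("$xz_p" --version 2>/dev/null)")
    if xz_version_affected "$v"; then
      echo "AFFECTED: $xz_p reports XZ Utils $v"
      rc=1
    else
      echo "ok: $xz_p reports XZ Utils ${v:-unknown}"
    fi
  done
  sshd_p=$(command -v sshd 2>/dev/null || true)
  if [ -n "$sshd_p" ] && command -v ldd >/dev/null 2>&1; then
    lib=$(ldd "$sshd_p" 2>/dev/null | awk '/liblzma/ {print $3}')
    [ -n "$lib" ] && echo "note: $sshd_p loads $lib; verify that package build too"
  fi
  return $rc
}

# Only run the live check when explicitly requested, so the functions can
# also be sourced for use in other scripts.
if [ "${XZ_TRIAGE:-0}" = 1 ]; then
  check_live_system
fi
```

Run it with `XZ_TRIAGE=1 sh xz_triage.sh`. A clean version string is a triage signal, not proof: the malicious object is linked into liblzma, so the library package and whatever loads it (sshd in particular) must be confirmed against the distribution advisory for the exact build installed.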
Bugzilla
CVE-2024-3094 xz: malicious code in distributed source
bugzilla·2024-03-29·CVSS 10.0
CVE-2024-3094 [CRITICAL] CVE-2024-3094 xz: malicious code in distributed source
Malicious code discovered in the tarballs distributed from upstream sources beginning in 5.6.0.
References:
https://access.redhat.com/security/cve/CVE-2024-3094
https://bugzilla.redhat.com/show_bug.cgi?id=2272210
https://www.openwall.com/lists/oss-security/2024/03/29/4
https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
http://www.openwall.com/lists/oss-security/2024/03/29/10
http://www.openwall.com/lists/oss-security/2024/03/29/12
http://www.openwall.com/lists/oss-security/2024/03/29/5
http://www.openwall.com/lists/oss-security/2024/03/29/8
http://www.openwall.com/lists/oss-security/2024/03/30/12
http://www.openwall.com/lists/oss-security/2024/03/30/27
http://www.openwall.com/lists/oss-security/2024/03/30/36
http://www.openwall.com/lists/oss-security/2024/03/30/5
http://www.openwall.com/lists/oss-security/2024/04/16/5
https://ariadne.space/2024/04/02/the-xz-utils-backdoor-is-a-symptom-of-a-larger-problem/
https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/
https://aws.amazon.com/security/security-bulletins/AWS-2024-002/
https://blog.netbsd.org/tnf/entry/statement_on_backdoor_in_xz
https://boehs.org/node/everything-i-know-about-the-xz-backdoor
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024
https://bugs.gentoo.org/928134
https://bugzilla.suse.com/show_bug.cgi?id=1222124
https://discourse.nixos.org/t/cve-2024-3094-malicious-code-in-xz-5-6-0-and-5-6-1-tarballs/42405
https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
https://github.com/advisories/GHSA-rxwq-x6h5-x525
https://github.com/amlweems/xzbot
https://github.com/karcherm/xz-malware
https://gynvael.coldwind.pl/?lang=en&id=782
https://lists.debian.org/debian-security-announce/2024/msg00057.html
https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html
https://lwn.net/Articles/967180/
https://news.ycombinator.com/item?id=39865810
https://news.ycombinator.com/item?id=39877267
https://news.ycombinator.com/item?id=39895344
https://openssf.org/blog/2024/03/30/xz-backdoor-cve-2024-3094/
https://research.swtch.com/xz-script
https://research.swtch.com/xz-timeline
https://security-tracker.debian.org/tracker/CVE-2024-3094
https://security.alpinelinux.org/vuln/CVE-2024-3094
https://security.archlinux.org/CVE-2024-3094
https://security.netapp.com/advisory/ntap-20240402-0001/
https://tukaani.org/xz-backdoor/
https://twitter.com/LetsDefendIO/status/1774804387417751958
https://twitter.com/debian/status/1774219194638409898
https://twitter.com/infosecb/status/1774595540233167206
https://twitter.com/infosecb/status/1774597228864139400
https://ubuntu.com/security/CVE-2024-3094
https://www.binarly.io/blog/persistent-risk-xz-utils-backdoor-still-lurking-in-docker-images
https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094
https://www.darkreading.com/vulnerabilities-threats/are-you-affected-by-the-backdoor-in-xz-utils
https://www.kali.org/blog/about-the-xz-backdoor/
https://www.tenable.com/blog/frequently-asked-questions-cve-2024-3094-supply-chain-backdoor-in-xz-utils
https://www.theregister.com/2024/03/29/malicious_backdoor_xz/
https://www.vicarius.io/vsociety/vulnerabilities/cve-2024-3094
https://xeiaso.net/notes/2024/xz-vuln/
2024-03-29
Published