COSCUP 2024

Learn Supply Chain Attacks Through XZ Utils Backdoor
2024-08-03, 15:00–15:30 (Asia/Taipei), TR610

On March 29, 2024, Andres Freund, a Microsoft software developer, emailed Openwall informing the community of the discovery of an SSH backdoor in XZ Utils 5.6.0 and 5.6.1 (CVE-2024-3094). XZ Utils is a suite of open-source software that provides developers with lossless compression. The tool is very widely distributed as it comes installed by default on most Linux distributions and macOS systems.
In this talk, I will walk you through the complete story of how XZ Utils was found to be compromised and how the attacker slowly gained trust and finally released his backdoor into the wild. I will also briefly talk about other popular supply chain attacks and what we can learn from all these stories.

Charles Cheng is a cybersecurity enthusiast, currently a member of Black Bauhinia and the HKUST Firebird CTF team. He is passionate about the cybersecurity field, interested in studying different cybersecurity issues, and loves spending time playing Capture-the-Flag (CTF) competitions.