Here's how a German Microsoft software engineer's 'curiosity and craftsmanship' saved the world's internet from the 'most widespread and effective backdoor ever planted in any software product'

What you need to know

  • Last week, a German Microsoft engineer uncovered a cyber attack that would have potentially allowed threat actors to access data from millions of unsuspecting users.
  • The software engineer started investigating the issue after noticing sluggish processing power while using SSH to access computers remotely during routine checks. 
  • Cybersecurity firms call the attack "the most widespread and effective backdoor ever planted in any software product."
  • The issue was fixed a few hours after the software engineer reported it to a group of open-source software developers.

Last week, while most of us were out for the Easter holiday, 38-year-old German Microsoft engineer Andres Freund may have saved the world from a significant cyber attack.

For context, Freund is a software engineer specializing in developing open-source database software known as PostgreSQL. Part of his job description requires him to run regular maintenance checks, which brings us to Friday, 29, 2024.

How did the engineer identify the issue?


While running his routine maintenance checks, Freund stumbled on something that seemed somewhat off. The software engineer uses a tool called SSH to access computers remotely over the internet. The process is usually smooth and seamless, but it was a bit slow on this particular day.

This slowdown prompted the engineer to investigate the matter, and what he found was highly alarming: malicious code buried in a software package called XZ Utils. The tool compresses and decompresses data on the Linux OS.

As you might be aware, most internet servers (including those of the world's biggest companies, like banks and hospitals) are powered by the Linux operating system, which also relies heavily on the XZ Utils software package. Freund's investigation revealed that the malicious code made its way to his device via two recent updates for XZ Utils.

While most software-based tools are susceptible to bugs (especially when new updates are rolled out), Freund says this wasn't a mistake or bug. Instead, the software engineer believes the backdoor was intentionally placed in the program to cause havoc. As a result, the attacker could access a user's SSH connection and run their own code without the unsuspecting user's knowledge.

Freund admitted that he didn't believe his initial findings, but after he ran more tests and analysis, the results ultimately removed the doubt. Consequently, he shared his findings with a group of open-source software developers so they could scrutinize them and possibly come up with a plausible solution.

Luckily, the developers were able to come up with a fix for the issues in a couple of hours. Alex Stamos, the chief trust officer at SentinelOne, praised Freund for his discovery and swift action while speaking to The New York Times:

"This could have been the most widespread and effective backdoor ever planted in any software product."

Who was behind the sophisticated attack?


Details about the hacker behind this attack remain slim, though researchers looking into the issue have spotted subtle changes to XZ Utils from 2022. However, it's believed that a hacker group used the pseudonym Jia Tan to infiltrate the system.

The attackers used a sophisticated ploy to slowly gain the trust of developers, ultimately allowing them to rise quickly in the ranks, from suggesting program code to becoming maintainers who review and approve the suggested changes. 

Kevin Okemwa
Contributor

Kevin Okemwa is a seasoned tech journalist based in Nairobi, Kenya with lots of experience covering the latest trends and developments in the industry at Windows Central. With a passion for innovation and a keen eye for detail, he has written for leading publications such as OnMSFT, MakeUseOf, and Windows Report, providing insightful analysis and breaking news on everything revolving around the Microsoft ecosystem. You'll also catch him occasionally contributing at iMore about Apple and AI. While AFK and not busy following the ever-emerging trends in tech, you can find him exploring the world or listening to music.

  • fdruid
    This is at the same time a damning and redeeming tale for Open Source development.
    In the end the guy did discover it by accident and fixed it with other devs, but the hackers were more efficient, they got their damage done too easy.