Anomaly detection and the xz-utils zero-day: A Composite Alert demonstration story

Andy Schneider, April 26, 2024, 7 min read

After the xz-utils vulnerability was disclosed, I started thinking: what if xz-utils had been exploited? 

Whenever a high-profile vulnerability like xz-utils comes to light, security vendors leap into action, strongly marketing and selling their solutions. The whole industry becomes focused on this one vulnerability, and the quickest vendor to respond has a chance to shine. Security professionals rush to patch systems and update detection rules, working quickly to secure systems before attackers can exploit the flaw. 

But only a few vendors, including us at Lacework, also focus on the time before the vulnerability has been disclosed. This is a critical time where CSPM, rules-based detection, and vulnerability management don't help at all. This period often goes unnoticed by the industry due to the lack of attention-grabbing news stories, and as a result, it doesn't receive the priority it deserves. It's during this window that anomaly detection truly shines because it can identify and flag the exploitation of "not-yet-known" vulnerabilities. In the case of this particular exploit, those using Lacework may have been able to identify the vulnerability before it became a full-blown problem.

That's why I created this article about xz-utils — to show the true value of anomaly detection and our Composite Alerts. In this article, I will cover the following:

  1. Explain the xz-utils vulnerability and why it matters
  2. Demonstrate a live-hack of a cloud environment exploiting xz-utils, escalating privileges, gaining persistence, and laterally moving 
  3. Investigate the associated Lacework Composite Alert to understand what the attacker did 

If you want to try it out for yourself, check out my tutorial on GitHub.

Part 1: Understanding the xz-utils vulnerability and anomaly detection

The recent disclosure of a vulnerability in xz-utils, a common compression utility that ships with most Linux distributions, highlights the ever-present threat of undiscovered exploits. This particular vulnerability, which was in the making for nearly two years, underscores the critical importance of anomaly detection in cybersecurity. Interestingly, a developer discovered the vulnerability by chance, simply because the ssh process was behaving unusually.

For readers who may not be familiar with the details of the xz-utils vulnerability (CVE-2024-3094), here's a brief overview:

  • The vulnerability was detected on March 28, 2024, in xz-utils versions 5.6.0 and 5.6.1.
  • It involves a backdoor resulting from a supply chain compromise.
  • This critical vulnerability has a CVSS score of 10, indicating its severity.
  • It allows unauthorized remote code execution by exploiting the sshd service.
  • The exploit works through maliciously modified systemd interactions under specific conditions.

Now, let’s dive further into the background of the xz-utils vulnerability in this video:

Here are the key takeaways from this first video:

  • Vulnerability management and detection: Traditional security measures like patching and rules-based detection become effective only after a vulnerability is publicly known. However, during the period before discovery, these vulnerabilities remain exploitable. Anomaly detection plays a vital role here, helping to identify unusual behaviors that could indicate a breach or an exploit attempt.
  • The role of anomaly detection: Anomaly detection systems are designed to recognize deviations from normal operations, which is essential for identifying exploits of yet-unknown vulnerabilities, such as the one in xz-utils.

Next, we’ll simulate an attack scenario using a controlled environment with Kali Linux as the attacker's OS and a developer host as the target. Our goal is to escape from the developer host and gain root access to a production host, demonstrating how anomaly detection could potentially spot such an attack.

Part 2: Simulating the attack and exploring intrusion techniques

The attack begins with the setup of two virtual machines: the attacker's system running on Kali Linux and the victim's developer machine. The simulation includes real-time monitoring and analysis to demonstrate the attack's progression and technique.

Let’s break down what happened in the demo. 

  • The attack simulation: Using a demo utility named xzbot, which is designed to exploit the xz-utils vulnerability, we constructed an attacker's script on the target system, exfiltrated data, and then cleaned up any traces of the intrusion. This scenario not only illustrates the steps of an exploit but also highlights the effectiveness of anomaly detection in identifying such malicious activities.
  • Attack execution: Starting with reconnaissance, we used the xzbot utility to leverage the xz-utils exploit. This involved creating non-malicious files and scripts on the victim’s machine to avoid any detection. The scripts were used to perform actions like modifying system files and escalating privileges.
  • Data exfiltration and cleanup: As part of the attack, critical data was exfiltrated back to the attacker's machine, and subsequently, all evidence of the intrusion was meticulously removed to avoid detection by traditional and modern snapshot-based scanning methods.
  • Advanced intrusion techniques: The attack demonstrated sophisticated methods such as SSH key propagation using cloud services, firewall manipulation, and the creation of new user accounts, all aimed at establishing a persistent presence on the compromised system.

Part 3: Detecting the intrusion with anomaly detection

In the final phase of our demonstration, we focus on how the intrusion was detected using the Lacework platform, which emphasizes the power of anomaly detection over traditional, rules-based security systems.

Let's explore three key aspects that showcase the Lacework platform’s effectiveness in identifying and responding to the xz-utils vulnerability: 

  • Anomaly vs. rules-based detection: The simulated attack triggered numerous alerts in Lacework, with anomaly detection providing a broader and more detailed view of the suspicious activities than rules-only alerts. This included the creation of new users, usage of system schedulers like cron and systemd, data exfiltration, modification of firewall rules at the hyperscaler level, and unusual network activity.
  • Comprehensive detection and response: The alerts also generated a Composite Alert, which combines multiple indicators of compromise, including suspicious but individually weak signals, into a single alert, offering a holistic view of the potential breach. This is crucial for SOC teams to understand the full scope of an incident and respond effectively.
  • The importance of anomaly detection: The xz-utils demo vividly illustrates that while a specific exploit might not be detected because of its novel nature, the subsequent activities, such as data exfiltration, unauthorized access, and system changes, can be detected through anomaly detection.
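The two ideas in the takeaways of Part 1 and in the detection bullets above (baseline normal behaviour, then fold several weak deviations into one composite alert) can be shown end to end with a small amount of code. The block below is an added example written for this article; it is not Lacework code and does not reflect how the Lacework platform models behaviour. The host name dev-01, the key=value log format, the user names, file paths, executables and the documentation-range IP addresses are all constructed for the demonstration, and the baseline is a deliberately simple exact-match model (a real system would also use frequency, timing and peer-group features).

```python
"""Toy behavioural baseline plus composite alerting over constructed host events.

Added example, not Lacework code: a learn phase builds a per-host baseline of
(user, executable) pairs, outbound dst ip:port pairs and written file paths from
a quiet period; a detect phase flags events outside that baseline and, when
several categories fire on one host in the same window, folds them into a single
composite alert instead of emitting one alert per signal.
"""
from collections import defaultdict

# Constructed sample events in a simple key=value line format (not real logs).
# Quiet period: the developer's usual tooling and one known egress destination.
BASELINE_LOG = """\
2024-04-20T10:00:01Z host=dev-01 type=proc user=dev exe=/usr/bin/python3
2024-04-20T10:00:05Z host=dev-01 type=proc user=dev exe=/usr/bin/git
2024-04-20T10:00:09Z host=dev-01 type=net user=dev dst=203.0.113.10:443
2024-04-20T10:01:00Z host=dev-01 type=proc user=root exe=/usr/sbin/sshd
2024-04-20T10:01:30Z host=dev-01 type=file user=dev path=/home/dev/project/main.py
2024-04-21T10:00:02Z host=dev-01 type=proc user=dev exe=/usr/bin/python3
2024-04-21T10:00:08Z host=dev-01 type=net user=dev dst=203.0.113.10:443
"""

# Observation window (constructed): normal traffic mixed with the kinds of
# post-exploitation activity the article lists (new user, scheduler persistence,
# egress to a never-before-seen destination).
WINDOW_LOG = """\
2024-04-22T03:12:01Z host=dev-01 type=proc user=dev exe=/usr/bin/python3
2024-04-22T03:12:04Z host=dev-01 type=proc user=root exe=/usr/sbin/useradd
2024-04-22T03:12:09Z host=dev-01 type=file user=root path=/etc/cron.d/sysupdate
2024-04-22T03:12:15Z host=dev-01 type=net user=root dst=198.51.100.7:4444
2024-04-22T03:12:20Z host=dev-01 type=net user=dev dst=203.0.113.10:443
"""


def parse(line):
    """Turn one 'ts k=v k=v ...' line into a dict."""
    ts, *pairs = line.split()
    event = {"ts": ts}
    for pair in pairs:
        key, value = pair.split("=", 1)
        event[key] = value
    return event


def feature(event):
    """Map an event to the (category, key) that the baseline is built on."""
    if event["type"] == "proc":
        return "process", (event["user"], event["exe"])
    if event["type"] == "net":
        return "network", event["dst"]
    if event["type"] == "file":
        return "file", event["path"]
    return None, None


def learn_baseline(log_text):
    """host -> category -> set of keys seen during the quiet period."""
    baseline = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        event = parse(line)
        category, key = feature(event)
        if category is not None:
            baseline[event["host"]][category].add(key)
    return baseline


def detect(baseline, log_text, min_categories=2):
    """Return (anomalies per host, composite alerts per host).

    An event is anomalous if its key was never seen for that host and category.
    A composite alert is raised for a host only when its anomalies span at least
    min_categories distinct categories, so a single new binary or a single new
    destination on its own stays a weak signal instead of paging anyone.
    """
    anomalies = defaultdict(list)
    for line in log_text.splitlines():
        event = parse(line)
        category, key = feature(event)
        if category is None:
            continue
        if key not in baseline.get(event["host"], {}).get(category, set()):
            anomalies[event["host"]].append((category, event["ts"], key))
    composites = {}
    for host, items in anomalies.items():
        categories = sorted({category for category, _, _ in items})
        if len(categories) >= min_categories:
            composites[host] = {"categories": categories, "components": items}
    return dict(anomalies), composites


if __name__ == "__main__":
    base = learn_baseline(BASELINE_LOG)
    found, alerts = detect(base, WINDOW_LOG)
    for host, alert in alerts.items():
        print(f"composite alert on {host}: {', '.join(alert['categories'])}")
        for category, ts, key in alert["components"]:
            print(f"  {ts} {category}: {key}")
```

Run as a script, it reports one composite alert on dev-01 made of three components (the useradd execution as root, the new file under /etc/cron.d, and the outbound connection to 198.51.100.7:4444), while the developer's routine python3 run and the usual 443 egress stay silent. Replaying the quiet period through detect() produces nothing, and a window with only one unfamiliar destination is recorded as an anomaly but does not reach the composite threshold; that threshold is what turns several individually weak signals into one alert worth an analyst's time.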

Our unique approach to threat detection

This article provided a detailed walkthrough of a sophisticated cyberattack and highlighted the critical role of advanced detection technologies in protecting against modern threats. Anomaly detection, by identifying deviations from normal behavior, proves essential in the early detection of zero-day exploits and sophisticated cyberattacks. 

Lacework does threat detection differently, which gives our customers three key outcomes:

  1. High-fidelity alerts: Our detection process identifies signals from a variety of sources, correlating them with known attack patterns to generate a high-fidelity alert. This ensures Lacework alerts you only to significant threats by reducing what would be numerous component signals per detected threat into a single alert.
  2. Adaptability and constant learning: Because we correlate known-bad detections with never-before-seen anomaly detections, our threat detection adds a layer of adaptability, constantly learning from all of our customer environments to identify new patterns over time without the need for manual rule updates.
  3. Comprehensive coverage, one tool: Finally, customers are able to track an event from the host all the way to the cloud in a single alert, providing far more comprehensive coverage for multiple attack vectors as well as emerging threats, without needing to spend valuable time moving between multiple consoles and tools.

Given these advantages, Lacework threat detection, specifically our Compromised Host and Compromised Credentials Composite Alerts, would be highly effective at detecting bad actors that have exploited this vulnerability and are actively hiding in your cloud environment.

We know our customers’ time is incredibly valuable, which is why we’re so focused on enabling customers to find and react to issues before they warrant a full-scale incident response.

To learn more about how Lacework can help you, please contact us or sign up for your 14-day free trial here.
