The XZ Utils backdoor caused some panic throughout the security community following the announcement about it on Friday. The immediate response was reminiscent of Log4j, and thankfully, something we don’t experience very often. The Wiz research team has been working around the clock to understand the backdoor and the threat actor behind it, and to surmise what the threat actors were trying to accomplish. Because Microsoft found the threat early, the number of impacted organizations will be much smaller than what could have been. So what’s next? Every security team needs to now answer the question: are we affected by the XZ Util Backdoor?
At Wiz, we talk a lot about having a defense-in-depth strategy, and inevitable situations like these highlight the importance of that approach. Wiz provides multiple methods for assessment, prevention, and detection — including agentless scanning, SBOM search, and using CDR with the Linux runtime sensor. As a result, Wiz customers were quick to realize they had several ways to identify, investigate, and respond to the attack if they were impacted by the vulnerability. This allowed them to answer the question “are we affected?” in near real-time.
Assessment
Agentless scanning
Agentless scanning is indispensable in these circumstances, where you need complete assurance that you have visibility across your entire environment. Within 90 minutes, Wiz researchers added CVE-2024-3094 to the Wiz Threat Center. This enabled customers to automatically know exactly where they are exposed, or not exposed, across their entire environment. For teams that were inactive over the weekend, no action is needed to understand your exposure (which may not have seemed possible in the past, given the difficulty of detecting risk exposure with traditional agent-based solutions or those with uneven agentless coverage).
For teams without Wiz: contact us! With our agentless scanning capabilities, we can be up and running in minutes and give you the answers you need shortly after. This is a no-strings-attached offer; Wiz is here to help.
SBOM search
For advanced customers: have you heard of our agentless SBOM feature? If not, now you have. We generate an SBOM for every agentless scan, which means we have a record of every package on every resource. Customers can search the SBOM inventory for the XZUtil backdoor and identify any instance of it in the environment. From there, teams can investigate and prioritize based on what’s validated by the Wiz runtime sensor, what’s important to in their specific environment, and any additional context added via other filters and queries. With the XZ Util backdoor, only certain versions of Linux distros were impacted, so customers can quickly see what was vulnerable using that filter. Wiz also provided queries to speed up the investigation and recommended that customers look for occurrences on workloads with open SSH installed, as these have the highest risk of exploitation.
For any customers affected: please refer to the remediation guidelines for the specific Linux distribution.
Depending on your approach, it either took a few minutes or under 2 hours to report back on your organization's exposure. We saw two strategies to identify the risk, and now we can look at two strategies to prevent future risk: the Wiz CLI and Runtime Response Policies.
Prevention
Most users will likely find that they don't have vulnerable packages in their cloud environment — but let's ensure it stays that way. Wiz can assist you in identifying and removing supply chain risks. You can utilize the Wiz CLI for container and VM image scanning to assess vulnerabilities and exposed secrets before they reach production. Additionally, Wiz can integrate with your code repositories (GitHub SPM) to prevent vulnerabilities, misconfigurations, and secrets by scanning all pull requests. This ensures that your main code base remains safe from new threats. Wiz keeps you secure from build to runtime.
For Wiz Runtime Sensor users, coincidentally, Runtime Response Policies were announced for Public Preview on 4/02. We provide multiple threat detection rules that can be applied across your environment, or specifically on Linux VMs, allowing you to define automated response policies. Additionally, users can review the runtime execution history of high-risk resources to check for any anomalous behavior.
Finally, it’s worth asking the question: what if the Microsoft engineer didn’t stumble on this backdoor? Incidents like this underscore the need for a thorough assessment of security programs. While many organizations rightly prioritize reducing risks and minimizing their attack surface, it's essential not to stop there. The fact that no security tool could have detected this backdoor emphasizes the necessity of a defense-in-depth strategy.
Detection
Utilizing Wiz CDR with the Linux sensor, we could have detected second-stage activity — and we still might. Following the exploitation of the backdoor, our sensor would have identified additional malware, connections to other servers, or other anomalous behavior. Wiz equips you with everything necessary for investigation, forensic data collection, and swift response.
Adopting a proactive and reactive strategy
While I hope that finding this backdoor early was a stroke of luck, and that it's an isolated incident, we must consider the possibility of similar backdoors ready for exploitation. The best approach for all of us is to adopt a defense-in-depth strategy. While we aim for risk-free, secure environments, incidents like this underscore the importance of proactive and reactive approaches to cloud security.
Want to learn more about this supply chain compromise? Join a discussion with our threat research team on everything you need to know about the XZ Utils vulnerability.
