Last week, security circles were left in disbelief after a critical vulnerability was discovered in a popular tool in Linux – only narrowly avoiding the mainstream as experts pointed the blame at an anonymous state actor.

Described as a ‘backdoor’ exploit, the vulnerability affected an extremely popular open-source compression software called XZ Utils and was seemingly designed for unauthorised access to affected systems at the level of any authorised administrator.

The exploit, which was picked up by Microsoft software engineer Andres Freund, was only weeks away from potentially reaching popular Linux distributions Red Hat and Debian – and given the majority of global servers run Linux, the ramifications could have been completely catastrophic.

As tech and security YouTuber SavvyNik points out, if left unchecked it could have surreptitiously embedded itself into a countless number of cloud infrastructures, enterprise servers and even personal computers running Linux operating systems such as Ubuntu, Red Hat and Debian.

“We’re lucky that it didn’t get widespread,” said SavvyNik.

“If we wouldn’t have been able to detect this exploit, it could have gone on for a much longer period.

“We’re talking months or even years.”

Security experts speculate had the exploit not been detected, the attacker could have used it to gain unauthorised access to sensitive data and execute further attacks, potentially compromising critical infrastructure such as defence networks, transportation, financial systems and power grids reliant on Linux.

And while the vulnerability itself is a highly technical one, security observers have been surprised to find simple social engineering played a major role in the would-be security crisis.

Social engineering at its finest

Social engineering involves psychologically manipulating victims into taking security-compromising actions – such as giving up passwords or sensitive data – under false pretences.

Conventional examples of social engineering typically see employees opening the door to a restricted area to someone claiming to be a maintenance worker, or a phishing victim handing over their card details to someone who says they’re from the tax office.

In the XZ Utils exploit however, the attacker fooled a lead developer of the open-source software into granting them access to the project’s code.

The pseudonymous attacker Jia Tan first contributed code to XZ Utils in April 2022, and remained a contributor for nearly two years.

Tan made approved, legitimate contributions and gradually built up their reputation among the XZ Utils community, before eventually pressuring the volunteer owner, Lasse Collin, into granting them the status of trusted maintainer for the project.

Tan reportedly did this by using anonymous ‘sockpuppet’ accounts to publicly criticise and emotionally coerce Collin, creating the false impression Collin was failing the XZ Utils community and needed the assistance of other volunteers.

While Tan was ostensibly helping to alleviate some responsibility from Collin, they eventually used their trusted status to quietly deploy the XZ Utils backdoor exploit.

Not just a technical issue

While the technical prowess and long-term effort of Tan’s exploit has led experts to speculate they may be an anonymous state actor, it would have been altogether impossible without the simple use of social engineering.

Jason Murrell, Independent Chair of Cyber Security Certification Australia and co-founder of cyber security organisation MurFin Group, said the XZ Utils exploit highlights the importance of human awareness in cyber security.

“It’s a common mistake to assume social engineering only targets non-tech workers through phishing exploits,” said Murrell.

“The XZ Utils incident underscores that even trusted developers can be manipulated and can likewise manipulate others.”

Murrell explained social engineering is a threat which “transcends technical expertise”, citing an experience he had in a cyber security startup where a lead technical developer fell for social engineering tactics as part of an internal phishing test.

“We had an in-house developer, who was highly skilled and technically capable, fall for one of our own internal phishing tests while trying to make a purchase through his PayPal account,” said Murrell.

“Thankfully, the incident occurred in a safe environment, but it’s situations like this which demonstrate how big of a mistake it is to assume social engineering only targets non-tech workers.

“Professionals of all levels, including those of technical roles, need to remain vigilant.”

In June 2022, Collin wrote his “ability to care” for the project had been limited due to “long-term mental health issues”, going on to mention he had been working with Tan and forecasting a “bigger role in the future” for the eventual backdoor hacker.

“If an attacker is trying to access your systems – especially for a decent-size business or a sensitive piece of software – they’ll often hunt for the right leverage on someone,” said Murrell.

“Regardless of expertise, attackers can manipulate even the most skilled professionals into compromising their security.

“With more and more sensitive data being exposed – whether through oversharing on social media or data breaches at the likes of Medibank – those looking to socially manipulate victims have plenty of ammunition at their disposal.”

On social networking platform Mastodon, open-source developer ‘Glyph’ said the incident should serve as a wakeup call for the security industry.

“I really hope that this causes an industry-wide reckoning with the common practice of letting your entire goddamn product rest on the shoulders of one overworked person having a slow mental health crisis without financially or operationally supporting them whatsoever,” said Glyph.

Thankfully, Tan made a fatal human error themself by deploying the exploit with a traceable impact on computing resources – enabling Freund to detect something was awry in XZ Utils and notify the open-source community of the backdoor threat.

Developer platform GitHub has since suspended both Tan’s and Collin’s accounts.