CyberHappenings logo
Home Browse About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

XZ Utils Backdoor Discovered in Docker Hub Images

First reported
Last updated
2 unique sources, 2 articles

Summary

Hide ▲

The XZ Utils backdoor, discovered in March 2024, continues to pose risks as 35 Docker Hub images containing the backdoor remain available. These images, identified by Binarly, include 12 Docker images and 23 second-order images. The backdoor, designated CVE-2024-3094, allows unauthorized remote access and execution of arbitrary payloads through SSH. The incident highlights ongoing risks in the software supply chain. The XZ Utils backdoor was embedded in versions 5.6.0 and 5.6.1. The backdoor was introduced by a developer named Jia Tan, who had been contributing to the project for nearly two years to gain trust. The incident is considered a sophisticated, state-sponsored operation. The backdoor affects the liblzma.so library used by the OpenSSH server, allowing attackers with a specific private key to bypass authentication and execute root commands remotely.

Timeline

  1. 12.08.2025 21:17 2 articles · 1mo ago

    XZ Utils Backdoor Found in 35 Docker Hub Images

    Researchers have identified 35 Docker Hub images containing the XZ Utils backdoor. These images include 12 Docker images and 23 second-order images. The backdoor, designated CVE-2024-3094, was distributed by Debian, Fedora, and OpenSUSE before being rolled back. Debian maintainers chose to leave the impacted images available as historical artifacts. The backdoor's exploitation requires specific conditions, including running an SSH server inside the container.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Brickstorm Malware Used in Long-Term Espionage Against U.S. Organizations

The UNC5221 activity cluster, attributed to suspected Chinese hackers, has been using the BRICKSTORM malware in long-term espionage operations against U.S. organizations in the technology, legal, SaaS, and BPO sectors. The malware, a Go-based backdoor, has been active for over a year, with an average dwell time of 393 days. It has been used to steal data from various sectors, including SaaS providers and BPOs. The attackers exploit vulnerabilities in edge devices and use anti-forensics techniques to avoid detection. The malware serves multiple functions, including web server, file manipulation, dropper, SOCKS relay, and shell command execution. It targets appliances without EDR support, such as VMware vCenter/ESXi, and uses legitimate traffic to mask its C2 communications. The attackers aim to exfiltrate emails and maintain stealth through various tactics, including removing the malware post-operation to hinder forensic investigations. The attackers use a malicious Java Servlet Filter (BRICKSTEAL) on vCenter to capture credentials, and clone Windows Server VMs to extract secrets. The stolen credentials are used for lateral movement and persistence, including enabling SSH on ESXi and modifying startup scripts. The malware exfiltrates emails via Microsoft Entra ID Enterprise Apps, utilizing its SOCKS proxy to tunnel into internal systems and code repositories. UNC5221 focuses on developers, administrators, and individuals tied to China's economic and security interests. Mandiant has released a free scanner script to help defenders detect BRICKSTORM. The BRICKSTORM backdoor is under active development, with a variant featuring a delay timer for C2 communication. The attackers have exploited Ivanti Connect Secure zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887) for initial access. The attackers have used a custom dropper to install a malicious Java Servlet filter (BRICKSTEAL) in memory, avoiding detection. The attackers have modified init.d, rc.local, or systemd files to ensure persistence on appliances. The attackers have targeted Windows environments in Europe since at least November 2022. The attackers have been linked to other related Chinese threat actors besides UNC5221. The campaign has been monitored by Mandiant since March 2025. The attackers have targeted downstream customers of compromised SaaS providers. The attackers are believed to be analyzing stolen source code to identify zero-day vulnerabilities in enterprise technologies. The attackers use a delay timer to lie dormant on infected systems until a hard-coded date. The malware employs Garble, an open-source tool, for code obfuscation to hide function names, structures, and logic. Brickstorm has been found on VMware vCenter and ESXi hosts, often deployed prior to pivoting to these systems. The attackers use legitimate cloud services like Cloudflare Workers or Heroku for C2 communications. The attackers use dynamic domains like sslip.io or nip.io that point directly to the C2 server’s IP. The attackers favor appliance and management-plane compromise, per-victim obfuscated Go binaries, delayed-start implants, and Web/DoH C2 to preserve stealth. The attackers harvest and use valid high-privilege credentials to appear as routine administrator tasks. The attackers deploy in-memory servlet filters, remove installer artifacts, and embed delayed-start logic to limit forensic traces. The attackers abuse virtualization management capabilities, such as cloning VMs to extract credential stores offline. The attackers deploy an in-memory Java Servlet filter on vCenter to intercept and decode web authentication to harvest high-privilege credentials. The attackers use a SOCKS proxy on compromised appliances to tunnel into internal networks for interactive access and file retrieval.

Open in new tab

Malicious nx Packages Exfiltrate Credentials in 's1ngularity' Supply Chain Attack

The Shai-Hulud attack, a self-replicating malware, has compromised at least 187 npm packages, affecting multiple maintainers. The attack uses a self-propagating mechanism to infect other packages by the same maintainer, modifying package.json, injecting a bundle.js script, repacking the archive, and republishing it. The malware uses TruffleHog to search the host for tokens and cloud credentials, creating unauthorized GitHub Actions workflows within repositories and exfiltrating sensitive data to a hardcoded webhook endpoint. The attack is named 'Shai-Hulud' after the shai-hulud.yaml workflow files used by the malware and follows the 's1ngularity' attack, potentially orchestrated by the same attackers. The attack unfolded in three phases, impacting 2,180 accounts and 7,200 repositories. The first phase, between August 26 and 27, directly impacted 1,700 users, leaking over 2,000 unique secrets and exposing 20,000 files. The second phase, between August 28 and 29, compromised an additional 480 accounts, mostly organizations, and exposed 6,700 private repositories. The third phase, beginning on August 31, targeted a single victim organization, publishing an additional 500 private repositories. The attackers used AI-powered CLI tools like Claude, Q, and Gemini to dynamically scan for high-value secrets, tuning the prompts for better success.

Open in new tab

UNC6384 Targets Diplomats with PlugX via Captive Portal Hijacks

UNC6384, a China-nexus threat actor, has been targeting diplomats in Southeast Asia and other entities globally to advance Beijing's strategic interests. The group employs a multi-stage attack chain leveraging advanced social engineering, valid code signing certificates, adversary-in-the-middle (AitM) attacks, and indirect execution techniques to evade detection. The campaign, detected in March 2025, uses captive portal redirections to deliver a PlugX variant called SOGU.SEC. The attacks involve redirecting web traffic through a captive portal to a threat actor-controlled website, downloading a digitally signed downloader (STATICPLUGIN), and deploying the SOGU.SEC backdoor in memory. The malware supports commands to exfiltrate files, log keystrokes, and launch remote command shells. The campaign highlights the sophistication of PRC-nexus threat actors and their evolving operational capabilities. The campaign targeted around two dozen victims, primarily Southeast Asian diplomats, between March and July 2025. The attack chain involved compromised edge devices intercepting captive portal checks and redirecting users to a malicious website. The malicious website used a valid TLS/SSL certificate issued by Let's Encrypt to avoid browser security warnings. The first-stage malware, STATICPLUGIN, dropped a launcher called CANONSTAGER, which used unconventional techniques to hide its activities. The final payload was a variant of the PlugX backdoor, tracked by Google as SOGU.SEC. In September 2025, new information revealed that the PlugX variant overlaps with RainyDay and Turian backdoors, targeting telecommunications and manufacturing sectors in Central and South Asia. The campaign is linked to Mustang Panda, which also uses Bookworm malware. Bookworm has been used since 2015 and includes capabilities to execute commands, upload/download files, exfiltrate data, and establish persistent access.

Open in new tab

Murky Panda, Genesis Panda, Glacial Panda Cloud and Telecom Intrusions

Chinese hacking groups Murky Panda, Genesis Panda, and Glacial Panda have escalated their cloud and telecom espionage activities. Murky Panda, also known as Silk Typhoon, exploits trusted cloud relationships and zero-day vulnerabilities to breach enterprise networks. They target government, technology, academic, legal, and professional services entities in North America. Murky Panda exploits internet-facing appliances and known security flaws in Citrix, Commvault, and Ivanti Pulse Connect VPN to deploy web shells and custom malware. They compromise exposed SOHO devices and deploy web shells to establish persistence. In recent attacks, Murky Panda exploited zero-day vulnerabilities to break into a SaaS provider's cloud environment and gain access to the provider's application registration secret in Entra ID. They also compromised a Microsoft cloud solution provider with delegated administrative privileges (DAP) to gain Global Administrator rights across all downstream tenants. Genesis Panda, active since January 2024, targets financial, media, telecommunications, and technology sectors across 11 countries. They leverage cloud services for exfiltration and persistence. Glacial Panda targets telecoms in 12 countries, exploiting Linux systems and legacy technologies. They use privilege escalation bugs and trojanized OpenSSH components for backdoor access.

Open in new tab

Russian FSB-linked Hackers Exploit Cisco Smart Install Vulnerability for Cyber Espionage

Static Tundra, a Russian state-sponsored cyber espionage group linked to the FSB's Center 16 unit, has been actively exploiting a seven-year-old vulnerability in Cisco IOS and IOS XE software (CVE-2018-0171) to gain persistent access to target networks. The group has been targeting organizations in telecommunications, higher education, manufacturing, and critical infrastructure sectors across multiple continents. The attacks involve collecting configuration files, deploying custom tools like SYNful Knock, and modifying TACACS+ configurations to achieve long-term access and information gathering. The FBI and Cisco Talos have issued advisories warning about the ongoing campaign, which has been active for over a year and has targeted critical infrastructure sectors in the US and abroad. The group has also increased attacks on Ukraine since the start of the war. The vulnerability allows unauthenticated, remote attackers to execute arbitrary code or trigger DoS conditions. Cisco has advised customers to apply the patch for CVE-2018-0171 or disable Smart Install to mitigate the risk. The group has also targeted networks of US state, local, territorial, and tribal (SLTT) government organizations and aviation entities over the last decade. The threat extends beyond Russia's operations—other state-sponsored actors are likely conducting similar network device compromise campaigns.

Open in new tab