# [CRIT] The XZ backdoor CVE-2024-3094

**Source:** Snyk
**Published:** 2024-03-31
**Article:** https://snyk.io/blog/the-xz-backdoor-cve-2024-3094/

## Threat Profile

Snyk Blog In this article
Written by Liran Tal 
March 31, 2024
0 mins read On the 29th of March 2024, the high-stakes investment and prolonged campaign to plant a backdoor in the Linux software library liblzma to gain access to multiple operating systems via Linux distributions was carried out by a malicious actor — and arguably succeeded, until a curious engineer noticed a glitch.
Currently known affected upstream software and proposed mitigation:
Asset 
Compromised version 
Safe versions 
CVE …

## Indicators of Compromise (high-fidelity only)

- **CVE:** `CVE-2024-3094`
- **SHA256:** `319feb5a9cddd81955d915b5632b4a5f8f9080281fb46e2f6d69d53f693c23ae`
- **SHA256:** `605861f833fc181c7cdcabd5577ddb8989bea332648a8f498b4eef89b8f85ad4`
- **SHA256:** `8fa641c454c3e0f76de73b7cc3446096b9c8b9d33d406d38b8ac76090b0344fd`
- **SHA256:** `b418bfd34aa246b2e7b5cb5d263a640e5d080810f767370c4d2c24662a274963`
- **SHA256:** `cbeef92e67bf41ca9c015557d81f39adaba67ca9fb3574139754999030b83537`
- **SHA256:** `5448850cdc3a7ae41ff53b433c2adbd0ff492515012412ee63a40d2685db3049`

## MITRE ATT&CK Techniques

- **T1190** — Exploit Public-Facing Application
- **T1195.002** — Compromise Software Supply Chain
- **T1027** — Obfuscated Files or Information
- **T1554** — Compromise Host Software Binary
- **T1574.006** — Dynamic Linker Hijacking

## Kill chain phases observed

_(none detected from narrative keywords)_

## Recommended hunts

### Vulnerable xz / liblzma 5.6.0 or 5.6.1 in software inventory (CVE-2024-3094)

`UC_1266_3` · phase: **delivery** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=t count, min(_time) as firstTime, max(_time) as lastTime, values(Vulnerabilities.signature) as signature, values(Vulnerabilities.severity) as severity from datamodel=Vulnerabilities.Vulnerabilities where Vulnerabilities.cve="CVE-2024-3094" OR (Vulnerabilities.signature IN ("xz","xz-utils","xz-libs","liblzma","liblzma5") AND (Vulnerabilities.signature="*5.6.0*" OR Vulnerabilities.signature="*5.6.1*")) by Vulnerabilities.dest, Vulnerabilities.cve, Vulnerabilities.category | `drop_dm_object_name(Vulnerabilities)` | eval action="downgrade_to_5.4.6" | convert ctime(firstTime) ctime(lastTime) | sort - lastTime
```

**Defender KQL:**
```kql
// Article: only xz/liblzma 5.6.0 and 5.6.1 are compromised; 5.4.6 is the safe downgrade target.
let VulnByCve = DeviceTvmSoftwareVulnerabilities
    | where CveId == "CVE-2024-3094"
    | project DeviceId, DeviceName, OSPlatform, OSVersion, SoftwareVendor, SoftwareName, SoftwareVersion, VulnerabilitySeverityLevel, RecommendedSecurityUpdate;
let VulnByVersion = DeviceTvmSoftwareInventory
    | where OSPlatform !startswith "Windows"
    | where SoftwareName has_any ("xz", "xz-utils", "xz-libs", "liblzma", "liblzma5")
    | where SoftwareVersion startswith "5.6.0" or SoftwareVersion startswith "5.6.1"
    | project DeviceId, DeviceName, OSPlatform, OSVersion, SoftwareVendor, SoftwareName, SoftwareVersion;
union VulnByCve, VulnByVersion
| join kind=leftouter (DeviceInfo | summarize arg_max(Timestamp, OSDistribution, PublicIP, LoggedOnUsers) by DeviceId) on DeviceId
| project DeviceName, OSPlatform, OSDistribution, OSVersion, SoftwareVendor, SoftwareName, SoftwareVersion, CveId="CVE-2024-3094", PublicIP, LoggedOnUsers
| order by DeviceName asc
```

### sshd loads compromised liblzma.so.5.6.0 / 5.6.1 (CVE-2024-3094 runtime trigger)

`UC_1266_4` · phase: **install** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=t count, min(_time) as firstTime, max(_time) as lastTime, values(Filesystem.file_path) as file_path, values(Filesystem.action) as action from datamodel=Endpoint.Filesystem where (Filesystem.file_name="liblzma.so.5.6.0" OR Filesystem.file_name="liblzma.so.5.6.1") AND (Filesystem.process_name="sshd" OR Filesystem.process_name="systemd" OR Filesystem.process_name="systemd-cryptsetup") by Filesystem.dest, Filesystem.process_name, Filesystem.file_name, Filesystem.process_id, Filesystem.user | `drop_dm_object_name(Filesystem)` | convert ctime(firstTime) ctime(lastTime) | sort - lastTime
```

**Defender KQL:**
```kql
// Article: backdoor activates when sshd (via libsystemd) loads the malicious liblzma.so.5.6.0 / 5.6.1.
DeviceImageLoadEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "sshd"
    or InitiatingProcessFileName =~ "sshd"
    or InitiatingProcessFileName =~ "systemd"
| where FileName endswith "liblzma.so.5.6.0"
    or FileName endswith "liblzma.so.5.6.1"
    or FolderPath has_any ("liblzma.so.5.6.0", "liblzma.so.5.6.1")
| join kind=leftouter (
    DeviceInfo
    | summarize arg_max(Timestamp, OSDistribution, PublicIP, IsInternetFacing) by DeviceId
  ) on DeviceId
| project Timestamp, DeviceName, OSPlatform, OSDistribution, IsInternetFacing, PublicIP, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, FileName, FolderPath, SHA256
| order by Timestamp desc
```

### Trusted vendor binary / installer launching unusual children

`UC_SUPPLY_CHAIN` · phase: **exploit** · confidence: **Medium**

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Processes
    where Processes.parent_process_name IN ("setup.exe","installer.exe","update.exe")
      AND Processes.process_name IN ("powershell.exe","cmd.exe","rundll32.exe","regsvr32.exe","mshta.exe","wscript.exe","cscript.exe","wmic.exe","bitsadmin.exe")
    by Processes.dest, Processes.user, Processes.parent_process_name, Processes.process_name, Processes.process
| `drop_dm_object_name(Processes)`
```

**Defender KQL:**
```kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where AccountName !endswith "$"
| where InitiatingProcessFileName in~ ("setup.exe","installer.exe","update.exe")
| where FileName in~ ("powershell.exe","cmd.exe","rundll32.exe","regsvr32.exe","mshta.exe","wscript.exe","cscript.exe","wmic.exe","bitsadmin.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine
```

### IOC-driven hunts (use shared templates)

These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing.

- **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High**
  - CVE(s): `CVE-2024-3094`

- **File hash IOCs — endpoint file/process match** ([template](../_TEMPLATES.md#hash-ioc)) — phase: **install**, confidence: **High**
  - file hash IOC(s): `319feb5a9cddd81955d915b5632b4a5f8f9080281fb46e2f6d69d53f693c23ae`, `605861f833fc181c7cdcabd5577ddb8989bea332648a8f498b4eef89b8f85ad4`, `8fa641c454c3e0f76de73b7cc3446096b9c8b9d33d406d38b8ac76090b0344fd`, `b418bfd34aa246b2e7b5cb5d263a640e5d080810f767370c4d2c24662a274963`, `cbeef92e67bf41ca9c015557d81f39adaba67ca9fb3574139754999030b83537`, `5448850cdc3a7ae41ff53b433c2adbd0ff492515012412ee63a40d2685db3049`


## Why this matters

Severity classified as **CRIT** based on: CVE present, IOCs present, 5 use case(s) fired, 5 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.