Achray In Practice: The XZ Utils Backdoor
We have put together a demonstration of the Achray anomaly-detection product. In brief, we monitored a simulated office network while the XZ Utils backdoor (CVE-2024-3094, which shipped in xz/liblzma 5.6.0 and 5.6.1) was deployed to one workstation. The backdoor was first noticed by Andres Freund, and documented signatures for it are now available in most security tools. The question we wanted to answer was whether Achray could detect the deployment of the backdoor, before any exploitation, with no signature and no forewarning.

Overall plot of all event timings being logged.
From a mass of event timings logged across an active development environment, Achray picked out the machine and the subsystem that were behaving anomalously within 75 seconds of the backdoor being deployed, with no background knowledge of the threat and no signature.
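To make the idea in the paragraph above concrete, here is an added illustration of signature-free timing anomaly detection. It is not Achray's code and says nothing about how Achray actually scores events; it only shows the shape of the problem. Events are bucketed into fixed windows per (host, subsystem), and a window is flagged when its count sits far outside that key's own earlier windows. Only windows that have already closed feed the baseline, so the detector never looks ahead. The log format, host names, subsystems, rates, window width and threshold are all assumptions, and the sample log is constructed, with a burst of activity injected on one workstation at t=200 s.

```python
from collections import defaultdict, deque
from statistics import median


def parse_line(line):
    """Parse a constructed log line: '<epoch-seconds> <host> <subsystem> <message>'."""
    ts, host, subsystem, _message = line.split(" ", 3)
    return float(ts), host, subsystem


class TimingAnomalyDetector:
    """Online event-rate anomaly detector keyed by (host, subsystem).

    Events are bucketed into fixed windows. When a window closes, each key's
    count is compared with that key's OWN past windows using a robust
    median/MAD score, so a noisy key never raises the alarm for a quiet one.
    Only windows that have already closed feed the baseline: no hindsight.
    """

    def __init__(self, window=10.0, warmup=6, threshold=6.0, history=60):
        self.window = window        # window width in seconds (assumed)
        self.warmup = warmup        # closed windows needed before a key is scored
        self.threshold = threshold  # robust z-score that raises an alert (assumed)
        self.history = history      # number of past windows kept per key
        self.current = None                  # index of the window being filled
        self.counts = defaultdict(int)       # key -> events in the current window
        self.baseline = defaultdict(deque)   # key -> counts of past windows
        self.alerts = []                     # (alert_ts, key, count, score)

    def observe(self, ts, key):
        """Feed one event; the stream must be in timestamp order."""
        idx = int(ts // self.window)
        if self.current is None:
            self.current = idx
        while idx > self.current:        # time moved on: close finished windows
            self._close_window()
        self.counts[key] += 1

    def flush(self):
        """Close the window still open at the end of the stream."""
        if self.current is not None:
            self._close_window()

    def _close_window(self):
        end = (self.current + 1) * self.window
        # Keys seen in the past but silent now still get a zero-count window.
        for key in list(self.baseline.keys() | self.counts.keys()):
            n = self.counts.get(key, 0)
            hist = self.baseline[key]
            if len(hist) >= self.warmup:
                med = median(hist)
                mad = median(abs(x - med) for x in hist)
                score = (n - med) / max(mad, 1.0)  # floor MAD so constant keys stay finite
                if score > self.threshold:
                    self.alerts.append((end, key, n, score))
            hist.append(n)               # score first, then learn from this window
            if len(hist) > self.history:
                hist.popleft()
        self.counts.clear()
        self.current += 1


def detect(lines, **params):
    """Run the detector over time-ordered log lines and return its alerts."""
    det = TimingAnomalyDetector(**params)
    for line in lines:
        ts, host, subsystem = parse_line(line)
        det.observe(ts, (host, subsystem))
    det.flush()
    return det.alerts


def constructed_log(duration=300.0, inject_at=200.0):
    """Constructed sample: five workstations with periodic activity, plus an
    optional burst of 30 'pkg' events on ws-03 inside five seconds. Hosts,
    subsystems and rates are assumptions, not data from any real network."""
    lines = []
    hosts = ["ws-01", "ws-02", "ws-03", "ws-04", "ws-05"]
    periods = {"build": 2.0, "sshd": 7.0, "pkg": 30.0}  # seconds between events
    for i, host in enumerate(hosts):
        for subsystem, period in periods.items():
            t = i * 0.3                  # deterministic per-host phase offset
            while t < duration:
                lines.append(f"{t:.3f} {host} {subsystem} periodic activity")
                t += period
    if inject_at is not None:
        for k in range(30):
            lines.append(f"{inject_at + k * 0.15:.3f} ws-03 pkg unexpected burst")
    lines.sort(key=lambda line: float(line.split(" ", 1)[0]))
    return lines


if __name__ == "__main__":
    for alert_ts, key, count, score in detect(constructed_log()):
        print(f"t={alert_ts:.0f}s {key[0]}/{key[1]} count={count} score={score:.1f}")
```

Run stand-alone, it reports one alert, for ws-03/pkg, at t=210 s: the burst lands in the window [200, 210) and is scored the moment that window closes, ten seconds after the injection, while the regular build and sshd activity on every host stays well under the threshold. Two caveats worth keeping in mind for any detector of this kind: the detection latency cannot be shorter than the window width, and a (host, subsystem) pair that has never been seen before has no baseline at all, so it is not scored until its warm-up completes; a detector used in earnest would also want to alert on never-before-seen subsystems rather than silently learning them.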

The relevant feature and point in time selected by Achray.
Achray specializes in recognizing new threats without requiring extensive metadata or background knowledge, or as Dr. Clift likes to say: "It's always easy to find the bottom of the curve looking back; it's much harder to do it without hindsight". The full details of the test will be published in an article shortly.