
Linus Tech Tips, Tech Quickie, Tech Linked channels hacked

betav17
Message added by Spotty,

The Linus Tech Tips, TechLinked, and TechQuickie Youtube channels have been restored.

A video explaining what happened is now up:

5 minutes ago, Mikezz said:

Highly unlikely scenario. 

I still think Redline Stealer was the cause of this

n3ptune_cpu

Well I guess let's hope it's only the YouTube channels... As someone working in IT, I know that if payment details are involved, or even worse, personally identifiable information... Let's say the sh*t hits the fan...

Good luck with disaster control.


Just now, Spotty said:

It's not a video, it's just a text message. A copy is pinned to the top of this page if you would like to read it.

I know there is a lot going on... but in terms of the forum, has there been any indication of a breach here? Just asking, as if they had their YouTube sessions compromised, there is a non-zero chance that whatever LTT account was logged into the LTT forum also had the session keys stolen.

3735928559 - Beware of the dead beef


The workday at LMG today is going to be a nightmare for everyone who has access to the channels, not that Linus will go off on anyone but having to secure everything is just a slog.

I'm the reason we can't have nice things

Row row fight the power!


Hacking LTT to promote BitCoin via Elon Musk ??!?!?! 🤣🤣

It's like hacking HardwareUnboxed and promoting Nvidia and their politics and business model. 

This truly is peak irony right there. Of all the channels that could've had any success with that stuff, they chose exactly the one where 99% of the people are ready to publicly lynch miners and crypto traders. I still can't stop laughing.

| Ryzen 7 5800X3D | Arctic Liquid Freezer II 360 Rev 7| AsRock X570 Steel Legend |

| 4x16GB G.Skill Trident Z Neo 4000MHz CL16 | Sapphire Nitro+ RX 6900 XT | Seasonic Focus GX-1000|

| 512GB A-Data XPG Spectrix S40G RGB | 2TB A-Data SX8200 Pro| Phanteks Eclipse G500A |


6 minutes ago, Taf the Ghost said:

LMG's biggest headache is now they can't trust any of the computers on their network until they run a basically deep check on everything. That's the real headache that comes with this.

Perhaps not

I doubt just anyone can log in and upload videos.

So they can narrow it down to the computers of people that are able to log in.


2 minutes ago, n3ptune_cpu said:

I still think Redline Stealer was the cause of this

Hm, if it was Redline, the question is how did they get remote code execution... Who clicked? And what else came in a package with that. They'll probably have some persistence or spreading in there... I hate this stuff, it's such a pain to make sure nothing worse happened, especially with IoT devices...


Just now, LightJack05 said:

Hm, if it was Redline, the question is how did they get remote code execution... Who clicked? And what else came in a package with that. They'll probably have some persistence or spreading in there... I hate this stuff, it's such a pain to make sure nothing worse happened, especially with IoT devices...

https://blog.avast.com/adobe-acrobat-sign-malware Potentially this, it’s very well executed. 


6 minutes ago, A_Button117 said:

The good news is YouTube should be able to put things right back to the way they were. Of course I'm sure they have lost subs before being taken down. This also probably affects their upload schedule they set for the week. 

Honestly this will probably be a net positive for them in the end. LTT is big enough that I am sure they are getting expedited help in restoring the channel, so I doubt it will take more than a day. Not only that, but now they get to talk about getting hacked in a video or on the WAN Show, which I am sure will perform well.


3 minutes ago, Moortu said:

Perhaps not

I doubt just anyone can log in and upload videos.

So they can narrow it down to the computers of people that are able to log in.

Probably only needed to flip one workstation and use it as a proxy so the requests kept on coming from the same IP address (thus not flagging the need for MFA) 


7 minutes ago, TheTripleDeuce said:

2FA is fine... unless you use text message 2FA... Linus has been hacked through his mobile carrier in the past...

Linus is smart enough to not currently be using SMS for 2FA. Give him SOME credit.


Just now, LightJack05 said:

Interesting... You got a more technical link to that so I can dive into the code or something? Might fire up a Remnux if you can get me a sample. 😅

https://securityscorecard.com/research/detailed-analysis-redline-stealer/ A detailed analysis that I shared earlier, it’s pretty comprehensive, if you want to play with one you can find it yourself I’m sure. 


Just now, wordloc said:

Probably only needed to flip one workstation and use it as a proxy so the requests kept on coming from the same IP address (thus not flagging the need for MFA) 

Yeah could also be a session token stealer or something. That would allow the user to stay authenticated... Although, I think more widespread changes would require 2FA authentication, right?


Just now, LightJack05 said:

Yeah could also be a session token stealer or something. That would allow the user to stay authenticated... Although, I think more widespread changes would require 2FA authentication, right?

Depends on the changes. Reasonably it should, and if it didn't then that's Google/YT's fault.

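The stolen-session scenario wordloc and LightJack05 are discussing above (a session cookie replayed from a proxy on the victim's workstation or from the attacker's own box, never hitting the MFA prompt), as an added example that is not from this thread or from YouTube: a server-side check that binds each session token to the client context it was first seen from and forces step-up MFA or revocation when that context drifts. All event data, action names and addresses are constructed.

```python
from dataclasses import dataclass

# Actions the thread argues "should" force a fresh MFA check (constructed set).
SENSITIVE_ACTIONS = {"change_channel_name", "delete_video", "mass_upload"}

@dataclass
class Event:
    token: str        # session cookie value (constructed, opaque)
    ip: str
    user_agent: str
    action: str

@dataclass
class SessionState:
    ip: str
    user_agent: str
    revoked: bool = False

def evaluate(events, sessions=None):
    """Return (token, action, decision) per event: "allow"; "step_up_mfa" for a
    sensitive action from a client whose IP or User-Agent differs from the one
    the token was bound to; "revoke" when both differ (and ever after)."""
    sessions = {} if sessions is None else sessions
    out = []
    for e in events:
        s = sessions.get(e.token)
        if s is None:  # first sight: bind the token to this client context
            sessions[e.token] = SessionState(e.ip, e.user_agent)
            out.append((e.token, e.action, "allow"))
            continue
        drift = (s.ip != e.ip) + (s.user_agent != e.user_agent)
        if s.revoked or drift == 2:  # replay from another client: kill the token
            s.revoked = True
            out.append((e.token, e.action, "revoke"))
        elif drift == 1 and e.action in SENSITIVE_ACTIONS:
            out.append((e.token, e.action, "step_up_mfa"))
        else:
            out.append((e.token, e.action, "allow"))
    return out

# Constructed sample: tok-A is the victim's session. Event 2 is the "proxy via
# the victim's workstation" case (same IP, different client), event 3 a replay
# from the attacker's own machine, event 5 an unrelated user changing settings.
SAMPLE_EVENTS = [
    Event("tok-A", "203.0.113.10", "Mozilla/5.0 Chrome/111", "view_dashboard"),
    Event("tok-A", "203.0.113.10", "python-requests/2.28", "change_channel_name"),
    Event("tok-A", "198.51.100.7", "curl/7.88", "mass_upload"),
    Event("tok-A", "203.0.113.10", "Mozilla/5.0 Chrome/111", "view_dashboard"),
    Event("tok-B", "192.0.2.5", "Mozilla/5.0 Firefox/110", "delete_video"),
]
```

If the attacker tunnels through the victim's machine and also copies the browser's User-Agent, drift is zero and neither rule fires; that gap is why the thread's expectation that sensitive channel changes always demand a fresh MFA prompt is the stronger control.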

1 minute ago, Drazil100 said:

Linus is smart enough to not currently be using SMS for 2FA. Give him SOME credit.

LTT got hacked a few years ago, and exactly that was the cause. They def don't use it now, they have stated that they don't.

“Remember to look up at the stars and not down at your feet. Try to make sense of what you see and wonder about what makes the universe exist. Be curious. And however difficult life may seem, there is always something you can do and succeed at. 
It matters that you don't just give up.”

-Stephen Hawking


2 minutes ago, Mihle said:

LTT got hacked a few years ago, and exactly that was the cause. They def don't use it now, they have stated that they don't.

That's why I specified "currently" xD


5 minutes ago, wordloc said:

https://securityscorecard.com/research/detailed-analysis-redline-stealer/ A detailed analysis that I shared earlier, it’s pretty comprehensive, if you want to play with one you can find it yourself I’m sure. 

OK, so the downloaded ZIP file just straight up contains the .NET assembly/.exe file? I question that people would fall for that... Also, are you sure Defender wouldn't catch that? Even if it is 400+MB?


1 hour ago, Datanerdje said:

2FA is a scam/hack to get your location and ID better verified. It's an exploit and doesn't contribute to security at all. As a matter of fact, your personal security is even worse.

Let me guess, you're wearing your tinfoil hat and reading a book on conspiracies.

2FA is still streets ahead of password123.


7 minutes ago, wordloc said:

https://securityscorecard.com/research/detailed-analysis-redline-stealer/ A detailed analysis that I shared earlier, it’s pretty comprehensive, if you want to play with one you can find it yourself I’m sure. 

Careful, some are so smart they sort of know how to cheat virtual boxes by showing a popup that seems real, and if you click it they can execute outside of the virtual box.


Yeah, they definitely don't use SMS 2FA, that is very risky nowadays due to SIM swapping abuse at carriers.

n3ptune_cpu

2 minutes ago, LightJack05 said:

OK, so the downloaded ZIP file just straight up contains the .NET assembly/.exe file? I question that people would fall for that... Also, are you sure Defender wouldn't catch that? Even if it is 400+MB?

I don't know if Defender has updated to check for recent changes.

https://www.socinvestigation.com/redline-stealer-returns-with-new-ttps-detection-response/


13 minutes ago, QuantumSingularity said:

Hacking LTT to promote BitCoin via Elon Musk ??!?!?! 🤣🤣

It's like hacking HardwareUnboxed and promoting Nvidia and their politics and business model. 

This truly is peak irony right there. Of all the channels that could've had any success with that stuff, they chose exactly the one where 99% of the people are ready to publicly lynch miners and crypto traders. I still can't stop laughing.

I don't think the hackers care. They just want a channel with tons of subscribers so they can blast their scam out there.

If your question is answered, mark it so.  | It's probably just coil whine, and it is probably just fine |   LTT Movie Club!

Read the docs. If they don't exist, write them. | Professional Thread Derailer

Desktop: i7-8700K, RTX 2080, 16G 3200Mhz, EndeavourOS(host), win10 (VFIO), Fedora(VFIO)

Server: ryzen 9 5900x, GTX 970, 64G 3200Mhz, Unraid.

1 minute ago, LightJack05 said:

OK, so the downloaded ZIP file just straight up contains the .NET assembly/.exe file? I question that people would fall for that... Also, are you sure Defender wouldn't catch that? Even if it is 400+MB?

They actually make the files huge so that they can't be uploaded to VirusTotal and it takes a while to scan with a virus scanner.

It can even go as far as to not have any bad code at first, but it downloads it later. So when it is first scanned, the virus scan will not find anything.
