Linus Tech Tips, Tech Quickie, Tech Linked channels hacked

betav17
Message added by Spotty,

The Linus Tech Tips, TechLinked, and TechQuickie Youtube channels have been restored.

A video explaining what happened is now up:

If y'all are interested in RedLine stealers, which this probably was, I'd recommend reading:

https://securityscorecard.com/research/detailed-analysis-redline-stealer/ - analysis of how they work

https://blog.avast.com/adobe-acrobat-sign-malware - latest known vector, using legitimate Adobe software to proliferate it (17/03/2023)


4 hours ago, ramm said:

How the hell does this even happen to something like Linus Tech Tips? Was your password like qwerty123 or something?

Well, malware can happen to anyone. Big YouTube creators are big targets. I guess there are some security lessons that LTT can learn here though. Possibly there was some account sharing going on rather than separate account roles for different staff members. Almost certainly they didn't use hardware security keys as a second authentication factor for people who can do serious modifications on their channels. YouTube, unlike a lot of social media companies (cough, Instagram, Twitter, cough), does provide decent tools for companies running a brand account to do it securely. Just from what I've seen in their videos, LTT seems to cut corners because they think that the company being highly computer literate obviates the need for a dedicated IT person/department, which has bitten them in the arse several times already. Hopefully this incident will spur them to make some changes in that area.


I think this is what happened:

- a manager or employee at LTT was searching to download something
- a Google ad was placed on top of the search results with "the download link"
- this "download link" claims to be legit, however it's actually RedLine stealer
- they copy the site and also abuse the Discord CDN to distribute the links
- probably that person downloaded it and ran it
- so now LTT has RedLine on one of their systems, which allows access to the entire channels and accounts

It isn't surprising that it's all Tesla crap, since these kinds of hackers use RedLine to do the exact same thing. I myself got affected by this.

 

n3ptune_cpu


18 minutes ago, sombradirectory said:

I think we did good... ?

Not really surprised; LTT subs on FP have gone up by over 1000 in the last 2 hrs alone. Not sure what impact it has on non-LTT creators, presumably only the backend issues.


1 minute ago, jeevesmkii said:

Well, malware can happen to anyone. Big YouTube creators are big targets. I guess there are some security lessons that LTT can learn here though. Possibly there was some account sharing going on rather than separate account roles for different staff members. Almost certainly they didn't use hardware security keys as a second authentication factor for people who can do serious modifications on their channels. YouTube, unlike a lot of social media companies (cough, Instagram, Twitter, cough), does provide decent tools for companies running a brand account to do it securely. Just from what I've seen in their videos, LTT seems to cut corners because they think that the company being highly computer literate obviates the need for a dedicated IT person/department, which has bitten them in the arse several times already. Hopefully this incident will spur them to make some changes in that area.

I doubt this was a malware hack; this is VERY familiar to the common social engineering compromises that have happened with other YouTubers.


1 hour ago, LinusTech said:

Thanks for the concern everyone. We are still in recovery mode over here and working with YouTube to get everything restored. Will hopefully have a video (or at least an update on WAN Show) to share with you all ASAP, but we want to make sure we get the details right since smaller channels may rely on our experience to help harden their own security.

I do not envy the day you must be having. Deep breaths, Linus.


4 minutes ago, n3ptune_cpu said:

I think this is what happened:

- a manager or employee at LTT was searching to download something
- a Google ad was placed on top of the search results with "the download link"
- this "download link" claims to be legit, however it's actually RedLine stealer
- they copy the site and also abuse the Discord CDN to distribute the links
- probably that person downloaded it and ran it
- so now LTT has RedLine on one of their systems, which allows access to the entire channels and accounts

It isn't surprising that it's all Tesla crap, since these kinds of hackers use RedLine to do the exact same thing. I myself got affected by this.

 

nep nep nepu


Very sad.

I wish all the best to LTT and hope that it won't take too long until the channel is up and running again!


1 minute ago, SNeel said:

Very sad.

I wish all the best to LTT and hope that it won't take too long until the channel is up and running again!

The good news is YouTube should be able to put things right back to the way they were. Of course, I'm sure they have lost subs before being taken down. This also probably affects the upload schedule they set for the week.


So why are LMG Clips, They're Just Movies, Mac Address, and Channel Super Fun still up? They'd all be under one account, like it seems the other ones were.


5 minutes ago, n3ptune_cpu said:

I think this is what happened:

- a manager or employee at LTT was searching to download something
- a Google ad was placed on top of the search results with "the download link"
- this "download link" claims to be legit, however it's actually RedLine stealer
- they copy the site and also abuse the Discord CDN to distribute the links
- probably that person downloaded it and ran it
- so now LTT has RedLine on one of their systems, which allows access to the entire channels and accounts

It isn't surprising that it's all Tesla crap, since these kinds of hackers use RedLine to do the exact same thing. I myself got affected by this.

 

Highly unlikely scenario. 


8 minutes ago, wordloc said:

If y'all are interested in RedLine stealers, which this probably was, I'd recommend reading:

https://securityscorecard.com/research/detailed-analysis-redline-stealer/ - analysis of how they work

https://blog.avast.com/adobe-acrobat-sign-malware - latest known vector, using legitimate Adobe software to proliferate it (17/03/2023)

An Adobe vector? That's not good.


I'm going to guess that it's a cookie hijacking event. YouTube really could have shut down the majority of these cases if they linked auth with IP and required 2FA when changing any important settings (like passwords, channel name, icons).

The best way to stop scammers on a platform like YouTube: make it so the effort required is more than what can be made.

Any word on whether or not this forum might have been compromised? Once this is resolved, I still will probably change up my password as a precaution.

Well, hopefully this is just cookie hijacking and not a virus, although it does beg the question: when they have tons of computers, why not have a more dedicated PC (or PCs) to do all the YouTube portion, where no one is allowed to open emails, click on links etc., just only YouTube stuff, and have it walled off from the rest of the network (or rather it can access SMB and other components, but it effectively denies all inbound connections). This would have prevented something like this from happening, and if made correctly I doubt it would impose that much of a workflow bottleneck.

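A defender-side sketch of the two controls the post above asks for (a session bound to the client context it was issued in, and a fresh second factor before any sensitive settings change), as an added Python example that is not from this thread or from YouTube; the action names, the 300-second step-up window and the request fields are assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass

# Actions that can lock the real owner out; names are assumed for the example.
SENSITIVE_ACTIONS = {"change_password", "change_email", "change_channel_name",
                     "change_channel_icon", "change_2fa"}
STEP_UP_WINDOW = 300  # seconds a fresh second-factor check stays valid (assumed)


@dataclass
class Session:
    user: str
    ip: str          # client address at login
    ua_hash: str     # hash of the User-Agent at login
    last_2fa: float  # time of the most recent second-factor verification


def fingerprint(user_agent: str) -> str:
    return hashlib.sha256(user_agent.encode()).hexdigest()


class SessionStore:
    """In-memory session table standing in for a server-side session backend."""

    def __init__(self):
        self._sessions = {}

    def login(self, user, ip, user_agent, now):
        # 2FA happens at login, so the session starts with a fresh second factor.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, ip, fingerprint(user_agent), now)
        return token

    def record_2fa(self, token, now):
        self._sessions[token].last_2fa = now

    def authorize(self, token, action, ip, user_agent, now):
        """Decide whether a request bearing `token` may perform `action`."""
        s = self._sessions.get(token)
        if s is None:
            return False, "no session"
        # A copied cookie presented from another machine fails the binding
        # check; the session is revoked so the original browser must log in again.
        if s.ip != ip or s.ua_hash != fingerprint(user_agent):
            del self._sessions[token]
            return False, "client context changed: session revoked"
        # Even a correctly bound session must re-prove the second factor for
        # settings changes once the last verification is stale.
        if action in SENSITIVE_ACTIONS and now - s.last_2fa > STEP_UP_WINDOW:
            return False, "step-up 2FA required"
        return True, "ok"
```

Hard IP binding is the strict form the post suggests; because phone and laptop users change addresses routinely, many services treat an address change as a trigger for step-up verification rather than immediate revocation.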

Just now, linuxlover98 said:

So why are LMG Clips, They're Just Movies, Mac Address, and Channel Super Fun still up? They'd all be under one account, like it seems the other ones were.

I would think that all accounts are separate and the software got on 1 or 2 computers, not the whole network.


LMG's biggest headache is now they can't trust any of the computers on their network until they run basically a deep check on everything. That's the real headache that comes with this.


22 minutes ago, LaroTayoGaming said:

The Tesla hack happens with a lot of YouTubers. Hopefully YouTube resolves the issue (which in most cases is cookie jacking) as much as possible.

Not gonna lie, password, email and 2FA auth changes need to be enforced by default as always, to not get changed by bots.

Also, I wanna recommend the whole ThioJoe video on how RedLine stealers work.

Sorry this happened, Linus. My best friend for life and I have been watching you to unwind when we don't want to study IT directly. I appreciate all you do and I hope to see your accounts restored and an influx of new viewers and subs for support.


1 minute ago, Taf the Ghost said:

An Adobe vector? That's not good.

Exactly; if it's only been known about for a week, it's probably been around for a few weeks/couple of months. LMG doesn't have the resources to keep someone on top of this, so it's not exactly surprising if that's how. Especially since they're posing as a copyright infringement notice. Who wouldn't click on that as a YouTube creator when it's obviously delivered by Adobe?


Just now, Jumurdzsak said:

Yo LMG Team,
By any chance would you consider uploading this react video somewhere else as well? 

Good luck with getting everything back into order.

It's not a video, it's just a text message. A copy is pinned to the top of this page if you would like to read it.


7 minutes ago, TheTripleDeuce said:

I doubt this was a malware hack; this is VERY familiar to the common social engineering compromises that have happened with other YouTubers.

LTT uses 2FA, which means it pretty much would have had to be someone running a piece of malware (having their cookie sessions stolen).

Although then again, malware really is sort of a catch-all term; there are ones that steal sessions all the way to ones that propagate through the system (those ones are the worst to deal with because you need to figure out the scope in which it could have spread).


Y'all need to realize it was a social engineering attack; the signs are EVERYWHERE.


1 minute ago, Jumurdzsak said:

Yo LMG Team,
By any chance would you consider uploading this react video somewhere else as well? 

Good luck with getting everything back into order.

The content of the video is summarized at the top of this forum post; please go to page 1.

Seems like it aligns with what happened. Also concerning if they have/had remote access to an LTT asset.


1 minute ago, wanderingfool2 said:

LTT uses 2FA, which means it pretty much would have had to be someone running a piece of malware (having their cookie sessions stolen).

Although then again, malware really is sort of a catch-all term; there are ones that steal sessions all the way to ones that propagate through the system (those ones are the worst to deal with because you need to figure out the scope in which it could have spread).

2FA is fine... unless you use text message 2FA... Linus has been hacked through his mobile carrier in the past...
