
Linus Tech Tips, Tech Quickie, Tech Linked channels hacked

betav17
Message added by Spotty,

The Linus Tech Tips, TechLinked, and TechQuickie Youtube channels have been restored.

A video explaining what happened is now up:

 

 

Have to wonder if they will now ban zip files at LMG, I haven't been able to send or receive zip files for a few years where I work because of this method of attack. Is there still a legitimate reason to send something like an NDA encased in an encrypted zip file?

 

Also have to wonder if it was a new PC that was set up and still had the default settings where Windows hides the extensions. Of course if you know about this type of attack and still have default Windows settings you would see the fake extension and that would be a clue that something isn't right. If you see .pdf it would be a flag that it's probably .pdf.scr or some other extension that can run quietly in the background.

 

 


44 minutes ago, NvidiaFirePro6900XXTX3DPRO said:

Linus explained how their security was compromised, by letting the hackers get access to the session token, but then after all the damage that was done, like mass deleting videos and making unlisted or private videos public, and then later their channels getting terminated, how did they get it running back again with all videos in place, with no damage done? Like nothing had ever happened before.

Merged to megathread. Please use this one thread for discussion that is directly related to what happened.

^^^^ That's my post ^^^^
<-- This is me --- That's your scrollbar -->
vvvv Who's there? vvvv


The reason why there is no place 

1 hour ago, leadeater said:

One of the metrics our MFA and authentication looks at is "impossible travel". If a user's location information drastically changes and it's unrealistic it could be legitimate travel then you get forced to re-auth and do MFA. But of course YouTube doesn't offer this far as I know.

That wouldn't exactly help with the simple use of a VPN. There just has to be a simple Lockdown function like on my ancient P30 Pro Huawei phone where you lock everything related to your account. All session tokens are destroyed and all autofill history is nuked. 

| Ryzen 7 5800X3D | Arctic Liquid Freezer II 360 Rev 7| AsRock X570 Steel Legend |

| 4x16GB G.Skill Trident Z Neo 4000MHz CL16 | Sapphire Nitro+ RX 6900 XT | Seasonic Focus GX-1000|

| 512GB A-Data XPG Spectrix S40G RGB | 2TB A-Data SX8200 Pro| Phanteks Eclipse G500A |


5 hours ago, hazeyez said:

Anyone have an idea of what malware it was? Could have been "AgentTesla." I wish LTT shared the file hash or even the file for security researchers. @LinusTech John Hammond commented on your YT video, he'd like a copy of the file for research. It'd be a cool collab for you two. 

 

I was thinking this very thing, I coincidentally watched his Google hack example video in the morning, a couple of hours before I saw the LTT hack news.


The real question this entire situation begs: How crazy is it that a wildly successful organization like LMG is entirely dependent on a sh*tty company like YT/Google?

 

Willing to bet 90% of the channels that get taken over by similar hacks are gone forever because the original creators can't get an answer from YT/Google because they don't "rate" high enough on the money scale.


In Linus' most recent video, he mentions that someone opened a zip file and extracted a PDF. Either extracting the zip or opening the PDF hacked Colton's computer, but I was wondering if anyone has any details on the exact vulnerability that might have been exploited. There was a 7z escalation issue last year but that one seems to involve the help system. Not sure how opening a zip or opening a PDF could launch malware on a computer.


56 minutes ago, QuantumSingularity said:

The reason why there is no place 

That wouldn't exactly help with the simple use of a VPN. There just has to be a simple Lockdown function like on my ancient P30 Pro Huawei phone where you lock everything related to your account. All session tokens are destroyed and all autofill history is nuked. 

in that event you do the following

you assign trust levels to the authentication token

as variables change such as time logged in and IP address you demote the trust level until the token is no longer trusted

 

additionally, rather than immediately logging the client out and requiring a re-auth with 2FA

demoting the trust level could also impact other things like your access to specific functions like unlisting videos or changing privileged channel attributes

 

additionally you can simply just do an A-B comparison between two IPs and void the token if the IP changes from A to B

 

also getting a list of known IP ranges for a given ISP is trivial

 

there is no reason for this not to be patched and it should have been patched the very first time it was seen by Google

 

No excuse. None, nada. An inexcusable bug is inexcusable.
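A toy model of the trust-demotion scheme proposed above, folding in leadeater's "impossible travel" idea and the ISP-range comparison. This is an added example, not code from the thread or from YouTube/Google; the ISP range table, the action names and MAX_AGE_SECONDS are constructed assumptions.

```python
"""Session-token trust demotion as sketched in the post above (added example,
not code from the thread or from YouTube/Google). Trust starts FULL when the
token is minted; an IP change within the same ISP demotes one level, a change
across ISPs voids the token outright, and age beyond MAX_AGE_SECONDS demotes
once more. Privileged actions need FULL, ordinary ones REDUCED, NONE = re-auth."""
from enum import IntEnum
import ipaddress

class Trust(IntEnum):
    NONE = 0      # token void: client must log in again with 2FA
    REDUCED = 1   # ordinary actions only
    FULL = 2      # privileged channel actions allowed

# Hypothetical ISP range table (constructed, documentation-only prefixes).
ISP_RANGES = {
    "isp-a": [ipaddress.ip_network("203.0.113.0/24")],
    "isp-b": [ipaddress.ip_network("198.51.100.0/24")],
}
PRIVILEGED_ACTIONS = {"unlist_video", "delete_video", "change_channel_attributes"}
MAX_AGE_SECONDS = 12 * 3600  # assumed session lifetime before the first demotion

def isp_for(ip: str):
    addr = ipaddress.ip_address(ip)
    for name, nets in ISP_RANGES.items():
        if any(addr in net for net in nets):
            return name
    return None  # unknown network is treated as a different ISP

class SessionToken:
    def __init__(self, issued_ip: str, issued_at: int):
        self.issued_ip = self.last_ip = issued_ip
        self.issued_at = issued_at
        self.trust = Trust.FULL
        self.aged = False          # age demotion is applied only once
        self.log: list[str] = []

    def _demote(self, reason: str) -> None:
        self.trust = Trust(max(int(self.trust) - 1, 0))
        self.log.append(f"{reason}: trust now {self.trust.name}")

    def observe(self, ip: str, now: int) -> Trust:
        # Re-evaluate trust for a request arriving from `ip` at time `now`.
        if self.trust == Trust.NONE:
            return self.trust
        if ip != self.last_ip:
            same_isp = isp_for(ip) is not None and isp_for(ip) == isp_for(self.issued_ip)
            if same_isp:
                self._demote(f"ip moved {self.last_ip} -> {ip} within one ISP")
            else:
                self.trust = Trust.NONE
                self.log.append(f"ip moved {self.last_ip} -> {ip} across ISPs: token voided")
            self.last_ip = ip
        if not self.aged and now - self.issued_at > MAX_AGE_SECONDS:
            self.aged = True
            self._demote("token older than MAX_AGE_SECONDS")
        return self.trust

    def allow(self, action: str) -> bool:
        # Privileged actions need FULL trust; everything else needs at least REDUCED.
        needed = Trust.FULL if action in PRIVILEGED_ACTIONS else Trust.REDUCED
        return self.trust >= needed
```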


14 minutes ago, ottawahacker said:

In Linus' most recent video, he mentions that someone opened a zip file and extracted a PDF. Either extracting the zip or opening the PDF hacked Colton's computer, but I was wondering if anyone has any details on the exact vulnerability that might have been exploited. There was a 7z escalation issue last year but that one seems to involve the help system. Not sure how opening a zip or opening a PDF could launch malware on a computer.

- Nobody said who it was

 

- Malicious or disguised PDF, see 

 

 

F@H
Desktop: i9-13900K, ASUS Z790-E, 64GB DDR5-6000 CL36, RTX3080, 2TB MP600 Pro XT, 2TB SX8200Pro, 2x16TB Ironwolf RAID0, Corsair HX1200, Antec Vortex 360 AIO, Thermaltake Versa H25 TG, Samsung 4K curved 49" TV, 23" secondary, Mountain Everest Max

Mobile SFF rig: i9-9900K, Noctua NH-L9i, Asrock Z390 Phantom ITX-AC, 32GB, GTX1070, 2x1TB SX8200Pro RAID0, 2x5TB 2.5" HDD RAID0, Athena 500W Flex (Noctua fan), Custom 4.7l 3D printed case

 

Asus Zenbook UM325UA, Ryzen 7 5700u, 16GB, 1TB, OLED

 

GPD Win 2


11 minutes ago, ottawahacker said:

Not sure how opening a zip or opening a PDF could launch malware on a computer.

While PDF files can be used to run malicious scripts, it was likely a malicious executable file that was disguised as a PDF file.

 

The video @Kilrah posted above from ThioJoe gives a good explanation of how these types of attacks typically occur.

CPU: Intel i7 6700k  | Motherboard: Gigabyte Z170x Gaming 5 | RAM: 2x16GB 3000MHz Corsair Vengeance LPX | GPU: Gigabyte Aorus GTX 1080ti | PSU: Corsair RM750x (2018) | Case: BeQuiet SilentBase 800 | Cooler: Arctic Freezer 34 eSports | SSD: Samsung 970 Evo 500GB + Samsung 840 500GB + Crucial MX500 2TB | Monitor: Acer Predator XB271HU + Samsung BX2450


14 minutes ago, ottawahacker said:

In Linus' most recent video, he mentions that someone opened a zip file and extracted a PDF. Either extracting the zip or opening the PDF hacked Colton's computer, but I was wondering if anyone has any details on the exact vulnerability that might have been exploited. There was a 7z escalation issue last year but that one seems to involve the help system. Not sure how opening a zip or opening a PDF could launch malware on a computer.

Just now, Spotty said:

While PDF files can be used to run malicious scripts, it was likely a malicious executable file that was disguised as a PDF file.

 

The video @Kilrah posted above from ThioJoe gives a good explanation of how these types of attacks typically occur.

The tl;dr of the video though:

an attacker can name a file "sponsorship_ann[unicode char]fdp.exe" and Explorer displays that file as "sponsorship_annexe.pdf". They set the custom icon to a PDF icon. So for all intents and purposes it looks like a PDF file.

 

The reason for zip files though is because emails usually block exe, ps, bat, vbs etc. files. Zips usually aren't blocked (and not all email servers can scan zip files for malicious files).

3735928559 - Beware of the dead beef
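A defender-side check for the filename trick described in the post above, and for the zip-as-carrier point: it renders what a bidi-aware file manager would show, compares that against the true extension, and lists the names inside an archive without extracting anything. This is an added example, not code from the thread, from ThioJoe's video or from LMG; the extension lists are my own and the sample archive is constructed here, not the file from the incident.

```python
"""Detect attachment names that disguise an executable as a document (the
RLO trick and double extensions discussed above). Added example, not code
from the thread or from LMG; the sample archive is constructed here."""
import io
import unicodedata
import zipfile

EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jse",
                   "ps1", "msi", "hta", "lnk"}   # assumed list, extend as needed
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
RLO, PDF = "\u202e", "\u202c"  # RIGHT-TO-LEFT OVERRIDE, POP DIRECTIONAL FORMATTING

def strip_controls(s: str) -> str:
    """Remove Unicode format characters (category Cf: bidi controls, ZWSP, ...)."""
    return "".join(c for c in s if unicodedata.category(c) != "Cf")

def rendered_name(name: str) -> str:
    """Approximate what a bidi-aware file manager shows: text after an RLO is
    drawn reversed until a PDF or the end of the string; other controls vanish."""
    head, _, tail = name.partition(RLO)
    tail, _, rest = tail.partition(PDF)
    return strip_controls(head) + strip_controls(tail)[::-1] + strip_controls(rest)

def extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def analyse_filename(name: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    controls = sorted({f"U+{ord(c):04X}" for c in name if unicodedata.category(c) == "Cf"})
    if controls:
        findings.append("invisible control characters: " + ", ".join(controls))
    real = strip_controls(name)
    real_ext, shown_ext = extension(real), extension(rendered_name(name))
    if real_ext in EXECUTABLE_EXTS:
        findings.append(f"true extension .{real_ext} is executable")
        if shown_ext != real_ext:
            findings.append(f"but displays as .{shown_ext}: {rendered_name(name)!r}")
        parts = real.lower().split(".")
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
            findings.append(f"double extension .{parts[-2]}.{parts[-1]}")
    return findings

def scan_zip(data: bytes) -> dict[str, list[str]]:
    # Inspect every entry name in an archive without extracting anything.
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        report = {}
        for info in zf.infolist():
            findings = analyse_filename(info.filename)
            if info.flag_bits & 0x1:  # encrypted entry: content cannot be scanned
                findings.append("entry is encrypted; content not scannable")
            report[info.filename] = findings
        return report

def build_sample_zip() -> bytes:
    # Constructed sample: one RLO-disguised name and one ordinary PDF name.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"sponsorship_ann{RLO}fdp.exe", b"placeholder bytes, not a program")
        zf.writestr("Brief.pdf", b"%PDF-1.4 placeholder")
    return buf.getvalue()
```

Running `scan_zip(build_sample_zip())` flags only the first entry, with the control character, the true `.exe` extension and the `.pdf` it would display as.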


4 minutes ago, Spotty said:

While PDF files can be used to run malicious scripts, it was likely a malicious executable file that was disguised as a PDF file.

 

The video @Kilrah posted above from ThioJoe gives a good explanation of how these types of attacks typically occur.

this is why you have protected mode and Windows SmartScreen/Defender enabled. SmartScreen is designed to catch exactly these cases, including filename tricks involving blank or unicode chars

 

and do you know for sure it was a pdf.exe or zip.exe, or was it executable code in a perfectly normal PDF (this is a thing and it's literally why Acrobat Reader has protected mode)


2 hours ago, Spotty said:

I find it hard to believe that you would be going about your day, receive an email from somebody you believed was a business associate with a file attachment you were expecting, download the file then proceed to stop all the work you are doing to log out of all of your accounts and clear cookies before opening the attachment.

Even if you did that as soon as you log back in to those services to resume your work the malware could still be running in the background grabbing those session tokens (even if you think you removed it from the system).

 

If you were that concerned about this type of attack you would simply just use a separate machine or VM to open the attachment, which is far more user friendly than logging out of all of your accounts every time you want to open a file (which you might do hundreds of times throughout the day).

Just use a virtual machine dedicated to opening the attachments

A PC Enthusiast since 2011
AMD Ryzen 7 5700X@4.65GHz | GIGABYTE GTX 1660 GAMING OC @ Core 2085MHz Memory 5000MHz
Cinebench R23: 15669cb | Unigine Superposition 1080p Extreme: 3566

4 minutes ago, Legitsu said:

and do you know for sure it was a pdf.exe or zip.exe, or was it executable code in a perfectly normal PDF (this is a thing and it's literally why Acrobat Reader has protected mode)

I don't. Just speculation based on what is known about other similar attacks. I don't know any more about the file than what was included in the LTT video, which just says they opened a PDF (or what they thought was a PDF).

CPU: Intel i7 6700k  | Motherboard: Gigabyte Z170x Gaming 5 | RAM: 2x16GB 3000MHz Corsair Vengeance LPX | GPU: Gigabyte Aorus GTX 1080ti | PSU: Corsair RM750x (2018) | Case: BeQuiet SilentBase 800 | Cooler: Arctic Freezer 34 eSports | SSD: Samsung 970 Evo 500GB + Samsung 840 500GB + Crucial MX500 2TB | Monitor: Acer Predator XB271HU + Samsung BX2450


46 minutes ago, wanderingfool2 said:

The reason for zip files though is because emails usually block exe, ps, bat, vbs etc. files. Zips usually aren't blocked (and not all email servers can scan zip files for malicious files).

There is usually also some social engineering where the zip is labeled as sensitive or private information and they use a password protected zip file.  Using an encrypted zip gets through any scanning during delivery of the email.


how is this forum now? is this forum having some issues too or still something to iron out?


3 hours ago, leadeater said:

If you seriously expect and think employees should and will "delete cookies" several times a day then you are way out of touch and also have extremely unrealistic expectations. Cookies are not themselves even the problem, shoddy systems that allow these to be misused are.

 

If I suspect an email is potentially not legitimate I go look at the headers and verify that way. I will never expect any normal person to do this, not ever. No amount of training someone will change that for me. I do it because such things are part of my job and I'm used to it; this will never be the case for a video editor and business relationship manager.

 

Employee time has a very real cost, burdening them and wasting their time with cumbersome ineffective processes will in the long run cost more than 24 hours of business outage.

 

There is never one thing that is the solution, user education and training is obviously important but there are many other things that are important too.

If only the cookies were white chocolate chip with macadamia nuts, I'd delete all the cookies my boss wanted me to delete.

 

But seriously, I agree 100%. I mean, sure, you could pay an employee to delete cookies off his computer all day, or you could pay him to do actual work. I've worked in environments where they constantly added more and more of these little additional repetitive steps for the employees without reducing other tasks. In the end, you end up with a bunch of stressed out employees who can't get much done.

 

On the other hand I've seen where something like safety or security gets taken very seriously and everyone gets trained to take all these additional repetitive steps, but they're not expected to get as much work done as if they didn't have to take all these extra measures. That can work just fine when implemented correctly.

 

But seeing how Linus and his team were able to get everything back up and running in such short time I don't see how forcing a bunch of extra repetitive steps is at all necessary. Sure, it could help prevent something like this from happening. But at the end of the day, Linus needs writers, camera crews, editors and engineers, not a bunch of constant cookie deleters that carry around notebooks of passwords so they can log back in every few minutes.


55 minutes ago, Spotty said:

I don't. Just speculation based on what is known about other similar attacks. I don't know any more about the file than what was included in the LTT video, which just says they opened a PDF (or what they thought was a PDF).

Would be interesting to know the details. Opening a PDF per se shouldn't cause these issues; the PDF reader might say it is an invalid file, but there has to be more to it to install the malware. Did the actual file bypass protected mode/protected view, or did the staff have that disabled?


also more added security risks with hardware too. Think about the memory or storage you could have on your mouse or keyboard.

So even with a VM for different tasks/workspaces, it's all connected. Or in short, there are more ways to get fucked nowadays with many weak links, not to be wacist or anything.


23 minutes ago, Quackers101 said:

how is this forum now? is this forum having some issues too or still something to iron out?

Forums were not directly affected by hacks at any point. The hack only targeted 3 main YouTube channels. Not even related Google accounts were affected.

 

The hiccups of today have been rather normal and probably due to spikes in traffic while the service provider tries to guess how much lane they need to allocate to each hosted site.

 

The downtime yesterday as well as issues with Floatplane registration, payments and video downloads were due to abnormally high traffic and hits. Which, in turn, was caused by viewers coming to discuss or show support.

Edited by LogicalDrm

^^^^ That's my post ^^^^
<-- This is me --- That's your scrollbar -->
vvvv Who's there? vvvv


Sure are a lot of people with "solutions" that would have prevented this only with perfect 20/20 hindsight, and I guarantee these "solutions" are not in practice by anyone suggesting them...

🌲🌲🌲

 

 

 

◒ ◒ 


1 minute ago, Arika S said:

Sure are a lot of people with "solutions" that would have prevented this only with perfect 20/20 hindsight, and I guarantee these "solutions" are not in practice by anyone suggesting them...

Oh, not looking for solutions here but rather understanding the root issue to figure out how to mitigate that. Linus mentions some cybersecurity training but I'm wondering, besides the usual phishing stuff, what kind of advice should be given. You can't ask ppl not to open zip files with PDFs inside (btw that scenario should not break a computer).


That's why Linus said they were working with Google on that.

 

Malicious attachments and phishing will always work in some percentage of cases; it's basically a given and well known, so extra measures need to exist so that something that simple can't have such a wide impact in cases where misuse is rather obvious.

F@H
Desktop: i9-13900K, ASUS Z790-E, 64GB DDR5-6000 CL36, RTX3080, 2TB MP600 Pro XT, 2TB SX8200Pro, 2x16TB Ironwolf RAID0, Corsair HX1200, Antec Vortex 360 AIO, Thermaltake Versa H25 TG, Samsung 4K curved 49" TV, 23" secondary, Mountain Everest Max

Mobile SFF rig: i9-9900K, Noctua NH-L9i, Asrock Z390 Phantom ITX-AC, 32GB, GTX1070, 2x1TB SX8200Pro RAID0, 2x5TB 2.5" HDD RAID0, Athena 500W Flex (Noctua fan), Custom 4.7l 3D printed case

 

Asus Zenbook UM325UA, Ryzen 7 5700u, 16GB, 1TB, OLED

 

GPD Win 2


it also works when given no good details about the content.

how many email services make it harder to find out the address, the links, adding bullshit to links making a lot unreadable, or as previously shortened/redirection links.

when there is so much crap or spam added, it's hard to know what is what, where legit stuff might feel as unsafe as the attackers'. doesn't help that this will just grow worse, and as seen with apps too, where one can have a hard time trusting any app unless it's blown up and you just believe in it. A bit like VPNs and message apps, and so on.

 

but I guess that stuff like this might seem a little interesting, although not really a solution?

from GPT, AI vs AI, to services that add layers for every person for any other service to their devices or tools.

Also knowing what behaviours are "real or not", learned from yourself, so mass deletion sounds off, so it will be disabled and notified.

 

nvidia - Improve Spear Phishing Detection With Generative AI

https://youtu.be/57dEPP67XrY

Edited by Quackers101