
My Channel Was Deleted Last Night.

CPotter
18 minutes ago, Bitter said:

Maybe instead of getting emails with attachments for sponsorships they should set up a portal through which offers are submitted in text with only specific attachment types allowed. Content submitted to the portal can be opened in a computer or VM that's a sandbox and not logged into any accounts. Create a new position, 'intake administrator', whose job it is to double check that things being passed on to the less technically savvy members of the team are clean.

Then lock down incoming emails to strip or reject attachments to the marketing team. It'll make things slightly more annoying, but it would entirely bypass this method of attack in the future, or any copy-cat attempts which are going to be coming now.

 

I do wonder if maybe something like my old pfSense box, which had virus scanning on the fly for all incoming/outgoing traffic, might have picked up on something like this?

If they have Office 365 or Google Apps, then both have options for setting up shared cloud space for uploading files. Google Drive, OneDrive, or SharePoint would all make good transfer portals for stuff like that.

 

We quarantine all attachments and use SharePoint as a web-based file-sharing site.


2 hours ago, CoolJosh3k said:

The malware used to perform the attack is made for Windows. The vast majority of it will be.

 

Linux, Mac or other platforms would be much safer to manage accounts from.

You know which malware was used for this attack?  Because there are a number of them out in the wild now that will work on all 3 systems.  Not saying this was one of them, but it's getting less and less safe to assume these attack vectors are Windows exclusive. 


On 3/24/2023 at 4:26 PM, s3r4pH said:

I never heard about CDR, what does it stand for? Can you explain further?

It stands for "Content Disarm & Reconstruction". Tools that do CDR basically take a file, strip it of any malicious content and construct it again with only its safe features.

 

It doesn't matter if the file is malicious or benign, or if it is known or not by AV engines, and it's a fairly fast process (unlike a sandbox, for example), so you could actually incorporate it on a corporate mail server where every email passes through CDR before getting to the end user, for example.

 

I have been dealing with it for years and it is really THE solution for handling social engineering attacks that incorporate malicious files.
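Bitter's intake-portal idea (only specific attachment types allowed) and the CDR description above, as an added example that is not part of the original thread or of any CDR product: an extension allowlist applied at intake, followed by a minimal CDR pass for OOXML (docx/xlsx) files that rebuilds the archive without its VBA parts and without the content-type and relationship entries that referenced them. The allowed-extension set and the sample document are constructed for this example; a real CDR engine also rewrites embedded objects, scripts in PDFs and so on, which this does not attempt.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
# Constructed intake policy (an assumption for this example, not LTT's real one).
ALLOWED_EXTENSIONS = {".pdf", ".docx", ".xlsx", ".png", ".jpg", ".txt"}
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
VBA_TYPE = "application/vnd.ms-office.vbaProject"

def is_allowed_type(filename: str) -> bool:
    """Extension allowlist applied before any parsing: .docm, .exe, .js, .iso never get in."""
    return "." in filename and "." + filename.rsplit(".", 1)[1].lower() in ALLOWED_EXTENSIONS

def _filter_xml(xml_bytes: bytes, ns: str, tag: str, drop) -> bytes:
    """Re-serialise an OOXML XML part without the child elements selected by `drop`."""
    root = ET.fromstring(xml_bytes)
    for el in [e for e in root.findall(f"{{{ns}}}{tag}") if drop(e)]:
        root.remove(el)
    ET.register_namespace("", ns)  # keep the part's default namespace on re-serialisation
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)

def disarm_ooxml(data: bytes) -> tuple:
    """CDR pass: rebuild the zip without code parts. Returns (clean bytes, removed names, kept parts)."""
    src = zipfile.ZipFile(io.BytesIO(data))
    removed = [n for n in src.namelist() if n.endswith(("vbaProject.bin", "vbaData.xml"))]  # VBA parts
    removed_base = {n.rsplit("/", 1)[-1] for n in removed}
    out, kept = io.BytesIO(), {}
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if name in removed:
                continue
            payload = src.read(name)
            if name == "[Content_Types].xml":  # drop the removed parts' content-type declarations
                payload = _filter_xml(payload, CT_NS, "Override", lambda e: e.get("ContentType", "").startswith(VBA_TYPE) or e.get("PartName", "").lstrip("/") in removed)
            elif name.endswith(".rels"):  # and every relationship that pointed at one of them
                payload = _filter_xml(payload, REL_NS, "Relationship", lambda e: e.get("Target", "").rsplit("/", 1)[-1] in removed_base)
            dst.writestr(name, payload)  # every other part is copied unchanged
            kept[name] = payload
    return out.getvalue(), removed, kept

def build_sample_docm() -> bytes:
    """Constructed stand-in for a macro-enabled document; the 'VBA' part is a harmless placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", f'<Types xmlns="{CT_NS}"><Override PartName="/word/document.xml" ContentType="application/xml"/><Override PartName="/word/vbaProject.bin" ContentType="{VBA_TYPE}"/></Types>')
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/vbaProject.bin", b"CONSTRUCTED PLACEHOLDER, NOT VBA")
        z.writestr("word/_rels/document.xml.rels", f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/></Relationships>')
    return buf.getvalue()
```

Calling `disarm_ooxml(build_sample_docm())` returns a rebuilt archive whose `word/vbaProject.bin` is gone and whose content-types and relationships no longer mention it, while `word/document.xml` is carried over byte for byte.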


On 3/24/2023 at 4:33 PM, GodAtum said:

Why no antivirus??

Antivirus can't help if it doesn't have the signature of the file.


15 hours ago, Arika S said:

Yes, it's unrelated to the OS.

Macs are definitely less susceptible to malware.


6 hours ago, earthman06 said:

Antivirus can't help if it doesn't have the signature of the file.

That is plain wrong. Next-gen AV doesn't even use signatures at all.


I see the site link for the Tesla scam is still appended to many of the video descriptions. The fake site appears to have been nuked, and all the decent virus checkers and browsers seem to have flagged it anyway. But the cleanup continues, I guess.


5 hours ago, KazInVan said:

That is plain wrong. Next-gen AV doesn't even use signatures at all.

Ok, so how do they detect zero day attacks?


48 minutes ago, earthman06 said:

Ok, so how do they detect zero day attacks?

By looking at what each process is attempting to do.  Cylance is still the best endpoint AV tool out there in terms of ability to prevent compromise and they don't use signatures at all.  I have tested multiple AV tools against the same viruses in a lab setting, Cylance was the only app that passed all tests.  


Mistakes happen I guess, but your employees should never be allowed to open attachments from anyone on regular work computers, and neither should you. Best practice would be to use an isolated device, and preferably open the attachment inside a sandboxed virtual machine.

 

Never rely on Google's security; they're either too stupid or they don't care. I have no clue how someone changing the channel name and purging videos en masse doesn't warrant asking them to reauth.

 

I'm sorry you had to go through this Linus. Remember, what doesn't kill you makes you stronger.


Big oof, really surprised that this was possible to happen though!


2 hours ago, TechlessBro said:

Not quite, they are as or more susceptible. They just have lower market share, so less profit in writing malware for them. Apple users' data is also more likely cloud-based, so attacking poor passwords and PINs is easier and quicker.

Way more to it than that.

 

For example, the way software is distributed.

The way that software is all signed by Apple, unless you override it and ignore the huge warnings.

Much of the underlying code is based on Unix and adapts from open source code.

 

Yea, it sure is possible for malware to happen, but even if there was a much more massive drive for hackers to write malicious applications targeting Apple products, there are far more security checks in place.


9 hours ago, TechlessBro said:

Firewalls etc., especially pfSense, won't fix issues like this. What if the user is out of office or on mobile?

pfSense is a home user solution. LTT is a business, so it needs a corporate solution with thought, planning and redundancy.
This also assumes the attachment was in the email and not a link to a file on the web.


VM, VPN will not fix this, they are point solutions and just add complexity and more attack surface.

 

A device like pfSense would catch a malicious link if it's scanning all incoming/outgoing traffic for malware, and it could block suspicious traffic from weird ports or odd addresses. I mean, just blocking the whole set of IPs from Russia would probably be a solid start to reducing thieving malware's chances of reporting home.

 

I ran a pfSense for about 4 years with strict settings, pretty amazing what it could do! Sadly the case it was in used a special PSU that died, and with increasing internet speeds it became a bottleneck. I just never bothered to rebuild it. Stealing raw mp3 files from the local cache left by streaming Pandora was an interesting find though! No DRM!


6 hours ago, devilinpants said:

Does anyone actually know what antivirus software they use? I am going to look at changing if I am using the same thing.

Don't rely on an antivirus.

 

The built in solution that comes with windows is plenty for most people and perhaps Malwarebytes on top is all you need. The best way to stop malware is to practice proper cybersecurity hygiene. In this particular case, email is never secure, so don't open email attachments from anyone you're not 100% sure you know. If you have to, you can set up a sandboxed virtual machine and open attachments in it. 

 

I also understand why Google and YouTube should take most of the blame for this, but it's also up to us users to know that Google isn't secure, like not at all, and isn't designed to be. Google is an ad business, that's what makes them money, that's what they care about, and they don't care about security at all. The proof is in the pudding: someone was able to change the channel name (I believe multiple times), even the @ handle, and mass delete thousands of videos, all from a completely different IP that LTT never used in all likelihood, without being prompted to reauth just once. This level of security is pathetic, and wouldn't be acceptable for software that's designed to handle the inventory of a convenience store. Hell, this is up there with storing-unhashed-passwords-on-your-server level stupid.


8 hours ago, TechlessBro said:

Yeah but this isn’t a very technical forum so made it simple attack motive based.

 

Apple users are on average less technical and easy to get to bypass Apple security. Same way "enable macros" on Word worked for decades.

 

It's all just social engineering and ignoring alerts. Apple can do as much as you like, but the OS stuff isn't much use if your cloud password is poor. Or they pepper spray you and take the unlocked phone etc., which is super common.

 

Also please don't trigger the Apple and BSD people.

I think the very first thing that would have stopped the attack on a Mac is that it would let you know it is a program and ask if you want to run it.


7 hours ago, devilinpants said:

Does anyone actually know what antivirus software they use? I am going to look at changing if I am using the same thing.

This kind of attack could take various forms and use different mechanisms to evade detection and trick the user into running it.

 

Every AV will vary in which mechanisms bypass it. The best AV will cover more, but still might/might not catch something another does.

 

Unfortunately, due to how AV works, most can't be run alongside another. You have to choose and hope.


1 hour ago, GFox said:

Don't rely on an antivirus.

 

The built in solution that comes with windows is plenty for most people and perhaps Malwarebytes on top is all you need. The best way to stop malware is to practice proper cybersecurity hygiene. In this particular case, email is never secure, so don't open email attachments from anyone you're not 100% sure you know. If you have to, you can set up a sandboxed virtual machine and open attachments in it. 

 

I also understand why Google and YouTube should take most of the blame for this, but it's also up to us users to know that Google isn't secure, like not at all, and isn't designed to be. Google is an ad business, that's what makes them money, that's what they care about, and they don't care about security at all. The proof is in the pudding: someone was able to change the channel name (I believe multiple times), even the @ handle, and mass delete thousands of videos, all from a completely different IP that LTT never used in all likelihood, without being prompted to reauth just once. This level of security is pathetic, and wouldn't be acceptable for software that's designed to handle the inventory of a convenience store. Hell, this is up there with storing-unhashed-passwords-on-your-server level stupid.

I'd agree that being aware and practicing safe habits is the most effective, but even so, sometimes stuff will make it through.

When a user makes a mistake, whether due to lack of knowledge or human error, having a good AV there to back you up is incredibly valuable.

Windows Defender isn't awful, but it is also not good. It will miss plenty of stuff and has been shown to lack rather old, but serious, detections. Plus a proper AV will still work really well even without an internet connection, for those who might not always have one.


On 3/26/2023 at 3:02 AM, LapsedMemory said:

You know which malware was used for this attack?  Because there are a number of them out in the wild now that will work on all 3 systems.  Not saying this was one of them, but it's getting less and less safe to assume these attack vectors are Windows exclusive. 

Running an executable on Windows is way easier.

Having a separate OS (or virtual machine) specifically just to do stuff like uploading videos would significantly limit the capabilities of this kind of cybercrime. You'd do all your correspondence and video editing on one machine, then transfer the results to the cheaper system that just deals with the upload.


Just a heads up @CPotter, @LinusTech
searching for Techquickie and Techlinked channels still shows the Tesla logo:

Tried from Incognito / Private browser mode, 2 browsers, with a VPN from a couple of different countries...
So this seems not to be just a local cache or regional server cache issue.


On 3/26/2023 at 2:38 AM, Vishera said:

why does Linus look like Walterific?


On 3/25/2023 at 7:47 PM, Adrian Stephenson said:

More clean-up work is needed at LTT. The scammers still have links on some videos.

Looks like it is fixed now.


On 3/26/2023 at 8:36 AM, KazInVan said:

By looking at what each process is attempting to do.  Cylance is still the best endpoint AV tool out there in terms of ability to prevent compromise and they don't use signatures at all.  I have tested multiple AV tools against the same viruses in a lab setting, Cylance was the only app that passed all tests.  

That's interesting.

I'm not an AV expert, but what you are describing sounds to me like how a sandbox works. Functionality is great, but at the cost of performance.

How is Cylance's performance overall, from your impressions?


On 3/26/2023 at 1:36 PM, KazInVan said:

By looking at what each process is attempting to do.  Cylance is still the best endpoint AV tool out there in terms of ability to prevent compromise and they don't use signatures at all.  I have tested multiple AV tools against the same viruses in a lab setting, Cylance was the only app that passed all tests.  

I'm pretty sure that is not true. While every endpoint protection program uses so-called "ML algorithms, pattern matching, and cloud sandbox detonation", they still have to use signatures to rapidly inoculate other users from said malware. If patient 0 was infected by new malware with detection evasion techniques, that AV would still lock that file and upload it to a remote sandbox for detonation, or, if it needs manual intervention by a security analyst, then they deploy signatures to inoculate others. Heck, even those so-called ML detection algorithms require new signatures made by human experts, because malefactors will always try to figure out how AV algorithms work until they can bypass them. That's how all AV programs work. Now if a company has an EDR sensor, then it can spot changes on endpoints regardless of whether the EPP was able to detect it or not.

 

https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2018/02/Emotet-fig4-Windows-Defender-AV-cloud-protections-service-2.png

https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2018/02/Emotet-fig1-layered-machine-learning-models-funnel-3.png


On 3/24/2023 at 7:29 PM, s3r4pH said:

Dude, it is a common method to minimize the risk of this. Go check this on Youtube please 😉

VPNs won't protect you against spear-phishing emails, because they don't require the attacker to know the victim's true IP address. All they need is to craft an email that looks like a legit sponsor spot through reconnaissance, which will more likely bypass most spam filters.

