Linus Tech Tips' YouTube channels were hacked due to a session hijacking attack

Discussion in 'malware problems & news' started by stapp, Mar 24, 2023.

  1. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    24,105
    Location:
    UK
    https://www.neowin.net/news/linus-t...ere-hacked-due-to-a-session-hijacking-attack/
     
  2. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Wow, OK. I guess Sandboxie doesn't safeguard against this, does it? Doing online banking now, I have to open the email to get the confirmation code so I'm diligent not to open anything else while I'm on the bank site. Then, I close the browser and let SBIE clean it out.

    Ultimately, the user has to bear the brunt of the responsibility but I wonder if the network filtering function can help with this (using an enhanced sandbox).
     
  3. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,560
    I’m curious if Webroot identity shield could have protected those cookies.
     
  4. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,507
    So how could this have been prevented?
     
  5. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Well, acc. to Linus, they were phished with a malicious email that contained some kind of info stealer that hijacked their session cookies, and this enabled the operators to access the channel's contents.

    Sometimes emails can be so convincing, though, and it happens a lot, esp. if one is distracted, in a hurry or whatever. It seems YouTube has to increase security measures on their end too but what exactly I didn't get. Maybe MFA instead of 2FA? Although once the login is stolen, that becomes useless.
     
  6. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    From the link in post #1:

    I would think outbound application firewall control set to default-deny should at least prevent the cookies from being sent to the mother ship.
     
  7. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,439
    Location:
    Slovakia
    Indeed, but that applies only to security-aware users; to put it simply, not getting infected works as well. As far as browser threats go, container/isolated tabs should work, if enabled that is, so common Chrome/Edge users are out of luck.
     
  8. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Well of course, but it's nice to have reliable security in place to bail out users making poor decisions, especially in a company with 80 employees, at least as of April 2022.

    Sure, but this was a phishing email attack.
     
  9. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,626
    By not opening the infected email attachment.
     
  10. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    24,105
    Location:
    UK
    I accept that roger. However I think it would be good to know what would prevent session cookies being stolen without them knowing your password or username.
     
  11. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,626
    I agree.
     
  12. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
  13. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,439
    Location:
    Slovakia
    I have yet to see a detailed analysis of how those attacks work and where they originate, if no malware is present or executed by the user, but it is no different from other malware, using scripts, PowerShell and lolbins.
    So simple security should prevent it, but it is not so simple for common users; even using a safer DNS could prevent a payload download, SmartApp will prevent unsigned executables, max UAC, etc.

    Source: https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass

    [Figures from the Sophos article: active adversary cookie theft; fake installer infostealer cookie theft; malspam Phoenix keylogger cookie theft]
     
  14. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    From that article:

    Agree with this assertion, and not only to mitigate the damage done from a hack, but also the business is primarily responsible for preventing hacks. Educating employees on cyber security is an important measure amongst many that can help.

    Admittedly I've been one who on numerous occasions has mostly blamed the end user for falling victim to phishing email scams in these forums, although I usually refer to a home user, but there is no way to eliminate the "human factor" from the equation, and that is why strong and reliable security measures should be in place, such as least privilege, system hardening and security applications and hardware, especially for businesses where the "human factor" for tripping up is multiplied potentially many times that of a home user, on a magnitude of tens, hundreds or even thousands.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I guess you guys didn't read my topic, see link. Tools that block cookie exfiltration will stop this, so at least in theory tools like Webroot and HMPA should block it. You can also block access to browser profile with Secure Folders. But someone really needs to test this stuff.

    https://www.wilderssecurity.com/threads/cookie-stealing-the-new-perimeter-bypass.447085/


    I don't believe this stuff helps, because I assume these info stealers can bypass firewalls by injecting code into the browser, which allows them to use the browser itself to send out the stolen data, but I'm not sure.
     
  16. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Good point, especially if the browser is being utilized to send the cookies, but is it, or is it a malicious process sending the cookie info?

    EDIT
    I vaguely remember reading that, but that was a long time ago and before long, all these topics become a blur to me.
     
    Last edited: Mar 25, 2023
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    That's not clear to me, I need to do some more reading about these types of info-stealing malware. I would be surprised if they didn't try to bypass firewalls with, for example, code injection.
     
  18. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    I was checking out the link you provided a few posts above, and it looks like one of the attacks they describe via an email scam uses legitimate msbuild.exe to grab and exfiltrate cookies to a remote server. I'm speculating only, but maybe a similar method was used in the Linus Tech Tips attack.

    Another attack utilizes Powershell, so blocking that should prevent that type of attack as well. At the end of the day, there are probably numerous ways of preventing the various types of these cookie stealing attacks.
     
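The msbuild.exe and PowerShell chains described in the two posts above (and the scripts/lolbins point in post #13) are the kind of thing a detection rule can catch on the endpoint. The following is an added example written for this page, not code from the thread, from Sophos, or from any product named here. It runs three rules over constructed, EDR-style events in a simple "key=value | key=value" line format (not real Sysmon output): a lolbin spawned by a mail or Office client, a non-browser process reading a browser cookie or credential store, and a lolbin connecting out to a non-internal address. The event field names, the process lists and the 203.0.113.10 address are all assumptions for illustration; note that stock Sysmon does not log file reads, so the second rule assumes an EDR that does.

```python
"""Detection sketch for infostealer-style browser cookie theft on Windows.

Events are constructed, EDR-like lines in "key=value | key=value" form
(assumed format, not real telemetry). Three rules:
  1. a lolbin (msbuild.exe, powershell.exe, ...) spawned by a mail/Office client,
  2. a non-browser process touching a browser cookie/credential store,
  3. a lolbin opening an outbound connection to a non-internal address.
"""
import ipaddress
import ntpath
import re
from typing import Dict, List, Tuple

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
MAIL_OFFICE = {"outlook.exe", "thunderbird.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
LOLBINS = {"msbuild.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Chromium keeps cookies in "...\User Data\<profile>\Network\Cookies" (older builds:
# "...\<profile>\Cookies"), saved passwords in "Login Data" and the DPAPI-wrapped
# encryption key in "Local State"; Firefox uses "cookies.sqlite".
COOKIE_STORES = re.compile(r"\\(Cookies|Login Data|Local State|cookies\.sqlite)$", re.IGNORECASE)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse_event(line: str) -> Dict[str, str]:
    """Split 'k=v | k=v' into a dict; the first '=' separates key from value."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def is_external(ip: str) -> bool:
    """True unless the address is RFC 1918, loopback or link-local."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def evaluate(ev: Dict[str, str]) -> List[str]:
    """Return the findings this single event triggers (possibly none)."""
    hits = []
    kind = ev.get("type", "")
    image = image_name(ev.get("Image", ""))
    parent = image_name(ev.get("ParentImage", ""))
    if kind == "ProcessCreate" and parent in MAIL_OFFICE and image in LOLBINS:
        hits.append(f"lolbin {image} spawned by mail/office client {parent}")
    target = ev.get("TargetFilename", "")
    if kind == "FileAccess" and image not in BROWSERS and COOKIE_STORES.search(target):
        hits.append(f"non-browser {image} read browser store {ntpath.basename(target)}")
    dest = ev.get("DestinationIp")
    if kind == "NetworkConnect" and image in LOLBINS and dest and is_external(dest):
        hits.append(f"lolbin {image} connected out to {dest}:{ev.get('DestinationPort', '?')}")
    return hits


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Run every rule over every line; returns (1-based line number, finding) pairs."""
    return [(n, hit) for n, line in enumerate(lines, 1) for hit in evaluate(parse_event(line))]


# Constructed sample log. Lines 1-3 mimic the msbuild.exe chain discussed in the
# thread (203.0.113.10 is a documentation address standing in for a C2 host);
# lines 4-6 are benign look-alikes the rules must not flag.
SAMPLE_LOG = [
    r"type=ProcessCreate | Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
    r" | ParentImage=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
    r" | CommandLine=MSBuild.exe C:\Users\editor\AppData\Local\Temp\invoice.proj",
    r"type=FileAccess | Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
    r" | TargetFilename=C:\Users\editor\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies",
    r"type=NetworkConnect | Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
    r" | DestinationIp=203.0.113.10 | DestinationPort=443",
    r"type=FileAccess | Image=C:\Program Files\Google\Chrome\Application\chrome.exe"
    r" | TargetFilename=C:\Users\editor\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies",
    r"type=ProcessCreate | Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r" | ParentImage=C:\Windows\explorer.exe | CommandLine=powershell.exe -File build.ps1",
    r"type=NetworkConnect | Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
    r" | DestinationIp=10.0.0.5 | DestinationPort=443",
]

if __name__ == "__main__":
    for n, finding in scan(SAMPLE_LOG):
        print(f"line {n}: {finding}")
```

Each rule on its own is noisy (developers really do run msbuild.exe, and it really does talk to build servers); the value is in seeing two or three of them from the same process tree within a short window, which is how a SOC would correlate them in practice.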
  19. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,507
    Thanks. I ended up watching his video about it. Crazy stuff. I would imagine more user training would help, however getting compromised sadly is only one click away.
     
  20. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,507
    This is what I should have stated in the first place.
     
  21. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,507
    It would be good at work as we block PowerShell for all end users. But like you said, they likely have numerous ways to extract and send this information home to the mother ship. In the back of my head I knew this was possible, but have not done much research to mitigate this for my end users. Nice to see SophosX can stop this, but there has to be better ways to lock systems down to prevent it or at least stop it in its tracks.

    @Rasheed187 Did not see your post but have now read it. Thanks.
     
  22. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,439
    Location:
    Slovakia
    Sadly this is not something the user can do; the issue is on the server side. 2FA is in a sense obsolete. Services have to address this, but they do not know how or they want to avoid it, since it compromises the usability: like when a user is suddenly using a different IP, it should trigger a verification, but that would cause an inconvenience. Either way this cannot be ignored any longer, because it is getting out of hand. We will see something new before the end of the year.
     
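The server-side check the post above is asking for, and the answer to the earlier question of what stops a stolen cookie from being useful without the password, looks roughly like this. It is an added example written for this page, not code from the thread or from YouTube/Google: the session store is an in-memory dict, the server key is generated at import, the binding is an HMAC over the client's /24 (or /64 for IPv6) plus User-Agent, and the TTLs are arbitrary. A binding mismatch does not kill the session outright; it flags it so the next request gets a step-up prompt, which is the usability trade-off the post describes.

```python
"""Server-side session binding: a replayed cookie from a different network
or browser is not rejected outright but forced through re-verification.
Assumed design for illustration; in-memory store, hypothetical key and TTLs.
"""
import hashlib
import hmac
import ipaddress
import secrets
import time
from dataclasses import dataclass

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret (hypothetical)
ABSOLUTE_TTL = 12 * 3600              # hard lifetime, seconds
IDLE_TTL = 30 * 60                    # idle timeout, seconds


def client_fingerprint(ip: str, user_agent: str) -> bytes:
    """HMAC over the client's network prefix (/24 or /64) and UA string.
    Using a prefix rather than the exact IP tolerates ordinary address
    churn inside one network while still catching a replay from elsewhere."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    msg = f"{net}\n{user_agent}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


@dataclass
class Session:
    user: str
    fp: bytes
    created: float
    last_seen: float
    pending_reverify: bool = False


SESSIONS = {}  # session id -> Session (stand-in for a real store)


def login(user: str, ip: str, user_agent: str, now: float = None) -> str:
    """Issue a fresh session bound to the client that authenticated."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = Session(user, client_fingerprint(ip, user_agent), now, now)
    return sid


def check(sid: str, ip: str, user_agent: str, now: float = None) -> str:
    """Validate a presented session cookie: 'ok', 'reverify', 'expired' or 'invalid'."""
    now = time.time() if now is None else now
    s = SESSIONS.get(sid)
    if s is None:
        return "invalid"
    if now - s.created > ABSOLUTE_TTL or now - s.last_seen > IDLE_TTL:
        SESSIONS.pop(sid, None)
        return "expired"
    if not hmac.compare_digest(s.fp, client_fingerprint(ip, user_agent)):
        # Cookie is being presented from a different network/browser than it was
        # issued to. Lock the session (even for the original client) until a
        # second factor is passed, rather than silently accepting the replay.
        s.pending_reverify = True
        return "reverify"
    if s.pending_reverify:
        return "reverify"
    s.last_seen = now
    return "ok"


def complete_reverify(sid: str, ip: str, user_agent: str,
                      second_factor_ok: bool, now: float = None) -> bool:
    """After the step-up prompt succeeds, rebind the session to the client that passed it."""
    s = SESSIONS.get(sid)
    if s is None or not second_factor_ok:
        return False
    s.fp = client_fingerprint(ip, user_agent)
    s.pending_reverify = False
    s.last_seen = time.time() if now is None else now
    return True
```

The caveat a practitioner would raise: an infostealer runs on the victim's own machine, so an attacker who proxies requests through that machine (or simply copies the User-Agent and comes from a nearby address) still matches the binding. IP/UA binding raises the bar and catches the common "cookie replayed from the attacker's VPS" case; binding the session to a key the browser holds in hardware is the stronger control, and that is the part only the service and browser vendors can deliver.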
  23. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,507
    I sure hope so man. Time will tell.
     
  24. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,626
    The Malware that hacked Linus Tech Tips. A video from The PC Security Channel.
    https://www.youtube.com/watch?v=nYdS3FIu3rI
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes, I think you're right. I have done some reading about the RedLine Stealer and it makes use of several system processes, so I guess it's these processes that will try to connect out to upload the stolen data. Which brings me to the question, aren't these hacked people using firewalls? For example, TinyWall blocks ALL except a few processes from making outbound connections, so it should be able to block such an attack.

    https://www.pcrisk.com/removal-guides/17280-redlinestealer-malware
    https://cloudsek.com/blog/technical-analysis-of-the-redline-stealer
     