Hacked While Using Qubes

Expecting replies saying I’m paranoid, why don’t I provide logs

Was using HVM for StandAlone VM of Linux Distribution with Graphical Interface to display program that will not display in Qubes without it. Standalone VM was connected to sys-whonix.

Standalone VM was doing background process that takes some time to do and required internet. Put system into locked mode and went and ate chicken sandwich and watched movie.

When back the HVM did not display at all. It was not showing in any screens; expected display in fourth screen. It was also still running in list of open Qubes in status tray button showing signs of usage based on bandwidth being monitored in other qube; as some of background processes did require internet. Emergency paused VM and bandwidth decreased by large amount, unpaused and it increased confirming Internet still being used. Killed the VM.

Started VM again and went inside the VM and reviewed files. A document had been accessed today. I had not accessed this document today. There were multiple documents in the folder that were also there and not showing as accessed so a process is not accessing all the files. Someone breached the VM through sys-whonix despite the firewall denying incoming connections in the Standalone VM, accessed file, possibly accessed other documents and then something they did stopped the VM display.

The document they accessed was sensitive but not critical. I had not accessed it for days and was only using this Qube for a background process. When I opened the document it changed the document access time to the present time but prior to that it was an earlier time today. I am not drunk or high on drugs and did not access that document prior to the VM display stopping and killing the VM and hadn’t opened it in weeks prior to killing the VM. Nothing would have automatically opened it.

My threat model is not compatible with posted public logs. I do not think there could be any explanation for a new access date/time for a file and an entire Stand Alone window disappearing other than a hack. No new users or groups listed.

Moved this thread into the appropriate category.

This sounds indeed like you might have been compromised. There isn’t enough information in your post to say for sure, so I can only give you general feedback:

  • just running things on Qubes OS doesn’t magically protect you from compromise, it does however limit the compromise to the affected qube – that’s kind of the main idea/feature of the OS

  • using sys-whonix as netvm doesn’t stop any attacker, it simply routes your traffic through Tor

  • the firewall blocking incoming traffic does nothing to protect you if you are running malicious code in your qube that is able to establish an outgoing connection

Basically that qube was just as secure as any laptop running that particular install bare metal. What Qubes OS can do is protect all your other qubes from being affected.

Compartmentalization really only helps if your sensitive data is separated in (ideally) offline qubes. A standalone VM is just like any other computer including a persisting root partition.


Do you know the best hardened OS I can run as a StandAlone VM and connect to whonix by installing an ISO?

I installed so little in the StandAlone VM. Was everything in the Qube compromised? It was running for hours during the hack. There is a limit to how much data they could have received as a result of the connection speed.

Is this more likely to be infected firmware an infected file or being hacked directly from a malicious tor exit node?

I am also wondering if my system itself has been compromised. A qube user may be a more valuable target for a hacker than a regular user. Unpublished exploits certainly exist for my hardware even if I don’t know them. Are qubes users and researchers regularly trying to break into dom0 from other qubes to discover vulnerabilities and failing?

I wanted to connect the qube to sys-whonix to make it more likely my connection was unpredictable, but tor nodes are harder to trust.

My connection went from sys-network to sys-firewall to sys-whonix. Were those all compromised too?

It is possible but extremely unlikely that anything other than your Standalone VM was compromised. Is there a particular reason you are not using Whonix workstation?

As for your other questions: they are impossible to answer without a forensic analysis of your machine, which would take a lot of time and is nearly impossible via a forum thread.

If you are at all worried about what happened, then read, understand and follow this guide.

Don’t be shy about asking questions if there are things in the guide you don’t understand.

Side note

Usually we would mutter something about Raising the Bar™, the high costs of targeted attacks, attackers not wanting to burn 0-days, or only nation state actors being able to afford such attacks, and that in case one is on their list of targets, the game is over anyway and no point in fighting. Plus some classic cartoon.

That’s a really good summary of how those threads go. Maybe we can just skip this and go to the recovery?


It was a light OS that was likely easily hacked. Think Puppy Linux or Hannah Montana Linux. Probably 0day was not needed.

I’ve dealt with attackers in the past and have gone down many rabbit holes. One explanation you may not have considered is some sort of indexing program that catalogs files on disk. Can’t recall the specific program I noticed doing this in Ubuntu before, but I have seen this. Typically, if an attacker is good enough to access files on your machine, they’re good enough to forge timestamps. A much more suspect pattern would be all or many files all being set to a date a few years in the past. One thing you might do: check timestamps with various methods. Try stat, ls -l, and any other methods you can dig up. Discrepancies in the different methods are also a red flag. You could even hack some simple C up with stat().

It’s really easy to suspect attackers for benign processes due to ignorance and I want to give you some ideas.

Another HUGE red flag would be weird systemd services. In nearly every case of being attacked (I suspect, to be fair), systemd just looked wonky. It’s hard to get a baseline for normal behavior on a compromised machine, but I wouldn’t get super paranoid until I was certain systemd was doing some magic that I couldn’t explain (more magical than it already is, I guess).
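The stat() check suggested in the post above, as an added example that is not part of the original thread or any poster's code. The helper names, the 60-second slack and the scratch file under /tmp are assumptions made for illustration; it goes one step beyond the post by comparing mtime against ctime, which user space cannot set directly.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>
#include <utime.h>

/* Hypothetical helper: prints atime/mtime/ctime for comparison with `stat`
 * and `ls -l`, then returns 1 if mtime is more than `slack` seconds older
 * than ctime, 0 if not, -1 if stat() fails. utime()/touch can rewrite atime
 * and mtime, but the kernel stamps ctime on every inode change. chmod, rename
 * and archive extraction leave the same gap, so a hit is a lead, not proof. */
int mtime_predates_ctime(const char *path, long slack)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    const char *name[] = { "atime", "mtime", "ctime" };
    time_t t[] = { st.st_atime, st.st_mtime, st.st_ctime };
    printf("%s\n", path);
    for (int i = 0; i < 3; i++) {
        char buf[32];
        strftime(buf, sizeof buf, "%Y-%m-%d %H:%M:%S", localtime(&t[i]));
        printf("  %s %s\n", name[i], buf);
    }
    return difftime(st.st_ctime, st.st_mtime) > (double)slack;
}

/* Constructed sample: make a scratch file, then backdate it by three years. */
int demo_backdated(void)
{
    char path[] = "/tmp/tsdemoXXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    close(fd);
    int fresh = mtime_predates_ctime(path, 60);      /* expect 0 */
    time_t past = time(NULL) - 3L * 365 * 24 * 3600;
    struct utimbuf old = { past, past };             /* actime, modtime */
    int rc = utime(path, &old);
    int backdated = mtime_predates_ctime(path, 60);  /* expect 1 */
    unlink(path);
    return rc == 0 && fresh == 0 && backdated == 1;
}

int main(int argc, char **argv)
{
    if (argc < 2) return demo_backdated() == 1 ? 0 : 1;
    for (int i = 1; i < argc; i++)
        if (mtime_predates_ctime(argv[i], 60) == 1)
            puts("  note: mtime is older than ctime");
    return 0;
}
```

On a relatime mount (the Linux default), a read updates atime only when the old atime is not later than mtime or ctime, or is more than a day old, so an unchanged atime does not show that a file went unread.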

“Usually we would mutter something about Raising the Bar™, the high costs of targeted attacks, attackers not wanting to burn 0-days, or only nation state actors being able to afford such attacks, and that in case one is on their list of targets, the game is over anyway and no point in fighting. Plus some classic cartoon.”

IMO this kind of defeatist attitude holds back Qubes and similar projects. A subject of such an attack could provide invaluable data for making Qubes (and others) more secure. Analogous to a reproducible bug for a software engineer.

Also the classic cartoon is a red herring here. He is being remotely compromised (if it really was a compromise). I know it’s a joke but just saying.

It’s not defeatist, it’s an attempt to maintain sanity in a public forum. There is real benefit Qubes OS can bring to users and the topic of the forum is to help users understand what and how Qubes OS can do for them.

These kinds of threads are a distraction from that goal and mostly attract lots of paranoid, unsubstantiated comments. It takes a lot of effort to dispel all the nonsense posted in those contexts. Hence this category being a kind of parking lot for those less constructive threads (in the context of the Qubes OS forum).