Expecting replies saying I’m paranoid and asking why I don’t provide logs.
I was using an HVM as a StandAlone VM running a Linux distribution with a graphical interface, to display a program that will not display in Qubes without it. The Standalone VM was connected to sys-whonix.
The Standalone VM was running a background process that takes some time and requires internet. I put the system into locked mode, went and ate a chicken sandwich and watched a movie.
When I came back the HVM did not display at all. It was not showing on any screen; I expected it to display on the fourth screen. It was also still running in the list of open Qubes in the status tray button, showing signs of usage based on bandwidth being monitored in another qube, as some of the background processes did require internet. I emergency-paused the VM and bandwidth decreased by a large amount; I unpaused it and it increased, confirming the Internet was still being used. I killed the VM.
I started the VM again, went inside the VM and reviewed files. A document had been accessed today. I had not accessed this document today. There were multiple other documents in the folder that were not showing as accessed, so a process is not accessing all the files. Someone breached the VM through sys-whonix despite the firewall denying incoming connections in the Standalone VM, accessed the file, possibly accessed other documents, and then something they did stopped the VM display.
The document they accessed was sensitive but not critical. I had not accessed it for days and was only using this Qube for a background process. When I opened the document it changed the document access time to the present time, but prior to that it was an earlier time today. I am not drunk or high on drugs; I did not access that document prior to the VM display stopping and killing the VM, and I hadn’t opened it in weeks prior to killing the VM. Nothing would have automatically opened it.
My threat model is not compatible with posting public logs. I do not think there could be any explanation for a new access date/time on a file and an entire Stand Alone window disappearing other than a hack. No new users or groups are listed.
Do you know the best hardened OS I can run as a StandAlone VM and connect to whonix by installing from an ISO?
I installed so little in the StandAlone VM. Was everything in the Qube compromised? It was running for hours during the hack. There is a limit to how much data they could have received given the connection speed.
Is this more likely to be infected firmware, an infected file, or being hacked directly from a malicious tor exit node?
I am also wondering if my system itself has been compromised. A Qubes user may be a more valuable target for a hacker than a regular user. Unpublished exploits certainly exist for my hardware even if I don’t know them. Are Qubes users and researchers regularly trying to break into dom0 from other qubes to discover vulnerabilities and failing?
I wanted to connect the qube to sys-whonix to make it more likely my connection was unpredictable, but tor nodes are harder to trust.
My connection went from sys-network to sys-firewall to sys-whonix. Were those all compromised too?
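The post above reasons from a file's access time, so the first thing a practitioner would want to pin down is what the three inode timestamps on that file actually are and what atime policy the filesystem is mounted with. On Linux, atime is only meaningful under the mount's atime option: with the default relatime, a read updates atime only when the stored atime is older than mtime/ctime or more than a day old; with noatime it never changes on read; with strictatime every read updates it. The script below is an added example for this thread, not something from the original poster; it is meant to be run inside the standalone VM (not dom0) against the directory in question, and it assumes GNU coreutils `stat` and util-linux `findmnt`, which Fedora and Debian based qubes ship. It lists every file whose atime is newer than both its mtime and ctime, i.e. files that were read after they were last written or had their metadata changed, and reports the mount's atime policy so the reader knows whether atime can be trusted as a "was read" signal at all.

```shell
#!/bin/sh
# Inspect Linux inode timestamps (atime, mtime, ctime) and the atime mount
# policy for a directory, to judge what a "recently accessed" timestamp means.
# Added example for this thread; assumes GNU stat and util-linux findmnt.

# Print atime, mtime and ctime of a file as epoch seconds, in that order.
file_times() {
    stat -c '%X %Y %Z' -- "$1"
}

# Report whether atime is strictly newer than both mtime and ctime.
# Prints "atime-newer" (read after last write/metadata change) or "atime-not-newer".
atime_check() {
    # Split "atime mtime ctime" into $1 $2 $3 (positional params are local to the function).
    set -- $(stat -c '%X %Y %Z' -- "$1")
    if [ "$1" -gt "$2" ] && [ "$1" -gt "$3" ]; then
        echo atime-newer
    else
        echo atime-not-newer
    fi
}

# Report the atime policy of the filesystem holding a path:
# noatime, strictatime, relatime (Linux default), or unknown if findmnt is unavailable.
atime_policy() {
    opts=$(findmnt -n -o OPTIONS --target "$1" 2>/dev/null) || opts=""
    case ",$opts," in
        *,noatime,*)     echo noatime ;;
        *,strictatime,*) echo strictatime ;;
        *,relatime,*)    echo relatime ;;
        *)               echo unknown ;;
    esac
}

# List regular files directly inside a directory whose atime is newer than
# mtime and ctime, one path per line. Under noatime this list is always empty,
# which is itself the answer: atime carries no information on that mount.
recently_read() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if [ "$(atime_check "$f")" = atime-newer ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Human-readable report for a directory.
report() {
    printf 'atime policy for %s: %s\n' "$1" "$(atime_policy "$1")"
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '%s  atime/mtime/ctime: %s  -> %s\n' "$f" "$(file_times "$f")" "$(atime_check "$f")"
    done
}

# Usage (run inside the standalone VM, not dom0):
#   . ./timestamps.sh && report "$HOME/Documents"
```

A few things to keep in mind when reading the output: opening the file in an editor or a file manager preview is itself a read, so the very first `stat` should be taken before anything else touches the directory; ctime cannot be set from userspace with `touch`, so a ctime later than the atime you are worried about means the inode was modified (permissions, ownership, a rewrite) after that read; and none of this survives if the filesystem is mounted noatime, in which case the access time you see is simply the last one recorded before the mount option took effect.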
It is possible but extremely unlikely that anything other than your Standalone VM was compromised. Is there a particular reason you are not using Whonix workstation?
As for your other questions: they are impossible to answer without a forensic analysis of your machine, which would take a lot of time and is nearly impossible via a forum thread.
If you are at all worried about what happened, then read, understand and follow this guide.
Don’t be shy about asking questions if there are things in the guide you don’t understand.
Usually we would mutter something about Raising the Bar™, the high costs of targeted attacks, attackers not wanting to burn 0-days, or only nation state actors being able to afford such attacks, and that in case one is on their list of targets, the game is over anyway and no point in fighting. Plus some classic cartoon.
That’s a really good summary of how those threads go. Maybe we can just skip this and go to the recovery?