I think I have just been infected with a RAT (remote access tool). Off the top of my head, I don’t think Qubes is designed to mitigate that, am I correct?
It does, if you keep your sensitive data in offline qubes.
But a RAT has access to the desktop and the pull down menus, they could use the menus to access my offline qube’s documents.
In fact, they opened the file manager of Dom0.
This suggests that either you installed something in dom0, or the attack jumped from an online qube (where something was installed) to dom0. Qubes is designed to mitigate the latter, so this would be a serious breach.

Can you immediately take that system offline and run some forensics to try to identify what has happened?
I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.
Well, there is no need to panic. I am a teacher. All my documents are sooner or later public to a degree.
But I think the infection chain goes like this: the attacker attacks sys-net. Since sys-net has no defenses, they installed a RAT. Then, using the GUI’s pull-down menus, it accessed the various menus and opened the file manager in Dom0 just to show me.
I think the only defense I can do is use my VPN. I think the Qubes designers must be on drugs to have missed that attack vector.
Well … like unman said: code that runs in sys-net can't access the rest of the machine. No GUI, etc. There must have been some traversal to dom0 (or help by the person at the keyboard) to do this.
For forensic imaging I'd recommend dcfldd.
Well, I do know that the attackers have attacked the modem. For example, they can MITM me and block access to DNS.
As a mitigation, I have hardened Fedora by uninstalling apps, blocking unneeded network protocol kernel modules, and masking some services.
And I added a pfsense firewall between the modem and my internal network.
Sys-net has no access to the GUI? Are you sure of that?
What about some API?
Don't let my casual reply mislead you. I am fully concerned. I am a Security+ cybersecurity teacher.
The attack was not aided by me. I was on another machine. And when I returned I found the File Manager to Dom0 open.
Forensics is my weak spot. I am not very well versed in that. Without an EDR I am helpless.
That’s good to know.
Are you able to identify how the attackers were able to jump from sys-net to dom0? This is a key vulnerability that should be reported to the security team, if you can identify it.
I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.
I can only make educated guesses for the attack. If you say sys-net has no GUI, then it could be API access, unless that is blocked somehow too.
As I said, forensics is my weak spot. I will try to read the logs (I don’t even know where they reside on Qubes; I only have 2 months of experience on Qubes). I have already panicked and did a forensics no-no by rebooting the system without doing a RAM image or dd image.
If you wish, I can make a clonezilla image and snail mail it to the security team. Supply me the address if you want it.
As an end-user client, at this point, I want some reassurance that opening a file manager window to dom0 is as far as they can go, and that the system is still safe to use.
If you supply me the location of the logs that matter, I will do some digging around.
I’m pretty sure you just opened the file manager in dom0 by accident. It’s very, very unlikely that a trivial malware/RAT could escape the VM and infect dom0. That would require a 0-day exploit for the Xen Hypervisor plus privilege escalation. Infecting sys-net doesn’t grant access to other qubes or control over dom0 itself. Also, dom0 doesn’t have internet access. Theoretically, a RAT couldn’t run on dom0, since it would require an internet connection to enable remote desktop access. This is probably just paranoia, and you accidentally opened the file manager in dom0 without realizing it.
Additionally, opening the file manager is not an obvious action for an attacker, even in Dom0.
A compromised sys-net could try to spoof a Dom0 terminal window, but it would have the coloured decoration - normally red - indicating its origin. Not clear what would be the point of that, unless a student was messing around…
Similarly, a compromised USB (or other) mouse could open the app “blind”, but I suspect it would need a keyboard to be able to do anything harmful easily… unless an operator could see the screen.
Since we are on the topic of sys-net being hacked… does running sys-net as dvm increase security significantly? What’s the downside? Only that I have to type in my wifi password every time?
No, that’s not possible. There is no file manager or other tool that can access dom0 from any qube. If communication between dom0 and any qube is required, it is triggered and controlled from dom0. And dom0 has no network connection.
There is no file manager to dom0 from any qube. All communication between dom0 and any domU instance is triggered, run and controlled from dom0. It is a one-way process, no matter in which direction information is transported.
Only dom0 can send files from dom0 to domU, and also only dom0 can send files from domU to dom0.
The person seems to be BSing. Says and knows little.
It increases security to some extent, since exploits would die at restart.

To avoid the password repetition, simply place them in the disposable template.
I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.