[tor-relays] Tor Node infected with ransomware

Hello there,

today I woke up to an execution error of the relayor playbook.
I then tried to look into the affected node (tor-nl1.skankhunt42.pw; nickname skankhunt42nl1) and couldn't SSH into it. So I went to the hoster's VNC console and found a ransomware notice:

Your files are encrypted, requires payment for decrypting
Contact us: Telegram: @cloudcone_raidbot

UUID: bfaa20d9-7b11-417d-a702-cfa95d6c203c

I then tried to boot into recovery and look at the disk but as expected, partition table and ext4 superblocks were gone.

hexdump head of the disk was just the ransomware note shown above.
I was running Ubuntu 24.04 Minimal with ESM enabled and unattended-upgrades, everything else managed by relayor. I obviously checked the other nodes for unusual SSH logins (as they had the same SSH key) and didn't find anything.

I am rotating the keys for now and shut down the VPS at HostSlick. Not sure if there is something to further investigate maybe. What's odd is that I couldn't find anything about "cloudcone_raidbot", doesn't even exist on telegram.

I really want to understand what I did wrong.
Maybe someone with more experience may take a look at it?

Best,

skankhunt42


_______________________________________________
tor-relays mailing list -- tor-relays@lists.torproject.org
To unsubscribe send an email to tor-relays-leave@lists.torproject.org

Hello.

I was wondering when the Tor mailing list would catch wind of this.

skankhunt42 wrote:

I really want to understand what I did wrong.
Maybe someone with more experience may take a look at it?

You did nothing wrong. Several cheap providers have been attacked by a
script kiddie recently. They merely encrypted the first 512 MiB of the
block device. Note that they do not restore your data even if you pay.

Please see:
https://lowendtalk.com/discussion/214073/what-happened-to-cloudcone-was-it-hacked/p1
https://lowendtalk.com/discussion/214080/ransomware-via-virtualizor-exploit/p1

Regards,
forest


Oh, and the attack was against the hypervisor node, not your VPS itself.
All VPSes on that node were affected, and there is effectively nothing
you could have done to prevent this, so don't worry about having done
anything wrong.

Regards,
forest


For information, this was made possible because of the crappy control
panel known as "Virtualizor" that many little hosting companies use.

Whenever you start a Virtual Machine, you may notice that it takes
quite a while before it shows as started up, this is because
Virtualizor effectively attempts to read the disks and check for
partitions, if partitions are found, it will mount them then search for
certain files and overwrite them, such as network configuration files.

This cannot be disabled even by the administrator of the hypervisor!

So after compromising Virtualizor, the attacker simply altered the disk
analysis scripts.

It is however possible to prevent Virtualizor from running the
disk analysis scripts by preventing it from mounting your partitions,
one way to do this is by encrypting everything.

But in general, you should always avoid renting a VM from a service
that relies on "Virtualizor".
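Added example, not code from this thread or from Virtualizor: a small POSIX shell check that reads `lsblk` output and lists every partition carrying a filesystem other than a LUKS container, i.e. the partitions a hypervisor-side disk-analysis script could mount and modify. The `lsblk` rows are constructed samples; the column order assumes `lsblk -rno NAME,TYPE,FSTYPE,MOUNTPOINT`, and the "exposed" rule (any partition whose FSTYPE is neither empty nor crypto_LUKS) is this example's own heuristic, not a description of what Virtualizor's scripts actually look for.

```shell
#!/bin/sh
# Added example, not from the thread or from Virtualizor: list partitions whose
# filesystem is readable without a key, i.e. mountable from the hypervisor side.
# Assumes the column order produced by: lsblk -rno NAME,TYPE,FSTYPE,MOUNTPOINT

# Constructed sample: root on LUKS, but /boot left as plaintext ext4.
SAMPLE_MIXED='vda disk
vda1 part ext4 /boot
vda2 part crypto_LUKS
luks-root crypt ext4 /'

# Constructed sample: every partition is a LUKS container ("encrypt everything").
SAMPLE_ALL_LUKS='vda disk
vda1 part crypto_LUKS
luks-root crypt ext4 /'

# Read lsblk rows from stdin; print one line per exposed partition.
# Exit status: 0 when nothing is exposed, 1 otherwise.
exposed_partitions() {
    exposed=0
    while read -r name type fstype mountpoint; do
        # Only raw partitions matter: "crypt" rows are the already-unlocked
        # mappers inside the guest, and "disk" rows carry no filesystem.
        [ "$type" = "part" ] || continue
        case "$fstype" in
            ""|crypto_LUKS)
                ;;   # no filesystem, or only a LUKS header: nothing to mount
            *)
                line="$name $fstype"
                if [ -n "$mountpoint" ]; then
                    line="$line ($mountpoint)"
                fi
                echo "$line"
                exposed=1
                ;;
        esac
    done
    return "$exposed"
}

# Run against the live system with --live, otherwise against the samples.
if [ "${1:-}" = "--live" ]; then
    lsblk -rno NAME,TYPE,FSTYPE,MOUNTPOINT | exposed_partitions \
        && echo "no plaintext partitions found"
else
    for s in "$SAMPLE_MIXED" "$SAMPLE_ALL_LUKS"; do
        if printf '%s\n' "$s" | exposed_partitions; then
            echo "no plaintext partitions found"
        fi
        echo "--"
    done
fi
```

On the mixed sample the check reports `vda1 ext4 (/boot)`: a LUKS root alone is not "everything", because an unencrypted /boot is still a plain filesystem that can be found and mounted from outside the guest. The fully encrypted sample produces no output and exits 0.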
