ADVISORY: SECOND LIFE SECURITY RISK

It has come to my attention that, as of late, malicious actors are using group chats and other channels to promote malware posing as Second Life (SL) viewers. These "viewers" claim to let you earn L$ by using them.

The reality is that the "viewer" is a trojan horse: a type of malware that disguises itself as a legitimate program, or as a program offering features you want. According to information on the viewer's operating procedure, its installation process has been modified so that, once it is running in a privileged (administrator) state, it executes at least four malicious packages:

  • CobaltStrike, a penetration testing tool (the kind white-hat, i.e. good, hackers use to test systems against known exploits), used here to find attack vectors for installing any of the three below:
  • Trojan/Molotov.Reflo, a Remote Access Trojan (RAT);
  • Quasar, another RAT; and
  • AsyncRAT, another RAT.

Remote administration tools have legitimate purposes; I, for one, use MobaXterm, which offers a plethora of tools for controlling my home server through various means. However, that is simply a client, not a server. RATs like these open backdoors for controlling a computer via protocols like RDP, SSH and others. Through them, attackers can worm their way into your system, download and steal files, execute code, and monitor you. By deploying multiple RATs, they make the malware harder to remove.

Everything on your computer is exposed once a RAT is deployed: your Discord session tokens, your browser cookies (data used to authenticate a browser) for Twitter, the credit card details stored in a password-protected vault, your personal documents and information. Usually the best solution is to format every drive in the computer and reinstall the OS, especially when time is precious and cutting off the attacker's ability to steal data is paramount: if you can't have it, no one can.

As for these so-called features, I'm going to mirror what Inara Pey said on her blog:

1. You cannot earn L$ by using a hacked client. In Second Life, your account's L$ balance is governed by the Linden Exchange server and the account database. You cannot conjure L$ out of thin air because you downloaded a client that claims to, and even if you could, it would require a brazen cyber attack on Linden Lab, something that would net the end users and creators of such software hefty fines and prison time under the United States Code, as well as several international treaties on cybercrime.

2. You can already fly above a certain altitude with viewers like Firestorm, and Linden Lab removed the 4096m height limit a long time ago, though building is disabled above those altitudes because of floating-point accuracy issues, which is a subject for another time.

And finally...

3. Building anywhere is not possible because, much like with L$, object control in Second Life is governed by the simulator and by the permissions system. Of course, one could do this purely client-side, but then no one would see the object but the end user who placed it there, which defeats half the point of this "feature".

There are people out there who, whether out of spite for our home, out of a desire to profit from your personal data, or out of pure unadulterated sadism, wish not just to deprive you of your avatar, but to bring chaos into your real life.

As an amateur sysadmin and computer expert, I implore my fellow residents to be vigilant and take the following steps, not just in SL, but everywhere:

  • Do not use the same password twice. If you need help remembering passwords, secure, encrypted password vaults like Bitwarden are more than sufficient; they let you generate strong, random passwords that, with current technology, would take years to brute-force.
  • When you do set a password yourself, make sure it is long and contains numbers, letters and special characters. Doing so increases the effort needed to brute-force it.
  • Do not download software from untrusted sources. Much like here, if it is too good to be true, chances are it is. If someone asks you, out of the blue and unprovoked, to try a new game they made or to click a link, it is likely a scam. The same goes for people claiming they reported your account and need you to click a link to resolve the issue.
  • No company will *ever* ask for your password, 2FA code or other personally identifying information, except when you first provide it as part of signing up or as part of activity you verifiably and officially requested. Linden Lab, Twitter, Discord and nearly every platform provider under the sun already have administration tools in their backend that let them view your account information.
  • Check the URL of a link if you're uncertain about its origin. Paste it into Notepad, and then run a Google search on the domain (e.g. https://www.secondlife.com; https://www.google.com) to learn more.
  • Set up auxiliary points of contact with trusted friends. This can be an alternate account, an email address or even a phone number. If you suspect a friend's account has been compromised, this point of contact helps you re-establish contact and verify whether or not they have lost control of their account.
  • USE TWO FACTOR AUTHENTICATION. I CANNOT STRESS THIS ENOUGH. IT ADDS AN ADDITIONAL BARRIER BETWEEN YOUR ACCOUNTS AND MALICIOUS ACTORS. USE IT.
  • Update your operating system and keep your anti-virus on. If you are using Windows, Windows Defender is more than sufficient to protect you, and it is built into the OS. Microsoft isn't a leading security firm with a NORAD-style command center for cybersecurity for no reason, folks.
  • If you use older computers for certain purposes, or are otherwise forced to use software that may be vulnerable, exercise the principle of least privilege: only use the device or software for what you need it for. Additionally, if you can, remove its access to the internet and do not grant it privileged access unless you absolutely have to.
  • Keep backups of your important information on USB drives, cloud storage or a secure NAS (Network Attached Storage) device. Keep a copy of your operating system of choice handy in case you are the victim of an attack and need to destroy your computer's data and restore from scratch or from a backup. Additionally, keep a copy of something like Hiren's Boot CD or other recovery tools handy. This lets you isolate your computer's OS and boot into a clean environment to run a virus scan, if you wish to try to preserve your data.
  • Finally, only download viewers for SL via this directory, or from the Second Life website.
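
Two of the bullets above, "check the URL of a link" and "use long, random passwords", can be turned into a small checker. The script below is an added example written for this post, not code from the original advisory or from any viewer project. The allow-list `TRUSTED_DOMAINS`, the `SAMPLE_LINKS`, and the guess rate used in `years_to_bruteforce` are constructed assumptions for the demo; none of the `evil.example` hosts is real.

```python
import math
import secrets
import string
from urllib.parse import urlsplit

# Constructed allow-list for the check (assumption: these are the two domains
# the reader wants to recognise; extend it with your own).
TRUSTED_DOMAINS = {"secondlife.com", "google.com"}

# Constructed sample links for the demo below; none of the hosts is real.
SAMPLE_LINKS = [
    "https://www.secondlife.com/my/account",          # genuine
    "secondlife.com/support",                         # genuine, scheme omitted
    "https://secondlife.com.evil.example/login",      # trusted name used as a subdomain of another site
    "https://www.secondlife.com@evil.example/login",  # trusted name hidden in the userinfo part
    "https://evil.example/secondlife.com/login",      # trusted name appears only in the path
]


def link_host(link: str) -> str:
    """Return the host a browser would actually connect to for this link.

    urlsplit() discards the parts that fool a quick glance: anything before
    an '@' (userinfo), the port, and the path. hostname is returned lower-cased.
    """
    if "://" not in link:
        link = "https://" + link  # bare 'example.com/path' style links
    return (urlsplit(link).hostname or "").rstrip(".")


def is_trusted_link(link: str) -> bool:
    """True only if the host is a trusted domain or a subdomain of one.

    The '.' boundary matters: 'secondlife.com.evil.example' contains a
    trusted name but is not under secondlife.com, so it is rejected.
    """
    host = link_host(link)
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


# 52 letters + 10 digits + 32 punctuation characters = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Random password from the OS CSPRNG, retried until every class appears."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy in a uniformly random string of the given length."""
    return length * math.log2(alphabet_size)


def years_to_bruteforce(bits: float, guesses_per_second: float = 1e11) -> float:
    """Expected years to search half the keyspace at the given guess rate.

    1e11 guesses/s is a constructed figure for a strong offline cracking rig
    against a fast hash; adjust it to your own threat model.
    """
    seconds = (2 ** bits) / 2 / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict = "trusted" if is_trusted_link(link) else "NOT trusted"
        print(f"{verdict:12} {link_host(link):30} <- {link}")
    pw = generate_password(20)
    bits = entropy_bits(len(pw))
    print(f"\nexample password: {pw}")
    print(f"{bits:.1f} bits of entropy, about {years_to_bruteforce(bits):.2e} years "
          "to brute-force at 1e11 guesses/s")
```

The host check deliberately uses the URL parser rather than a substring search, because the three deceptive links all contain the string "secondlife.com" and only the parser tells you where the browser will really go. It does not handle Unicode look-alike domains (homographs); for those, compare the IDNA-encoded form of the host instead.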

And some advice on how to handle an attack:

  • If you have been attacked, don't panic. Disconnect your device or network from the internet immediately; this prevents further damage by an active attacker. Additionally, turn off the system that was the initial vector for the attack. If the time between the attack and your detecting it is short enough, the virus(es) may not have fully propagated across your network.
  • Take stock of the devices on your network and whether they may be compromised. If they run the same OS as the attacked device, assume all devices on the network using that same OS (or OS family, i.e. Windows, Mac, Linux, Android, iOS) are compromised.
  • Turn off your router, or unplug the Ethernet cable running from the demarcation point (usually a modem, ONT or other device that connects your home network to your ISP) to your router; it is usually plugged into the router's WAN port, if you don't already know which cable it is.
  • Once you have been attacked, make attempts to contact financial institutions, trusted friends and other parties of interest. If you have an SL Premium account, contact Linden Lab Customer Support and request that they lock your account if you believe it is at risk or may have been compromised.
  • Use repair and recovery tools like Hiren's Boot CD to run a virus check on all affected devices, or take the devices to a computer technician to be disinfected.
  • Once all devices assumed to be infected have been cleaned or wiped, reconnect to the internet. Do a BDA (Battle Damage Assessment): figure out which of your accounts are compromised. Was your password vault compromised? Did they get any personally identifying information from you?
  • Once this is done, reset *ALL* passwords for every platform and service you use. Make contact with the parties of interest you reached earlier and inform them of the situation.

I implore my fellow residents to be vigilant, to be prepared, and to be safe. The Internet is both bountiful and dangerous, so be careful out there.
