Downloaded Fedora 40 this morning - got a REvil/Sodinokibi alert in Suricata

Hi everyone,

After a few unsuccessful attempts (maybe caused by my LAN config), I have downloaded Fedora 40 with Gnome Software today and upgraded from Fedora 39 (restart & upgrade).

However, checking my Suricata logs tonight, I noticed an alert about a DNS query potentially linked to the Revil Ransomware.

I would have kept that as my own problem, but it seems that the alert occurred precisely during the download of Fedora 40.

I can’t establish by myself if that’s a false positive or if there could be an actual issue with a Fedora mirror (in this case, it could be a mirror in France), so what’s the proper way to address this type of event please?

Earlier today, I tried to send an email to security@fedoraproject.org but my email has been automatically rejected.

Many thanks,

Alex

The proper way to address this is verifying the isos checksum making sure it hasn’t been altered.

—> click on check mark symbol for instructions.


Hi @augenauf, many thanks for the response.

Actually, just to clarify my message: it was not a fresh install of Fedora 40 but an upgrade from Fedora 39. I downloaded it using Gnome Software (nb: just edited my post to clarify it).

It means that Fedora was downloaded - if I understand properly - from a mirror, and this is where my concern comes from with regards to this alert.

Each package that you download is signed with a gpg key and checked before install. I consider the likelihood that you download an altered package from a fedora mirror to be very very small.

Fedora keeps you safe | The Fedora Project, see “Package signing keys”.


Remember correlation is not causation.

Do you have the IP address of the system that did the DNS lookup?
Do you have details of the process on that system that did the lookup?

Hi again @augenauf, yes I know the Fedora packages are signed, indeed, but software SCM issues may happen - eg at a specific mirror - hence my post. But of course, I hope everything is fine.

Hi @barryascott, many thanks for your message. “Correlation is not causation”, we are fully in sync.

Do you have the IP address of the system that did the DNS lookup?

Yes, the IP address of the system that did the lookup is known, as this is the system where Fedora 40 was downloaded. It is a private IP address starting with 192.168.xxx.xxx.

Do you have details of the process on that system that did the lookup?

This kind of information doesn’t seem to be present in a Suricata event. Can you please specify what level of detail you would find useful in the present case and also suggest how to get that information?

Btw, there is no sign of that URL (pointing to a website with a past history linked to the Revil ransomware) in the browsing history.

Many thanks

You would find knowing what program was running, for example, to be valuable.

This would have to be captured while the issue was happening.

@barryascott thanks for your inputs.

Well, what are the options then in such a case, please?

What is the DNS query? If it is a legit Fedora mirror, it might be just a false positive.

This is not a Fedora specific issue.

Is this an enterprise system or a home system?
If you have paid support for Suricata then ask them.

What are your security policies when things like this happen?
Do you wipe any system that your security tools point a finger at?
Do you run scanning software to check for malware?
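The questions above (what was the DNS query, and what the host was doing at the time) can be answered from Suricata's own EVE log. As an added illustration, not code from any poster in this thread or from the Suricata project, the script below parses newline-delimited eve.json records, joins each alert with the DNS query/answer records of the same flow via `flow_id`, lists what else the same source host resolved within a short window, and gives a first triage verdict. The log lines are constructed for the example (TEST-NET addresses, a placeholder signature and domain); the exact layout of DNS metadata inside an alert record is an assumption and the code also works when that metadata is absent.

```python
import json
from datetime import datetime, timedelta

# Constructed sample eve.json content (NOT the poster's logs). Suricata writes one JSON
# object per line; "flow_id" ties together the DNS query, its answer and any alert
# raised on that flow. The alert's embedded "dns" metadata layout is an assumption.
SAMPLE_EVE = """\
{"timestamp":"2024-04-23T10:12:01.000000+0200","flow_id":1111,"event_type":"dns","src_ip":"192.168.1.20","dest_ip":"192.168.1.1","proto":"UDP","dns":{"type":"query","id":42,"rrname":"download.fedoraproject.org","rrtype":"A"}}
{"timestamp":"2024-04-23T10:12:01.010000+0200","flow_id":1111,"event_type":"dns","src_ip":"192.168.1.1","dest_ip":"192.168.1.20","proto":"UDP","dns":{"type":"answer","id":42,"rrname":"download.fedoraproject.org","rcode":"NOERROR","answers":[{"rrname":"download.fedoraproject.org","rrtype":"A","rdata":"203.0.113.10"}]}}
{"timestamp":"2024-04-23T10:12:05.000000+0200","flow_id":2222,"event_type":"dns","src_ip":"192.168.1.20","dest_ip":"192.168.1.1","proto":"UDP","dns":{"type":"query","id":43,"rrname":"example-flagged.test","rrtype":"A"}}
{"timestamp":"2024-04-23T10:12:05.000000+0200","flow_id":2222,"event_type":"alert","src_ip":"192.168.1.20","dest_ip":"192.168.1.1","proto":"UDP","alert":{"signature":"ET MALWARE Placeholder DNS Query (constructed)","signature_id":9999999,"category":"A Network Trojan was detected","severity":1},"dns":{"query":[{"type":"query","id":43,"rrname":"example-flagged.test","rrtype":"A"}]}}
{"timestamp":"2024-04-23T10:12:05.020000+0200","flow_id":2222,"event_type":"dns","src_ip":"192.168.1.1","dest_ip":"192.168.1.20","proto":"UDP","dns":{"type":"answer","id":43,"rrname":"example-flagged.test","rcode":"NOERROR","answers":[{"rrname":"example-flagged.test","rrtype":"A","rdata":"198.51.100.7"}]}}
"""

# Domains you consider benign distribution infrastructure (assumption: extend with your mirror list).
KNOWN_MIRROR_SUFFIXES = ("fedoraproject.org",)


def parse_eve(text):
    """Parse newline-delimited EVE JSON, skipping blank or truncated lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a half-written last line is normal on a live log
    return records


def _ts(rec):
    # Suricata timestamps look like 2024-04-23T10:12:05.000000+0200
    return datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")


def dns_names(rec):
    """Collect rrnames from a dns query/answer record or from an alert's dns metadata."""
    dns = rec.get("dns", {})
    names = set()
    if dns.get("rrname"):
        names.add(dns["rrname"])
    for q in dns.get("query", []):  # alert records may embed the query list
        if q.get("rrname"):
            names.add(q["rrname"])
    for a in dns.get("answers", []):
        if a.get("rrname"):
            names.add(a["rrname"])
    return names


def answer_ips(rec):
    """A/AAAA addresses returned in a dns answer record."""
    return {a["rdata"] for a in rec.get("dns", {}).get("answers", [])
            if a.get("rrtype") in ("A", "AAAA") and a.get("rdata")}


def correlate_alerts(records, window=timedelta(seconds=30)):
    """One summary per alert: the names/addresses of its flow plus what else the same
    source host resolved within +/- window (the context a triage needs)."""
    summaries = []
    for rec in records:
        if rec.get("event_type") != "alert":
            continue
        names, ips = dns_names(rec), set()
        for r in records:
            if r.get("event_type") == "dns" and r.get("flow_id") == rec.get("flow_id"):
                names |= dns_names(r)
                ips |= answer_ips(r)
        t0, nearby = _ts(rec), set()
        for r in records:
            if (r.get("event_type") == "dns" and r.get("src_ip") == rec.get("src_ip")
                    and r.get("flow_id") != rec.get("flow_id")
                    and abs(_ts(r) - t0) <= window):
                nearby |= dns_names(r)
        summaries.append({
            "timestamp": rec["timestamp"],
            "src_ip": rec.get("src_ip"),
            "signature": rec["alert"]["signature"],
            "sid": rec["alert"].get("signature_id"),
            "queried": sorted(names),
            "resolved_to": sorted(ips),
            "nearby_queries": sorted(nearby),
        })
    return summaries


def triage(summary, known_suffixes=KNOWN_MIRROR_SUFFIXES):
    """A lookup of a known distribution domain is a likely false positive; anything else
    needs host-side attribution (which process asked), which the network log cannot give."""
    queried = summary.get("queried", [])
    if queried and all(any(n == s or n.endswith("." + s) for s in known_suffixes) for n in queried):
        return "likely-benign: known distribution domain"
    return "investigate-host: identify the process that issued the lookup"


if __name__ == "__main__":
    for s in correlate_alerts(parse_eve(SAMPLE_EVE)):
        print(json.dumps(s, indent=2), "->", triage(s))
```

Against the constructed log, the alert on flow 2222 is attributed to 192.168.1.20, the queried name and the address it resolved to are listed, and the nearby query for download.fedoraproject.org shows the host was fetching from Fedora infrastructure at the same time, which is exactly the "correlation, not causation" picture discussed above; the verdict still says to identify the process, because the EVE record has no process field. On a real box, point `parse_eve` at the contents of /var/log/suricata/eve.json.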

Hi everyone, thanks for your inputs.

Basically, my post is about sharing with Fedora a potential alert that happened at the same time as I was downloading F40 from, most likely, the French mirror (or one of them).

The Suricata rule, from a specific ruleset, stems from the fact that a number of domains were marked in the REvil config file as CNC. This is outlined in the below article which further explains that it doesn’t mean the websites were all compromised, but some could have been used:

As this DNS query occurred without any known browsing activity, I can’t make the call myself that it’s a false positive.

Thus I have shared the topic here to have it assessed, especially so that, if there actually was an issue with the F40 download, other users who do not have an IDS/IPS set up are not caught off guard. We all know that’s not likely and I hope that’s not the case, but again, I shared this post so that Fedora experts may advise or make the call.

Please let me know if there is anything else I can do here.

Kind regards.