⚠️ WARNING: Sabrent's Official Website Had Malicious Fake Firmware
HTML-код
- Опубликовано: 19 июн 2024
- I'm sure it will get taken care of quickly now, but it might be too late for all the people who downloaded it already 🙁
⇒ Become a channel member for special emojis, early videos, and more! Check it out here: ruclips.net/user/ThioJoejoin
If anyone wants to research the malware, I've added the sample to MalwareBazaar, it can be found with the hash: 3cfbdc299777aa885bd92fbf8098a86abf91db9d401cab601004ccb89bb8e8ee
▼ Time Stamps: ▼
0:00 - Intro
0:51 - The Specific Malicious Downloads
1:12 - How Do You Know?
2:32 - Not The Only One
3:39 - Inside The Rar Archive
6:27 - Is There More?
7:53 - The Word Doc File
9:57 - How Did This Happen?
▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬
• My Gear & Equipment ⇨ kit.co/ThioJoe
• Merch ⇨ teespring.com/stores/thiojoe
• My Desktop Wallpapers ⇨ thiojoe.art/
⇨ / thiojoe
⇨ / thiojoe
⇨ / thiojoetv
▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬ Наука
Update: As anticipated, Sabrent removed the files (apparently within minutes of the video going up). They posted an update in the reddit thread here (comment directly linked): www.reddit.com/r/SomeOrdinaryGmrs/comments/1c3uvop/sabrent_hosting_malware/kzkwcm3/
It could be a supply chain attack where the one of the suppliers of the USB chip software got compromised who then passed on the bad firmware update to the hub manufacturer and so on. Though that would still leave the question why the filename on the download page was different from the one actually downloaded. In any case it's a shame and surprise the malware took so long to be fully recognized for what it is. Hopefully we'll see some updates in the future after Sabrent figures out what happened. And hopefully, if indeed any other companies sourcing updates from the same supplier have been affected, it gets discovered quickly.
strange how companies do not really get anything done till it goes up as news on youtube with users having >1M subs inspite of being aware of it
Just insane how a big company like sebrent after the first malicious file which they responded to didn't then look into more of there files it's a very big concern to have a Trojan in your firmware updates
I worked for many companies as a software engineer, any kind of uploads/downloads are always being scanned with anti varus modules, this is pure incompetence and a sign of lack of security mindset at the company.
we all love running CCP malware from and official firmware update website :\D
@@MetsLand In the post, it mentions that they did respond and that it was a possible supply chain attack. They couldn't have known unless they personally ran them, in which even HP doesn't. But yes, a major security issue.
Extra scary whenever you can download from official sites and still get malware
Beware of sites like CNET too.
@@sr2291, oh yeah, they always sketch me out. I'm usually worried about hidden bundleware or adware with those kinds of sites.
Supply Chain Attacks are where threat actors have started to pivot. The recent one for the compression libraries in Linux is another example.
if you use GNU/Linux-libre then this attack can't happen to you due to the lack of closed source firmware. yes someone called Jia Tan did TRY to hack the planet in a way that bypassed that but because of the overwhelming power of open source software, he was immediately caught and stopped
I'm scared, please hold my hand!
The fact they did not investigate all their download files speaks volumes about the integrity and/or intelligence of the techs at Sabrent. They should have taken the website offline until cleaned and protected.
Exactly! I suspect that it was someone at Sabrent who got the legit files and attached a RAT. Either that or some CCP spy. Either way, I will be avoiding Sabrent like the plague.
my guess is that they have a ton of disorganized overseas employees and one of their employees is misbehaving but they cant figure out who yet
Yea that’s pretty concerning considering there’s only about 250 downloads listed and half of them are just user manuals. Wouldn’t have been hard to look through all the installers
@@ThioJoe Unfortunately, this isn't the first time an official site has had this issue. A while back, there was a Minecraft mod site having similar problems
It's not just the time or effort, they should feel responsible enough to cut the site until they figure out where the malware files came from.
Sabrent is now saying that a cloud backup "accidentally' placed the malware back on their server. Either these guys are totally incompetent or extremely careless. This is not a good look for a tech company.
I vote for incompetent
I think the cloud backup restoring them is actually likely. I found the reddit post and they updated it, they said it is a supply chain attack and could affect other manufacturers.
@@HexcedeI don't know if I can believe that "it was a supply chain attack", that would mean Sabrent got infected firmware from a 3rd party and simply put it on their site, they did no testing of said firmware, and Sabrent also would have had no antivirus or security software running to detect it if it was ever opened, and on top of that the filename of the download is wrong.
Seems like a deflection to me... It has to be internal, or they are claiming some heavy duty incompetence at many levels!
looks very intentional to me, esp. given after they acknowledged the issue, still didn't remove or even check for all of the infected files on their "official" website - better stay away from such companies, miles away
Both incompetent and careless.
Having a virus on a commercial download page is sloppy, but it can happen. Failing to take action and needing to be prompted is inexcusably shameful. Having the virus propagate through their corporate system and appear in other downloads and Sabrent NOT being aware let alone catching it is incompetence and negligence. This is one of the ways you can identify a low quality company.
some hardware companies are completely clueless about security, TCP/IP networking and software in general outside of their own niche drivers and firmware. this should be a wake up call for them to hire more security researchers
It's a pity as they had some good products
To me the worst part was their support telling someone it was a false positive, despite clearly having no idea
Just checked and it's still up and decided to do some analysis in a VM. It starts off installing itself into the program data folder and sets itself to run on startup. That WOULD be pretty easy to remove, but, the scary part is, is that appends itself onto lots of random exes in the system and user directories! Luckily, it's easy to spot because the metadata of the infected programs is also replaced. But wow, I haven't seen a virus infect other exes for a while, I think it's most common nowadays to just take the user data and run at startup without touching other things.
wow that reminds me of those MS DOS viruses in the 90s and stuff lol
Sheesh
Lol nice
classic trojan... that it weird that someone would use such an easily detected/removable piece of trash like this in 2024... but do we know what it does?? is it a key logger and sending it back to base?? did you check to see if it opened any network connections?
if i had not watched the video i would have guessed someone at sabrent got infected and it spreadits way into the file.
Sabrent are dodgy. The warranty registration form I filled in a couple of years back required an invoice be uploaded as proof of purchase. I received an email confirmation with an unauthenticated public link to the uploaded invoice from a non-Sabrent tenant, and when i asked Sabrent to remove the public file stored in an S3 bucket they claimed they had no control of it and didn't know how it got there.
Their products aren't terrible, but the company is a shambles.
Someone at the company got pwned or this is a deliberate action by someone at the company. Either way Sabrent needs to assume everything is suspect until independently checked. This isn't a false positive.
It would also be possible that there is rouge employee doing this on their own, though that is not very common
@@Octahedran Maybe the same person that's supposed to prevent this is the one doing it. That's why they refused to do anything after the community manager raised the alert.
Perhaps China wants to spy on us thru a US proxy.
@@Octahedran I like when typos add a little bit of levity to a serious matter. Yours does exactly that. A 'rouge' employee versus a rogue employee. The employee was probably a little red in the face for some reason and decided to go rogue. Again, I am not trying to be the spelling police.
Thanks for getting the word out on this. Sabrent replied to my Reddit message right after this video went up. It appears to be removed.
For those asking about why a HUB would need a firmware update. My friend (the author of the email) could not use a thumb drive plugged into the HUB. He was getting a not enough power warning. This was something I saw people running into in the amazon reviews and stating that there was updated firmware to fix it. So, the HUB was basically unusable with a storage device from the factory.....the fix for that issue contained a RAT from the same factory it seems.
Thank you for this confirmation and warning! A couple weeks ago I was in a back-and-forth email argument with Sabrent US Support. Long story short, I just ended up returning the products and went with another brand. The references to "false-positives" were constantly mentioned. Buh-bye Sabrent.
This is exactly why MD5 hashes are listed on websites besides the files and why people should be double checking and verifying things like this. HOWEVER....:
- If an attacker can fake the file, can't they fake the hash?
uhhh no
Only if they also control the website
That's why I always scan the executables on VT no matters where I download them.
Also, be careful with people telling you "It's just a false positive", if VT is detecting your file as malware on 50 different antivirus engines, maybe it's not a false positive...
What's VT? I have legit nver heard of it.
@@dragon1130 Virus Total
@@dragon1130 virustotal
@@dragon1130 virus total. It's a website.
@@dragon1130VirusTotal
8:14 I translated using DeepL and this is what I got: FW Burning Procedure
Double-click on the mouse to open 1, 2, 3; and
Second, mouse click 4;
No. 5 as shown in the figure to choose;
No. 6 mouse click the arrow pointed [...] respectively
No. 7 according to the figure prompted to select the BIN file.
The 8th mouse click can be.
I can read Chinese, the translation is largely accurate.
So is the maleware taking control of your mouse to do somehting?
@@dragon1130 No its just insturctions
@@dragon1130 These are legitimate instructions on how to flash the firmware. The person who created those instructions is probably not the one who created the malware.
Sabrent's download site runs on WordPress - my guess is that someone isn't maintaining that instance and messed up real bad.
Edit: Incidentally, Elementor had a major security issue at the start of the year (8th of Dec), where you could upload malicious files etc. from the HTML source code, this downloads site is indeed using Elementor, and they're a little bit behind on their updates.
Just got that exact usb hub and was about to download firmware and I saw this, you’re a LIFESAVER!!! W as always :)
What benefit does the new firmware provide? Does it hub better?
@@Fladelerium No idea but it works fine so I won't update it unless it stops working
8:14 Install Google translate on your phone, point your phone’s camera at the monitor (can also be used to read foreign characters on other mobile devices e.g. tablets). Zoom in on the text on the source device if the translation doesn’t quickly appear. Move your phone physically in/out left/right, up/down if the translation doesn’t make sense as it might not have picked up smaller parts of some characters. Generally pretty accurate to get the intent behind what was written.
Paraphrasing, this says FW burning instructions. Bottom says to click steps 1, 2, 3.
@ThioJoe
The Chinese text says the following.
114A Programming Tools and Bits
In the file structure going from top to bottom, it says Folder, Configuration Settings, App, Application Extension, Application Extension, Application Extension.
Hope that helps. or at the least shines a light. Thanks for this video. Good job 😋👍
Oh yes, the joys of outsourcing production to China and then third party Chinese factories and then doing perfunctory safety checks and not even using standard safety tools that someone who took CompTIA security plus could do. And then they did absolutely no internal checks for a month? Smh
as a consumer owning multiple sabrent products... the sheer fact that this wasnt addressed months ago as evident by the posts shown in the video is deeply concerning. its been months.. months by the timestamp shown on that tomshardware post and because videos are being made about it either that or the reddict account took wind of this video are in full dmg control. meanwhile there is no news story about this let alone any worrying traction.
reputation has essentially went down the gutter
They finally took action (not too long ago) and took (I assume) all of the infected files down. Over half a year later they finally did something. Very telling.
I actually got a Sabrent product from Amazon and I didn't know that there's malware in the firmware files. I am hoping that Sabrent does take down those files and investigate how those files ended up on their website.
My first thought was that the Sabrent "support" web page was also hacked and the contact number was changed. Bold ? Yes.
Sabrent doing what all commercials seem to do when informed of "bad files" they go straight into head-in-sand mode.
Now that's dedication, Thanks man! ❤
So Saberent has known for a few weeks but still had not removed the files speaks volumes.
Basically Saberent is saying don’t buy our products !!!!
Time to get rid of my Saberent products
thats a bit drastic..
@@IceWolf1102 not really. they have very clearly shown that they are not trustworthy
*This is REALLY disappointing. : ( The fact that the site/URLs was (& still is?) accessible for several hours doesn't look good at all in re: to Sabrent's business practice priorities.*
*_Going forward, I will definitely now think twice about buying anything from Sabrent. BTW, I own a handful of their products. Thanks for the heads up, Joe! 👍🏼_*
Very interesting.. Thanks for sharing.. Similar to the Solarwinds issue where hackers injected malicious software alongside legitimate software on companies official download site. Even if you follow all the best advice you may still get caught out !
Thanks for helping us out and keeping us informed! You may have saved a lot of people
8:47 those chinese looks like instructions for a "114a burning tool" (burning as in burning a disk in the CD era, similar to how you could make a usb stick to install windows these days) for buring FW(which i assume is the short for firmware). this could be something they forgot to remove, not inherently malicious, but could be used to do malicious things, or do it unknowingly, if they got malicious files handed over to them by someone else, which could also be the case since leaving it in is pretty incompetent -- sorry i couldnt provide more since i had no idea there are even fgirmwares for usb hubs before watching this video
It is about burning firmware. Even if these use flash memory these days and not actual EEPROMs, the term is still being used. It looks like legit instructions from whoever made the underlying hardware and supplied to the vendor of the USB hub, but most likely it should not have shipped with the firmware update as-is.
Thank you for this, ThioJoe.
Fire the entire update team from sabrent
Surprisingly, it turns out that's probably the most dangerous course of action to take in this circumstance.
Let's say this whole thing ends up costing them 5 million in revenue. That's a very costly lesson, but the lesson is learned, and the person who made the mistake will be on the lookout for this sort of attack for the rest of his career, and be the biggest advocate for security.
If you keep him, you just spent 5 million training your security analyst.
If you fire him, you just spent 5 million training your competitor's security analyst.
Also, the whole team? Regardless of who made a mistake? The Geneva Convention doesn't really apply to corporations, but I'll go out on a limb and say a company probably shouldn't do things that the Geneva Convention classifies as war crimes.
@@OhhCrapGuy No.
the one who didn't order to make sure all files are what they were was the boss
if he is not fired for this he has no reason to change anything and the thing will repeat
Oh he can punish someone whos responsibilities didn't include checking for security.
I cannot, they don't work for me.
Gigaredflag should be in the dictionary 😉
Thanks for this excellent analysis
Thank you man ❤❤
Thx for the info and video!
I also noticed a month or so ago... Sabrent's SSC (Sector Size Converter) also gets flagged as malware
Thanks Theo for helping us out. This day in age we need all the friends we can get.
Thank you for covering this!
The FW text has been covered, and most of the instructions are just double click here, select this. What is the program itself, though?
I work for an msp and several of our clients use these hubs thank you so much for this video i have work to do now wiping there machines as a just in case along with any usb sticks they may be using
Definitely serious and a corporate website needs to be alerted to clean their website immediately!!
Thanks for informing us of this✔️👍✔️
Would love to see John Hammond pick it apart to see what it's doing under the hood.
Great video!! Also very scary and unsettling...
Guess the company has been hacked. How else do you change out the official firmware update.
Could be an inside job, or some sort of social engineering attack.
Supply chain attack. If they aren't the ones that write the firmware for their devices, then the Chinese company that did provided infected firmware. They trusted it at face value (foolish) and uploaded it to their website. That's the most likely reason, but we'll likely never know the details.
I don't know if I should be glad or upset that my habit of scanning every single file multiple times is justified.
Both. Both is good.
What do you use to scan
I want to personally thank you for this.. I almost went ahead and installed the HB-PUB-7 Driver on my pc
You don't need a driver for a hub. Windows all the way back to XP already has built-in drivers.
Make sure to comment so you can get this video out.
Gee .. I wonder where the manufacturer is located that created these infected files & promised Sabrent they were safe? I can't imagine ..
Yep, as soon as I saw that they had offices in China, it all made sense.
Thanks for getting the word out.
I'm wondering if other hub, USB, external type devices could also be compromised. I've had a 2-slot Rocket Stor hub 'toaster' for years. Never updated the firmware, or even thought too. Scary stuff.
Windows does have the capacity to download driver updates automatically now, right? What's the chance that this is affected by that, too? If they're allowing unsigned binaries to be delivered through Windows Update, that's even more cause for concern.
Microsoft requires drivers to be signed and firmware aint the same thing anyway
Firmware is in device and driver is within windows
@@commanderoof4578 Ah, right, good point. That completely flew past me
@@commanderoof4578 Firmware gets stored on memory within hardware. Like little flash memory chips embedded in PCBs. Drivers will get stored on your ssd or hard drive permanently.
microsoft has already been infected, so the chance is essentially 100%.
@@commanderoof4578/ Some OEM laptops deliver firmware updates via Windows Update server, so yeah it can happen. Although, I doubt it does for peripheral firmwares.
You're a scholar and a gentleman, sir.
Messing your upload schedule for malware is a W 🎉
Well i kinda messed up my upload schedule myself for the past several weeks anyway 💀
@@ThioJoe real💀, btw I love your content I am inspired by your work and am aiming to become a future software engineer
Why don't they have antivirus software on their servers checking for malware and viruses. Should have all files taken down and renew all files after scanning all of the server.
This is a textbook example of a supply-chain attack. Reminds me of Solarwinds and 3CX.
It never ceases to amaze me how malware can infect your computer or smartphone in so many different, appalling ways. By the way, happy belated 0x20-th birthday
I was surprised when I saw the product because I have that exact 7-port hub. This made me curious as to what the firmware update was all about since I've had no issues with it.
Supply chain attacks are really scary!
you're good brother, I appreciate your work
At this point I'd hold responsible the persons that said the downloads were safe. That should teach'em to investigate before commenting.
Yikes, perhaps someone has breached their server?
Yes, it does feel like a website infection, where you are redirected to a malicious rar file, instead of the original driver upload.
I wonder does this affect the firmware that is updated (does it infect the device) or only the os and machine you're using to apply the firmware update?
I had a simular issue with other websites. I cant remeber what was downloading but my av caught it!
Thanks for the warning!
Why do we need a firmware update for an USB hub in the first place?
I remember once a couple of years ago, I downloaded a BIOS update for my old Acer laptop from the Acer website that showed up as malware on my computer. I don't know what happened there
Ya DarkComet lets you bind the original file to the RAT. Thats why you will see the config. modified you technically don’t need it but they did modify that one also to assist in the infection.
i think i might be just dumb but, why does a USB Hub need firmware updates?
Well, it doesn't. But, apparently the company fixes minor bugs, functionality, & performance. In theory anyways. I never personally felt a need to update my hub firmware & honestly I'm finding it more surprising that people do this than I am about the supply chain attack.
I wasn’t thinking there might be drivers for my drive docking/enclosure. I dont have any from Sabrent.
well there goes my plans for the weekend
I started using my laptop for gaming and shopping only because I'm scared of getting viruses and breaking my laptop so I don't download much stuff other than games and drawing programs
supply chains attacks aren't anything new, it's been a thing for quite a long time now. The only difference is, that supply chain attacks have become significantly more scalable compared to 10 years ago.
Considering, a very important linux "part" was literally hijacked via social engineering and installed malware into it, and the only saving grace was the MS employee checking SSH lag time. The shadow war is intensifying.
10:50 and Linux requires your drivers to be signed too IF you have secure boot enabled. but if you're able to disable secure boot in your motherboard settings, then it's no longer required for drivers to be signed on Linux. so i guess the same thing applies to Linux as Windows since enabling unsigned drivers is a similar low level setting in Windows
So now even we have to guard against official website..
this is something horrible..now..
It is like not everything is safe at all!
Yeah it’s pretty clear that someone got into the OEM manufacturer’s developer computer and set up a self propagating Trojan. They didn’t do any scanning, and the rebranding seller didn’t bother checking the files. I’d bet without a doubt the problem will be present on all files provided by that particular OEM.
What would be more scary is if this were deliberate. But chances are the OEM downloaded an infected cracked program to burn the Firmware ROM files, knew nothing of the fact that it was infected (if they were using Linux to package it, files beginning with a period are hidden) and just sent it out that way. They likely only ever needed to tweak the config file and change the bin files, they likely never even checked the executable itself. Just changed out the instructions in config . ini and switched the bin files, and copy pasted the rest. Stolen code is pretty common on cheaper Chinese OEMs, and a lot of Chinese companies run Linux.
Thanks 😊
You dont update the drives that way anyway
Use the sabrent control panel
I've got into the habit of checking the signatures on downloads these days.
But why do you update firmware for a USB Hub? I always thought those were mostly passive stuff with generic drivers. Also "Deatil Levle" on that config.ini file is suspicious but maybe generic typo too.
I just have a single question: why would a USB hub need a driver update?
their website probably got some vulnerability that let's others hijack the upload file page or the download page itself
Scrumptious. Smells like they outsourced to a hacker to me. Or the coder was hacked and replaced files. I wonder if we'll ever know?
This is the advantage of having your drivers baked into the kernel like Linux, you don't have to go out on the internet and find stuff that could be compromised to install each time.
the good old "watering hole" attack. don't their security teams checking the download file checksum once a day? 🙃
My theory would be that Saberent got hacked (either a computer that can help put up drivers or the site itself) a few files were replaced, but not all so that it takes more effort to look into. That would also explain why Saberent is only learning about the files from users.
A another day of malware
What Software do you use for virtualising for testing potentially malicious code? I tend to use windows sandbox. What is the safest in your opinion?
Never download the latest update in first 5 days of its release be it from Nvidia, Apple or Microsoft or Google or any xyz company except the antivirus updates (which you have no control though).
These companies OS / App / plugin updates were historically always unstable, rushed to release (to impress their shareholders) and damaged integrated hardware. Yes I am saying this since I owned Windows-95 or iOS 5 and even today I stick to my rule and avoided these costly mistakes. And I work in tech and unfortunately a part of the rush update pusher as well ☹️
I will be surprised if sabrent wont make any significant changes on how they manage their websites. Very dangerous.
"Get ready for some lawsuits" Says the person that probably is too scared of actually contacting anyone about it
8:41
In the folder window it says.
level 2 select this BIN file
level 0 and level 1 select this BIN file.
On the far right of the files listed in the folder window it says BIN statement and BIN Station.
2 Mouse Click 4
Select No 5 as shown;
The 6th mouse clicks on the [...] pointed by the arrow respectively.
DIN file 7
In the paths is says Programming Tools and Bits.
The chinese text "FW ([][][][])" = FW (steps to burn)
What purpose would updating the firmware serve? What signs would I see that requires a firmware update for a USB hub?
WHY did they not pull the download WHILE they investigated? If it was a false positive, they simply reinstate the Download page.
Can't wait for bios malware update
Something like this happened years ago with Nox Emulator... Old times are back I guess...
Interesting item about the factory (Realtek?) saying it was safe and the file still appearing after it was removed by support...seems like Sabrent is letting their factories upload files directly without validation?
I just got there hdd to usb device yesterday. Oh well. At least I didn't install any drivers, and used it on a Linux computer.
I've had multiple Sabrent devices and never once downloaded software or firmware for them. This is part of the reason why.
If it works without installing the manufacturer's driver, that's good enough for me. No need for extra software that can contain malware, including the spying crap companies love to include these days.
...I've been downloading their firmware for the NVME enclosures
Am I at risk now?
So we need antivirus software? Is Windows defender enough? Could it prevent this attack if I downloaded malware from Sabrent?