⚠️ WARNING: Sabrent's Official Website Has Malicious Fake Firmware (DO NOT DOWNLOAD)
Vložit
- čas přidán 22. 05. 2024
- I'm sure it will get taken care of quickly now, but it might be too late for all the people who downloaded it already 🙁
⇒ Become a channel member for special emojis, early videos, and more! Check it out here: czcams.com/users/ThioJoejoin
If anyone wants to research the malware, I've added the sample to MalwareBazaar, it can be found with the hash: 3cfbdc299777aa885bd92fbf8098a86abf91db9d401cab601004ccb89bb8e8ee
▼ Time Stamps: ▼
0:00 - Intro
0:51 - The Specific Malicious Downloads
1:12 - How Do You Know?
2:32 - Not The Only One
3:39 - Inside The Rar Archive
6:27 - Is There More?
7:53 - The Word Doc File
9:57 - How Did This Happen?
▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬
• My Gear & Equipment ⇨ kit.co/ThioJoe
• Merch ⇨ teespring.com/stores/thiojoe
• My Desktop Wallpapers ⇨ thiojoe.art/
⇨ / thiojoe
⇨ / thiojoe
⇨ / thiojoetv
▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬ - Věda a technologie
Update: As anticipated, Sabrent removed the files (apparently within minutes of the video going up). They posted an update in the reddit thread here (comment directly linked): www.reddit.com/r/SomeOrdinaryGmrs/comments/1c3uvop/sabrent_hosting_malware/kzkwcm3/
It could be a supply chain attack where the one of the suppliers of the USB chip software got compromised who then passed on the bad firmware update to the hub manufacturer and so on. Though that would still leave the question why the filename on the download page was different from the one actually downloaded. In any case it's a shame and surprise the malware took so long to be fully recognized for what it is. Hopefully we'll see some updates in the future after Sabrent figures out what happened. And hopefully, if indeed any other companies sourcing updates from the same supplier have been affected, it gets discovered quickly.
strange how companies do not really get anything done till it goes up as news on youtube with users having >1M subs inspite of being aware of it
Just insane how a big company like sebrent after the first malicious file which they responded to didn't then look into more of there files it's a very big concern to have a Trojan in your firmware updates
I worked for many companies as a software engineer, any kind of uploads/downloads are always being scanned with anti varus modules, this is pure incompetence and a sign of lack of security mindset at the company.
we all love running CCP malware from and official firmware update website :\D
@@MetsLand In the post, it mentions that they did respond and that it was a possible supply chain attack. They couldn't have known unless they personally ran them, in which even HP doesn't. But yes, a major security issue.
Extra scary whenever you can download from official sites and still get malware
Beware of sites like CNET too.
@@sr2291, oh yeah, they always sketch me out. I'm usually worried about hidden bundleware or adware with those kinds of sites.
Supply Chain Attacks are where threat actors have started to pivot. The recent one for the compression libraries in Linux is another example.
if you use GNU/Linux-libre then this attack can't happen to you due to the lack of closed source firmware. yes someone called Jia Tan did TRY to hack the planet in a way that bypassed that but because of the overwhelming power of open source software, he was immediately caught and stopped
I'm scared, please hold my hand!
The fact they did not investigate all their download files speaks volumes about the integrity and/or intelligence of the techs at Sabrent. They should have taken the website offline until cleaned and protected.
Exactly! I suspect that it was someone at Sabrent who got the legit files and attached a RAT. Either that or some CCP spy. Either way, I will be avoiding Sabrent like the plague.
my guess is that they have a ton of disorganized overseas employees and one of their employees is misbehaving but they cant figure out who yet
Yea that’s pretty concerning considering there’s only about 250 downloads listed and half of them are just user manuals. Wouldn’t have been hard to look through all the installers
@@ThioJoe Unfortunately, this isn't the first time an official site has had this issue. A while back, there was a Minecraft mod site having similar problems
It's not just the time or effort, they should feel responsible enough to cut the site until they figure out where the malware files came from.
If you become aware that you are hosting a malicious piece of software, you investigate, and if you confirm it you suspend all downloads then do an entire security audit of all the files you offer. You don't just take down the one file and call it a day.
Suspend all downloads THEN investigate.
@@alexdrockhound9497 Correct. My mistake.
@@alexdrockhound9497 naah, there is people lying and making false accusation only for the purpose of harming a company, so you should atleast do a initial investigation and verification, before taking down anything.
In some countries, you have the "penalty of perjury" which means if someone does a false accusation - doesn't need to be to a government agency, its enough to another private person, its illegal and could get you caught for "perjury", but many countries (especially large parts of EU) where "penalty of perjury" only applies when you express the lie to a government agency, meaning if you lie to a third party which then goes to a government agency, its not your fault, meaning it could in these countries be totally risk free going around and lying to companies and people.
Since the law does not always protect you from lies, always do a basic initial verification before taking down anything. Theres too many instances where administrators or moderators ban someone purely based on lies (and print screens are astonlishy easy to spoof today where there is the built-in "Inspect" function in every browser today - you don't even need to get the correct font of the text you are fraudulently changing).
So verify first before taking any action.
They are not security people. The person who writes on reddit is likely customer support.
Then contact the customers!!
Having a virus on a commercial download page is sloppy, but it can happen. Failing to take action and needing to be prompted is inexcusably shameful. Having the virus propagate through their corporate system and appear in other downloads and Sabrent NOT being aware let alone catching it is incompetence and negligence. This is one of the ways you can identify a low quality company.
some hardware companies are completely clueless about security, TCP/IP networking and software in general outside of their own niche drivers and firmware. this should be a wake up call for them to hire more security researchers
It's a pity as they had some good products
To me the worst part was their support telling someone it was a false positive, despite clearly having no idea
Sabrent is now saying that a cloud backup "accidentally' placed the malware back on their server. Either these guys are totally incompetent or extremely careless. This is not a good look for a tech company.
I vote for incompetent
I think the cloud backup restoring them is actually likely. I found the reddit post and they updated it, they said it is a supply chain attack and could affect other manufacturers.
@@HexcedeI don't know if I can believe that "it was a supply chain attack", that would mean Sabrent got infected firmware from a 3rd party and simply put it on their site, they did no testing of said firmware, and Sabrent also would have had no antivirus or security software running to detect it if it was ever opened, and on top of that the filename of the download is wrong.
Seems like a deflection to me... It has to be internal, or they are claiming some heavy duty incompetence at many levels!
looks very intentional to me, esp. given after they acknowledged the issue, still didn't remove or even check for all of the infected files on their "official" website - better stay away from such companies, miles away
Both incompetent and careless.
Just checked and it's still up and decided to do some analysis in a VM. It starts off installing itself into the program data folder and sets itself to run on startup. That WOULD be pretty easy to remove, but, the scary part is, is that appends itself onto lots of random exes in the system and user directories! Luckily, it's easy to spot because the metadata of the infected programs is also replaced. But wow, I haven't seen a virus infect other exes for a while, I think it's most common nowadays to just take the user data and run at startup without touching other things.
wow that reminds me of those MS DOS viruses in the 90s and stuff lol
Sheesh
Lol nice
classic trojan... that it weird that someone would use such an easily detected/removable piece of trash like this in 2024... but do we know what it does?? is it a key logger and sending it back to base?? did you check to see if it opened any network connections?
if i had not watched the video i would have guessed someone at sabrent got infected and it spreadits way into the file.
Thanks for getting the word out on this. Sabrent replied to my Reddit message right after this video went up. It appears to be removed.
For those asking about why a HUB would need a firmware update. My friend (the author of the email) could not use a thumb drive plugged into the HUB. He was getting a not enough power warning. This was something I saw people running into in the amazon reviews and stating that there was updated firmware to fix it. So, the HUB was basically unusable with a storage device from the factory.....the fix for that issue contained a RAT from the same factory it seems.
Sabrent are dodgy. The warranty registration form I filled in a couple of years back required an invoice be uploaded as proof of purchase. I received an email confirmation with an unauthenticated public link to the uploaded invoice from a non-Sabrent tenant, and when i asked Sabrent to remove the public file stored in an S3 bucket they claimed they had no control of it and didn't know how it got there.
Their products aren't terrible, but the company is a shambles.
Someone at the company got pwned or this is a deliberate action by someone at the company. Either way Sabrent needs to assume everything is suspect until independently checked. This isn't a false positive.
It would also be possible that there is rouge employee doing this on their own, though that is not very common
@@Octahedran Maybe the same person that's supposed to prevent this is the one doing it. That's why they refused to do anything after the community manager raised the alert.
Perhaps China wants to spy on us thru a US proxy.
@@Octahedran I like when typos add a little bit of levity to a serious matter. Yours does exactly that. A 'rouge' employee versus a rogue employee. The employee was probably a little red in the face for some reason and decided to go rogue. Again, I am not trying to be the spelling police.
That's why I always scan the executables on VT no matters where I download them.
Also, be careful with people telling you "It's just a false positive", if VT is detecting your file as malware on 50 different antivirus engines, maybe it's not a false positive...
What's VT? I have legit nver heard of it.
@@dragon1130 Virus Total
@@dragon1130 virustotal
@@dragon1130 virus total. It's a website.
@@dragon1130VirusTotal
8:14 I translated using DeepL and this is what I got: FW Burning Procedure
Double-click on the mouse to open 1, 2, 3; and
Second, mouse click 4;
No. 5 as shown in the figure to choose;
No. 6 mouse click the arrow pointed [...] respectively
No. 7 according to the figure prompted to select the BIN file.
The 8th mouse click can be.
I can read Chinese, the translation is largely accurate.
So is the maleware taking control of your mouse to do somehting?
@@dragon1130 No its just insturctions
@@dragon1130 These are legitimate instructions on how to flash the firmware. The person who created those instructions is probably not the one who created the malware.
Thank you for this confirmation and warning! A couple weeks ago I was in a back-and-forth email argument with Sabrent US Support. Long story short, I just ended up returning the products and went with another brand. The references to "false-positives" were constantly mentioned. Buh-bye Sabrent.
This is exactly why MD5 hashes are listed on websites besides the files and why people should be double checking and verifying things like this. HOWEVER....:
- If an attacker can fake the file, can't they fake the hash?
uhhh no
Only if they also control the website
Sabrent's download site runs on WordPress - my guess is that someone isn't maintaining that instance and messed up real bad.
Edit: Incidentally, Elementor had a major security issue at the start of the year (8th of Dec), where you could upload malicious files etc. from the HTML source code, this downloads site is indeed using Elementor, and they're a little bit behind on their updates.
@ThioJoe
The Chinese text says the following.
114A Programming Tools and Bits
In the file structure going from top to bottom, it says Folder, Configuration Settings, App, Application Extension, Application Extension, Application Extension.
Hope that helps. or at the least shines a light. Thanks for this video. Good job 😋👍
as a consumer owning multiple sabrent products... the sheer fact that this wasnt addressed months ago as evident by the posts shown in the video is deeply concerning. its been months.. months by the timestamp shown on that tomshardware post and because videos are being made about it either that or the reddict account took wind of this video are in full dmg control. meanwhile there is no news story about this let alone any worrying traction.
reputation has essentially went down the gutter
They finally took action (not too long ago) and took (I assume) all of the infected files down. Over half a year later they finally did something. Very telling.
Just got that exact usb hub and was about to download firmware and I saw this, you’re a LIFESAVER!!! W as always :)
What benefit does the new firmware provide? Does it hub better?
@@Fladelerium No idea but it works fine so I won't update it unless it stops working
Oh yes, the joys of outsourcing production to China and then third party Chinese factories and then doing perfunctory safety checks and not even using standard safety tools that someone who took CompTIA security plus could do. And then they did absolutely no internal checks for a month? Smh
Now that's dedication, Thanks man! ❤
8:14 Install Google translate on your phone, point your phone’s camera at the monitor (can also be used to read foreign characters on other mobile devices e.g. tablets). Zoom in on the text on the source device if the translation doesn’t quickly appear. Move your phone physically in/out left/right, up/down if the translation doesn’t make sense as it might not have picked up smaller parts of some characters. Generally pretty accurate to get the intent behind what was written.
Paraphrasing, this says FW burning instructions. Bottom says to click steps 1, 2, 3.
My first thought was that the Sabrent "support" web page was also hacked and the contact number was changed. Bold ? Yes.
Sabrent doing what all commercials seem to do when informed of "bad files" they go straight into head-in-sand mode.
I actually got a Sabrent product from Amazon and I didn't know that there's malware in the firmware files. I am hoping that Sabrent does take down those files and investigate how those files ended up on their website.
*This is REALLY disappointing. : ( The fact that the site/URLs was (& still is?) accessible for several hours doesn't look good at all in re: to Sabrent's business practice priorities.*
*_Going forward, I will definitely now think twice about buying anything from Sabrent. BTW, I own a handful of their products. Thanks for the heads up, Joe! 👍🏼_*
So Saberent has known for a few weeks but still had not removed the files speaks volumes.
Basically Saberent is saying don’t buy our products !!!!
Time to get rid of my Saberent products
thats a bit drastic..
@@IceWolf1102 not really. they have very clearly shown that they are not trustworthy
Thanks for helping us out and keeping us informed! You may have saved a lot of people
Thanks for this excellent analysis
Thank you for this, ThioJoe.
Thank you man ❤❤
Gigaredflag should be in the dictionary 😉
Very interesting.. Thanks for sharing.. Similar to the Solarwinds issue where hackers injected malicious software alongside legitimate software on companies official download site. Even if you follow all the best advice you may still get caught out !
Thx for the info and video!
Great video!! Also very scary and unsettling...
8:47 those chinese looks like instructions for a "114a burning tool" (burning as in burning a disk in the CD era, similar to how you could make a usb stick to install windows these days) for buring FW(which i assume is the short for firmware). this could be something they forgot to remove, not inherently malicious, but could be used to do malicious things, or do it unknowingly, if they got malicious files handed over to them by someone else, which could also be the case since leaving it in is pretty incompetent -- sorry i couldnt provide more since i had no idea there are even fgirmwares for usb hubs before watching this video
It is about burning firmware. Even if these use flash memory these days and not actual EEPROMs, the term is still being used. It looks like legit instructions from whoever made the underlying hardware and supplied to the vendor of the USB hub, but most likely it should not have shipped with the firmware update as-is.
Definitely serious and a corporate website needs to be alerted to clean their website immediately!!
Fire the entire update team from sabrent
Surprisingly, it turns out that's probably the most dangerous course of action to take in this circumstance.
Let's say this whole thing ends up costing them 5 million in revenue. That's a very costly lesson, but the lesson is learned, and the person who made the mistake will be on the lookout for this sort of attack for the rest of his career, and be the biggest advocate for security.
If you keep him, you just spent 5 million training your security analyst.
If you fire him, you just spent 5 million training your competitor's security analyst.
Also, the whole team? Regardless of who made a mistake? The Geneva Convention doesn't really apply to corporations, but I'll go out on a limb and say a company probably shouldn't do things that the Geneva Convention classifies as war crimes.
@@OhhCrapGuy No.
the one who didn't order to make sure all files are what they were was the boss
if he is not fired for this he has no reason to change anything and the thing will repeat
Oh he can punish someone whos responsibilities didn't include checking for security.
I cannot, they don't work for me.
Thanks for informing us of this✔️👍✔️
Thanks Theo for helping us out. This day in age we need all the friends we can get.
Messing your upload schedule for malware is a W 🎉
Well i kinda messed up my upload schedule myself for the past several weeks anyway 💀
@@ThioJoe real💀, btw I love your content I am inspired by your work and am aiming to become a future software engineer
you're good brother, I appreciate your work
Thank you for covering this!
The FW text has been covered, and most of the instructions are just double click here, select this. What is the program itself, though?
Would love to see John Hammond pick it apart to see what it's doing under the hood.
I work for an msp and several of our clients use these hubs thank you so much for this video i have work to do now wiping there machines as a just in case along with any usb sticks they may be using
You're a scholar and a gentleman, sir.
I also noticed a month or so ago... Sabrent's SSC (Sector Size Converter) also gets flagged as malware
Thanks for getting the word out.
Guess the company has been hacked. How else do you change out the official firmware update.
Could be an inside job, or some sort of social engineering attack.
Supply chain attack. If they aren't the ones that write the firmware for their devices, then the Chinese company that did provided infected firmware. They trusted it at face value (foolish) and uploaded it to their website. That's the most likely reason, but we'll likely never know the details.
Gee .. I wonder where the manufacturer is located that created these infected files & promised Sabrent they were safe? I can't imagine ..
Yep, as soon as I saw that they had offices in China, it all made sense.
This is a textbook example of a supply-chain attack. Reminds me of Solarwinds and 3CX.
I don't know if I should be glad or upset that my habit of scanning every single file multiple times is justified.
Both. Both is good.
What do you use to scan
I'm wondering if other hub, USB, external type devices could also be compromised. I've had a 2-slot Rocket Stor hub 'toaster' for years. Never updated the firmware, or even thought too. Scary stuff.
Supply chain attacks are really scary!
I was surprised when I saw the product because I have that exact 7-port hub. This made me curious as to what the firmware update was all about since I've had no issues with it.
At this point I'd hold responsible the persons that said the downloads were safe. That should teach'em to investigate before commenting.
Windows does have the capacity to download driver updates automatically now, right? What's the chance that this is affected by that, too? If they're allowing unsigned binaries to be delivered through Windows Update, that's even more cause for concern.
Microsoft requires drivers to be signed and firmware aint the same thing anyway
Firmware is in device and driver is within windows
@@commanderoof4578 Ah, right, good point. That completely flew past me
@@commanderoof4578 Firmware gets stored on memory within hardware. Like little flash memory chips embedded in PCBs. Drivers will get stored on your ssd or hard drive permanently.
microsoft has already been infected, so the chance is essentially 100%.
@@commanderoof4578/ Some OEM laptops deliver firmware updates via Windows Update server, so yeah it can happen. Although, I doubt it does for peripheral firmwares.
I want to personally thank you for this.. I almost went ahead and installed the HB-PUB-7 Driver on my pc
You don't need a driver for a hub. Windows all the way back to XP already has built-in drivers.
Yikes, perhaps someone has breached their server?
Make sure to comment so you can get this video out.
Yes, it does feel like a website infection, where you are redirected to a malicious rar file, instead of the original driver upload.
supply chains attacks aren't anything new, it's been a thing for quite a long time now. The only difference is, that supply chain attacks have become significantly more scalable compared to 10 years ago.
Considering, a very important linux "part" was literally hijacked via social engineering and installed malware into it, and the only saving grace was the MS employee checking SSH lag time. The shadow war is intensifying.
Why don't they have antivirus software on their servers checking for malware and viruses. Should have all files taken down and renew all files after scanning all of the server.
It never ceases to amaze me how malware can infect your computer or smartphone in so many different, appalling ways. By the way, happy belated 0x20-th birthday
10:50 and Linux requires your drivers to be signed too IF you have secure boot enabled. but if you're able to disable secure boot in your motherboard settings, then it's no longer required for drivers to be signed on Linux. so i guess the same thing applies to Linux as Windows since enabling unsigned drivers is a similar low level setting in Windows
Yeah it’s pretty clear that someone got into the OEM manufacturer’s developer computer and set up a self propagating Trojan. They didn’t do any scanning, and the rebranding seller didn’t bother checking the files. I’d bet without a doubt the problem will be present on all files provided by that particular OEM.
What would be more scary is if this were deliberate. But chances are the OEM downloaded an infected cracked program to burn the Firmware ROM files, knew nothing of the fact that it was infected (if they were using Linux to package it, files beginning with a period are hidden) and just sent it out that way. They likely only ever needed to tweak the config file and change the bin files, they likely never even checked the executable itself. Just changed out the instructions in config . ini and switched the bin files, and copy pasted the rest. Stolen code is pretty common on cheaper Chinese OEMs, and a lot of Chinese companies run Linux.
I wasn’t thinking there might be drivers for my drive docking/enclosure. I dont have any from Sabrent.
8:41
In the folder window it says.
level 2 select this BIN file
level 0 and level 1 select this BIN file.
On the far right of the files listed in the folder window it says BIN statement and BIN Station.
2 Mouse Click 4
Select No 5 as shown;
The 6th mouse clicks on the [...] pointed by the arrow respectively.
DIN file 7
In the paths is says Programming Tools and Bits.
This is the advantage of having your drivers baked into the kernel like Linux, you don't have to go out on the internet and find stuff that could be compromised to install each time.
Ya DarkComet lets you bind the original file to the RAT. Thats why you will see the config. modified you technically don’t need it but they did modify that one also to assist in the infection.
I remember once a couple of years ago, I downloaded a BIOS update for my old Acer laptop from the Acer website that showed up as malware on my computer. I don't know what happened there
My theory would be that Saberent got hacked (either a computer that can help put up drivers or the site itself) a few files were replaced, but not all so that it takes more effort to look into. That would also explain why Saberent is only learning about the files from users.
Thanks 😊
I will be surprised if sabrent wont make any significant changes on how they manage their websites. Very dangerous.
I started using my laptop for gaming and shopping only because I'm scared of getting viruses and breaking my laptop so I don't download much stuff other than games and drawing programs
I've got into the habit of checking the signatures on downloads these days.
I wonder does this affect the firmware that is updated (does it infect the device) or only the os and machine you're using to apply the firmware update?
well there goes my plans for the weekend
WHY did they not pull the download WHILE they investigated? If it was a false positive, they simply reinstate the Download page.
The chinese text "FW ([][][][])" = FW (steps to burn)
Sabrent needs to do a thorough investigation on how they went bankrupt.
the good old "watering hole" attack. don't their security teams checking the download file checksum once a day? 🙃
Never ever ever buying a sabrent product. This is pure negligence
Or you could just not update the firmware. It’s not like the product is non-functional without the update.
@@NinjaRunningWild Having a virus masquerading as a firmware updater on your official site is not a good look and raises many questions. How did they not notice? Do they even check the stuff they upload onto their website? It's a sign of either negligence, incompetence, a malicious actor, or a mixture of all three.
That said, the VAST majority of users will not be effected, given that most users don't even know that SSD firmware can be updated. Sabrent also doesn't have bugged SSDs like the Micron/Crucial MX500 and Samsung 990 Pro as far as I know. I had to install and tolerate Crucial Storage Executive since my MX500 came with bugged firmware that GREATLY increased drive wear.
i think i might be just dumb but, why does a USB Hub need firmware updates?
Well, it doesn't. But, apparently the company fixes minor bugs, functionality, & performance. In theory anyways. I never personally felt a need to update my hub firmware & honestly I'm finding it more surprising that people do this than I am about the supply chain attack.
their website probably got some vulnerability that let's others hijack the upload file page or the download page itself
So now even we have to guard against official website..
this is something horrible..now..
It is like not everything is safe at all!
Screw that.... I just smashed and trashed all the stuff I had from them!
The trust is 100% gone now!
I had a simular issue with other websites. I cant remeber what was downloading but my av caught it!
You dont update the drives that way anyway
Use the sabrent control panel
I think the reasons why the malicious files were in rar instead of zip was 3 reasons:
1. Microsoft recently added rar support to windows for uncompressing
2. Microsoft hides known file extensions by default in windows, so they would appear as just another archive like zip files do
3. The attackers didn't want to overwrite the real firmware files as that might cause suspicion on Sabrent's part. So uploading the same file name with a different extension, in this case rar, and then only changing the link in the download might hide this as Sabrent's IT might only be scanning the files they are expecting to be there, but not checking for any additional files.
Thanks for the warning!
Why do we need a firmware update for an USB hub in the first place?
Something like this happened years ago with Nox Emulator... Old times are back I guess...
I've had multiple Sabrent devices and never once downloaded software or firmware for them. This is part of the reason why.
If it works without installing the manufacturer's driver, that's good enough for me. No need for extra software that can contain malware, including the spying crap companies love to include these days.
A another day of malware
Official sites distributing malware!!! My disappointment is immeasurable and my day is ruined.
Can't wait for bios malware update
They need to supply something to undo the damage. It came from their site so it's their problem no matter what.
"Get ready for some lawsuits" Says the person that probably is too scared of actually contacting anyone about it
Interesting item about the factory (Realtek?) saying it was safe and the file still appearing after it was removed by support...seems like Sabrent is letting their factories upload files directly without validation?
What Software do you use for virtualising for testing potentially malicious code? I tend to use windows sandbox. What is the safest in your opinion?
Scrumptious. Smells like they outsourced to a hacker to me. Or the coder was hacked and replaced files. I wonder if we'll ever know?