Update: As anticipated, Sabrent removed the files (apparently within minutes of the video going up). They posted an update in the reddit thread here (comment directly linked): www.reddit.com/r/SomeOrdinaryGmrs/comments/1c3uvop/sabrent_hosting_malware/kzkwcm3/ It could be a supply chain attack where the one of the suppliers of the USB chip software got compromised who then passed on the bad firmware update to the hub manufacturer and so on. Though that would still leave the question why the filename on the download page was different from the one actually downloaded. In any case it's a shame and surprise the malware took so long to be fully recognized for what it is. Hopefully we'll see some updates in the future after Sabrent figures out what happened. And hopefully, if indeed any other companies sourcing updates from the same supplier have been affected, it gets discovered quickly.
Just insane how a big company like sebrent after the first malicious file which they responded to didn't then look into more of there files it's a very big concern to have a Trojan in your firmware updates
I worked for many companies as a software engineer, any kind of uploads/downloads are always being scanned with anti varus modules, this is pure incompetence and a sign of lack of security mindset at the company.
@@MetsLand In the post, it mentions that they did respond and that it was a possible supply chain attack. They couldn't have known unless they personally ran them, in which even HP doesn't. But yes, a major security issue.
if you use GNU/Linux-libre then this attack can't happen to you due to the lack of closed source firmware. yes someone called Jia Tan did TRY to hack the planet in a way that bypassed that but because of the overwhelming power of open source software, he was immediately caught and stopped
The fact they did not investigate all their download files speaks volumes about the integrity and/or intelligence of the techs at Sabrent. They should have taken the website offline until cleaned and protected.
Exactly! I suspect that it was someone at Sabrent who got the legit files and attached a RAT. Either that or some CCP spy. Either way, I will be avoiding Sabrent like the plague.
Yea that’s pretty concerning considering there’s only about 250 downloads listed and half of them are just user manuals. Wouldn’t have been hard to look through all the installers
@@ThioJoe Unfortunately, this isn't the first time an official site has had this issue. A while back, there was a Minecraft mod site having similar problems
Just checked and it's still up and decided to do some analysis in a VM. It starts off installing itself into the program data folder and sets itself to run on startup. That WOULD be pretty easy to remove, but, the scary part is, is that appends itself onto lots of random exes in the system and user directories! Luckily, it's easy to spot because the metadata of the infected programs is also replaced. But wow, I haven't seen a virus infect other exes for a while, I think it's most common nowadays to just take the user data and run at startup without touching other things.
classic trojan... that it weird that someone would use such an easily detected/removable piece of trash like this in 2024... but do we know what it does?? is it a key logger and sending it back to base?? did you check to see if it opened any network connections?
Sabrent is now saying that a cloud backup "accidentally' placed the malware back on their server. Either these guys are totally incompetent or extremely careless. This is not a good look for a tech company.
I think the cloud backup restoring them is actually likely. I found the reddit post and they updated it, they said it is a supply chain attack and could affect other manufacturers.
@@HexcedeI don't know if I can believe that "it was a supply chain attack", that would mean Sabrent got infected firmware from a 3rd party and simply put it on their site, they did no testing of said firmware, and Sabrent also would have had no antivirus or security software running to detect it if it was ever opened, and on top of that the filename of the download is wrong. Seems like a deflection to me... It has to be internal, or they are claiming some heavy duty incompetence at many levels!
looks very intentional to me, esp. given after they acknowledged the issue, still didn't remove or even check for all of the infected files on their "official" website - better stay away from such companies, miles away
Having a virus on a commercial download page is sloppy, but it can happen. Failing to take action and needing to be prompted is inexcusably shameful. Having the virus propagate through their corporate system and appear in other downloads and Sabrent NOT being aware let alone catching it is incompetence and negligence. This is one of the ways you can identify a low quality company.
some hardware companies are completely clueless about security, TCP/IP networking and software in general outside of their own niche drivers and firmware. this should be a wake up call for them to hire more security researchers
Sabrent are dodgy. The warranty registration form I filled in a couple of years back required an invoice be uploaded as proof of purchase. I received an email confirmation with an unauthenticated public link to the uploaded invoice from a non-Sabrent tenant, and when i asked Sabrent to remove the public file stored in an S3 bucket they claimed they had no control of it and didn't know how it got there. Their products aren't terrible, but the company is a shambles.
Someone at the company got pwned or this is a deliberate action by someone at the company. Either way Sabrent needs to assume everything is suspect until independently checked. This isn't a false positive.
@@Octahedran Maybe the same person that's supposed to prevent this is the one doing it. That's why they refused to do anything after the community manager raised the alert.
@@Octahedran I like when typos add a little bit of levity to a serious matter. Yours does exactly that. A 'rouge' employee versus a rogue employee. The employee was probably a little red in the face for some reason and decided to go rogue. Again, I am not trying to be the spelling police.
This is exactly why MD5 hashes are listed on websites besides the files and why people should be double checking and verifying things like this. HOWEVER....: - If an attacker can fake the file, can't they fake the hash?
That's why I always scan the executables on VT no matters where I download them. Also, be careful with people telling you "It's just a false positive", if VT is detecting your file as malware on 50 different antivirus engines, maybe it's not a false positive...
8:14 I translated using DeepL and this is what I got: FW Burning Procedure Double-click on the mouse to open 1, 2, 3; and Second, mouse click 4; No. 5 as shown in the figure to choose; No. 6 mouse click the arrow pointed [...] respectively No. 7 according to the figure prompted to select the BIN file. The 8th mouse click can be.
@@dragon1130 These are legitimate instructions on how to flash the firmware. The person who created those instructions is probably not the one who created the malware.
For those asking about why a HUB would need a firmware update. My friend (the author of the email) could not use a thumb drive plugged into the HUB. He was getting a not enough power warning. This was something I saw people running into in the amazon reviews and stating that there was updated firmware to fix it. So, the HUB was basically unusable with a storage device from the factory.....the fix for that issue contained a RAT from the same factory it seems.
Sabrent's download site runs on WordPress - my guess is that someone isn't maintaining that instance and messed up real bad. Edit: Incidentally, Elementor had a major security issue at the start of the year (8th of Dec), where you could upload malicious files etc. from the HTML source code, this downloads site is indeed using Elementor, and they're a little bit behind on their updates.
Thank you for this confirmation and warning! A couple weeks ago I was in a back-and-forth email argument with Sabrent US Support. Long story short, I just ended up returning the products and went with another brand. The references to "false-positives" were constantly mentioned. Buh-bye Sabrent.
I've had a similar issue with them, except instead of having a back and forth fight with their "support," I had to wait 3 days for an email response regarding Windows 11 support/drivers for a USB floppy drive. All I got was them telling me it was old. Thank God I didn't have to pay for the damned thing and got it from a company that wasn't using it anymore. I'll be going with a VAIO USB drive from now on.
Oh yes, the joys of outsourcing production to China and then third party Chinese factories and then doing perfunctory safety checks and not even using standard safety tools that someone who took CompTIA security plus could do. And then they did absolutely no internal checks for a month? Smh
as a consumer owning multiple sabrent products... the sheer fact that this wasnt addressed months ago as evident by the posts shown in the video is deeply concerning. its been months.. months by the timestamp shown on that tomshardware post and because videos are being made about it either that or the reddict account took wind of this video are in full dmg control. meanwhile there is no news story about this let alone any worrying traction. reputation has essentially went down the gutter
They finally took action (not too long ago) and took (I assume) all of the infected files down. Over half a year later they finally did something. Very telling.
8:14 Install Google translate on your phone, point your phone’s camera at the monitor (can also be used to read foreign characters on other mobile devices e.g. tablets). Zoom in on the text on the source device if the translation doesn’t quickly appear. Move your phone physically in/out left/right, up/down if the translation doesn’t make sense as it might not have picked up smaller parts of some characters. Generally pretty accurate to get the intent behind what was written. Paraphrasing, this says FW burning instructions. Bottom says to click steps 1, 2, 3.
So Saberent has known for a few weeks but still had not removed the files speaks volumes. Basically Saberent is saying don’t buy our products !!!! Time to get rid of my Saberent products
@ThioJoe The Chinese text says the following. 114A Programming Tools and Bits In the file structure going from top to bottom, it says Folder, Configuration Settings, App, Application Extension, Application Extension, Application Extension. Hope that helps. or at the least shines a light. Thanks for this video. Good job 😋👍
8:47 those chinese looks like instructions for a "114a burning tool" (burning as in burning a disk in the CD era, similar to how you could make a usb stick to install windows these days) for buring FW(which i assume is the short for firmware). this could be something they forgot to remove, not inherently malicious, but could be used to do malicious things, or do it unknowingly, if they got malicious files handed over to them by someone else, which could also be the case since leaving it in is pretty incompetent -- sorry i couldnt provide more since i had no idea there are even fgirmwares for usb hubs before watching this video
It is about burning firmware. Even if these use flash memory these days and not actual EEPROMs, the term is still being used. It looks like legit instructions from whoever made the underlying hardware and supplied to the vendor of the USB hub, but most likely it should not have shipped with the firmware update as-is.
*This is REALLY disappointing. : ( The fact that the site/URLs was (& still is?) accessible for several hours doesn't look good at all in re: to Sabrent's business practice priorities.* *_Going forward, I will definitely now think twice about buying anything from Sabrent. BTW, I own a handful of their products. Thanks for the heads up, Joe! 👍🏼_*
Surprisingly, it turns out that's probably the most dangerous course of action to take in this circumstance. Let's say this whole thing ends up costing them 5 million in revenue. That's a very costly lesson, but the lesson is learned, and the person who made the mistake will be on the lookout for this sort of attack for the rest of his career, and be the biggest advocate for security. If you keep him, you just spent 5 million training your security analyst. If you fire him, you just spent 5 million training your competitor's security analyst. Also, the whole team? Regardless of who made a mistake? The Geneva Convention doesn't really apply to corporations, but I'll go out on a limb and say a company probably shouldn't do things that the Geneva Convention classifies as war crimes.
@@OhhCrapGuy No. the one who didn't order to make sure all files are what they were was the boss if he is not fired for this he has no reason to change anything and the thing will repeat Oh he can punish someone whos responsibilities didn't include checking for security.
I actually got a Sabrent product from Amazon and I didn't know that there's malware in the firmware files. I am hoping that Sabrent does take down those files and investigate how those files ended up on their website.
Supply chain attack. If they aren't the ones that write the firmware for their devices, then the Chinese company that did provided infected firmware. They trusted it at face value (foolish) and uploaded it to their website. That's the most likely reason, but we'll likely never know the details.
Windows does have the capacity to download driver updates automatically now, right? What's the chance that this is affected by that, too? If they're allowing unsigned binaries to be delivered through Windows Update, that's even more cause for concern.
@@commanderoof4578 Firmware gets stored on memory within hardware. Like little flash memory chips embedded in PCBs. Drivers will get stored on your ssd or hard drive permanently.
@@commanderoof4578/ Some OEM laptops deliver firmware updates via Windows Update server, so yeah it can happen. Although, I doubt it does for peripheral firmwares.
Well, it doesn't. But, apparently the company fixes minor bugs, functionality, & performance. In theory anyways. I never personally felt a need to update my hub firmware & honestly I'm finding it more surprising that people do this than I am about the supply chain attack.
Thank you for covering this! The FW text has been covered, and most of the instructions are just double click here, select this. What is the program itself, though?
Why don't they have antivirus software on their servers checking for malware and viruses. Should have all files taken down and renew all files after scanning all of the server.
Ya DarkComet lets you bind the original file to the RAT. Thats why you will see the config. modified you technically don’t need it but they did modify that one also to assist in the infection.
supply chains attacks aren't anything new, it's been a thing for quite a long time now. The only difference is, that supply chain attacks have become significantly more scalable compared to 10 years ago.
Considering, a very important linux "part" was literally hijacked via social engineering and installed malware into it, and the only saving grace was the MS employee checking SSH lag time. The shadow war is intensifying.
What can we expect from company that only sells oem products from china? And as it seems they do not even check files provided to them by the manufacturer (like spyware from china never happened before.. sure) initially I thought that the website was compromised, but 90% that it's not, cause they'd most likely replace all files with malware, or at least more popular ones. And the last question I have is: "why you even make usb hub that needs its firmware to be updated, or bricked?" Device that vasically have one function and for decades has no accessble firmware, now needs one and have gliches..
It's a good thing there is no dire need to update Sabrent firmware at the moment. If they had bugged firmware like some variants of the MX500 or early 990 Pros this could be much worse.
Never download the latest update in first 5 days of its release be it from Nvidia, Apple or Microsoft or Google or any xyz company except the antivirus updates (which you have no control though). These companies OS / App / plugin updates were historically always unstable, rushed to release (to impress their shareholders) and damaged integrated hardware. Yes I am saying this since I owned Windows-95 or iOS 5 and even today I stick to my rule and avoided these costly mistakes. And I work in tech and unfortunately a part of the rush update pusher as well ☹️
wait there is firmware for usb hub lol ... mine one just plug and play and it worked ( which is actually good thing as having to update firmware for every device could be risky as it may cause issues or worst case scenarios HAVE VIRUS IN IT xD )
@@NinjaRunningWild Having a virus masquerading as a firmware updater on your official site is not a good look and raises many questions. How did they not notice? Do they even check the stuff they upload onto their website? It's a sign of either negligence, incompetence, a malicious actor, or a mixture of all three. That said, the VAST majority of users will not be effected, given that most users don't even know that SSD firmware can be updated. Sabrent also doesn't have bugged SSDs like the Micron/Crucial MX500 and Samsung 990 Pro as far as I know. I had to install and tolerate Crucial Storage Executive since my MX500 came with bugged firmware that GREATLY increased drive wear.
Is sabrent Chinese?......... they seem to have an office there but also appear to make themselves look to be an American based company in LA........... they I believe are in shenzen china
I wonder does this affect the firmware that is updated (does it infect the device) or only the os and machine you're using to apply the firmware update?
honestly i wasn't even aware that updating a usb hub was a thing aren't they supposed to be just dummy devices what is this do saberent usb hubs have bluetooth or some smart function like turn of the light
I work for an msp and several of our clients use these hubs thank you so much for this video i have work to do now wiping there machines as a just in case along with any usb sticks they may be using
I started using my laptop for gaming and shopping only because I'm scared of getting viruses and breaking my laptop so I don't download much stuff other than games and drawing programs
I'm wondering if other hub, USB, external type devices could also be compromised. I've had a 2-slot Rocket Stor hub 'toaster' for years. Never updated the firmware, or even thought too. Scary stuff.
Very interesting.. Thanks for sharing.. Similar to the Solarwinds issue where hackers injected malicious software alongside legitimate software on companies official download site. Even if you follow all the best advice you may still get caught out !
But why do you update firmware for a USB Hub? I always thought those were mostly passive stuff with generic drivers. Also "Deatil Levle" on that config.ini file is suspicious but maybe generic typo too.
10:50 and Linux requires your drivers to be signed too IF you have secure boot enabled. but if you're able to disable secure boot in your motherboard settings, then it's no longer required for drivers to be signed on Linux. so i guess the same thing applies to Linux as Windows since enabling unsigned drivers is a similar low level setting in Windows
Yeah it’s pretty clear that someone got into the OEM manufacturer’s developer computer and set up a self propagating Trojan. They didn’t do any scanning, and the rebranding seller didn’t bother checking the files. I’d bet without a doubt the problem will be present on all files provided by that particular OEM. What would be more scary is if this were deliberate. But chances are the OEM downloaded an infected cracked program to burn the Firmware ROM files, knew nothing of the fact that it was infected (if they were using Linux to package it, files beginning with a period are hidden) and just sent it out that way. They likely only ever needed to tweak the config file and change the bin files, they likely never even checked the executable itself. Just changed out the instructions in config . ini and switched the bin files, and copy pasted the rest. Stolen code is pretty common on cheaper Chinese OEMs, and a lot of Chinese companies run Linux.
Even as a Linux user, I have to be aware of every. single. site...! Even with NoScript in Firefox... You always have to be vigilant no matter what. Supply chain attacks... Now I know.
Update: As anticipated, Sabrent removed the files (apparently within minutes of the video going up). They posted an update in the reddit thread here (comment directly linked): www.reddit.com/r/SomeOrdinaryGmrs/comments/1c3uvop/sabrent_hosting_malware/kzkwcm3/
It could be a supply chain attack where the one of the suppliers of the USB chip software got compromised who then passed on the bad firmware update to the hub manufacturer and so on. Though that would still leave the question why the filename on the download page was different from the one actually downloaded. In any case it's a shame and surprise the malware took so long to be fully recognized for what it is. Hopefully we'll see some updates in the future after Sabrent figures out what happened. And hopefully, if indeed any other companies sourcing updates from the same supplier have been affected, it gets discovered quickly.
strange how companies do not really get anything done till it goes up as news on youtube with users having >1M subs inspite of being aware of it
Just insane how a big company like sebrent after the first malicious file which they responded to didn't then look into more of there files it's a very big concern to have a Trojan in your firmware updates
I worked for many companies as a software engineer, any kind of uploads/downloads are always being scanned with anti varus modules, this is pure incompetence and a sign of lack of security mindset at the company.
we all love running CCP malware from and official firmware update website :\D
@@MetsLand In the post, it mentions that they did respond and that it was a possible supply chain attack. They couldn't have known unless they personally ran them, in which even HP doesn't. But yes, a major security issue.
Extra scary whenever you can download from official sites and still get malware
Beware of sites like CNET too.
@@sr2291, oh yeah, they always sketch me out. I'm usually worried about hidden bundleware or adware with those kinds of sites.
Supply Chain Attacks are where threat actors have started to pivot. The recent one for the compression libraries in Linux is another example.
if you use GNU/Linux-libre then this attack can't happen to you due to the lack of closed source firmware. yes someone called Jia Tan did TRY to hack the planet in a way that bypassed that but because of the overwhelming power of open source software, he was immediately caught and stopped
I'm scared, please hold my hand!
The fact they did not investigate all their download files speaks volumes about the integrity and/or intelligence of the techs at Sabrent. They should have taken the website offline until cleaned and protected.
Exactly! I suspect that it was someone at Sabrent who got the legit files and attached a RAT. Either that or some CCP spy. Either way, I will be avoiding Sabrent like the plague.
my guess is that they have a ton of disorganized overseas employees and one of their employees is misbehaving but they cant figure out who yet
Yea that’s pretty concerning considering there’s only about 250 downloads listed and half of them are just user manuals. Wouldn’t have been hard to look through all the installers
@@ThioJoe Unfortunately, this isn't the first time an official site has had this issue. A while back, there was a Minecraft mod site having similar problems
It's not just the time or effort, they should feel responsible enough to cut the site until they figure out where the malware files came from.
Just checked and it's still up and decided to do some analysis in a VM. It starts off installing itself into the program data folder and sets itself to run on startup. That WOULD be pretty easy to remove, but, the scary part is, is that appends itself onto lots of random exes in the system and user directories! Luckily, it's easy to spot because the metadata of the infected programs is also replaced. But wow, I haven't seen a virus infect other exes for a while, I think it's most common nowadays to just take the user data and run at startup without touching other things.
wow that reminds me of those MS DOS viruses in the 90s and stuff lol
Sheesh
Lol nice
classic trojan... that it weird that someone would use such an easily detected/removable piece of trash like this in 2024... but do we know what it does?? is it a key logger and sending it back to base?? did you check to see if it opened any network connections?
if i had not watched the video i would have guessed someone at sabrent got infected and it spreadits way into the file.
Sabrent is now saying that a cloud backup "accidentally' placed the malware back on their server. Either these guys are totally incompetent or extremely careless. This is not a good look for a tech company.
I vote for incompetent
I think the cloud backup restoring them is actually likely. I found the reddit post and they updated it, they said it is a supply chain attack and could affect other manufacturers.
@@HexcedeI don't know if I can believe that "it was a supply chain attack", that would mean Sabrent got infected firmware from a 3rd party and simply put it on their site, they did no testing of said firmware, and Sabrent also would have had no antivirus or security software running to detect it if it was ever opened, and on top of that the filename of the download is wrong.
Seems like a deflection to me... It has to be internal, or they are claiming some heavy duty incompetence at many levels!
looks very intentional to me, esp. given after they acknowledged the issue, still didn't remove or even check for all of the infected files on their "official" website - better stay away from such companies, miles away
Both incompetent and careless.
Having a virus on a commercial download page is sloppy, but it can happen. Failing to take action and needing to be prompted is inexcusably shameful. Having the virus propagate through their corporate system and appear in other downloads and Sabrent NOT being aware let alone catching it is incompetence and negligence. This is one of the ways you can identify a low quality company.
some hardware companies are completely clueless about security, TCP/IP networking and software in general outside of their own niche drivers and firmware. this should be a wake up call for them to hire more security researchers
It's a pity as they had some good products
To me the worst part was their support telling someone it was a false positive, despite clearly having no idea
Sabrent are dodgy. The warranty registration form I filled in a couple of years back required an invoice be uploaded as proof of purchase. I received an email confirmation with an unauthenticated public link to the uploaded invoice from a non-Sabrent tenant, and when i asked Sabrent to remove the public file stored in an S3 bucket they claimed they had no control of it and didn't know how it got there.
Their products aren't terrible, but the company is a shambles.
Someone at the company got pwned or this is a deliberate action by someone at the company. Either way Sabrent needs to assume everything is suspect until independently checked. This isn't a false positive.
It would also be possible that there is rouge employee doing this on their own, though that is not very common
@@Octahedran Maybe the same person that's supposed to prevent this is the one doing it. That's why they refused to do anything after the community manager raised the alert.
Perhaps China wants to spy on us thru a US proxy.
@@Octahedran I like when typos add a little bit of levity to a serious matter. Yours does exactly that. A 'rouge' employee versus a rogue employee. The employee was probably a little red in the face for some reason and decided to go rogue. Again, I am not trying to be the spelling police.
This is exactly why MD5 hashes are listed on websites besides the files and why people should be double checking and verifying things like this. HOWEVER....:
- If an attacker can fake the file, can't they fake the hash?
uhhh no
Only if they also control the website
That's why I always scan the executables on VT no matters where I download them.
Also, be careful with people telling you "It's just a false positive", if VT is detecting your file as malware on 50 different antivirus engines, maybe it's not a false positive...
What's VT? I have legit nver heard of it.
@@dragon1130 Virus Total
@@dragon1130 virustotal
@@dragon1130 virus total. It's a website.
@@dragon1130VirusTotal
8:14 I translated using DeepL and this is what I got: FW Burning Procedure
Double-click on the mouse to open 1, 2, 3; and
Second, mouse click 4;
No. 5 as shown in the figure to choose;
No. 6 mouse click the arrow pointed [...] respectively
No. 7 according to the figure prompted to select the BIN file.
The 8th mouse click can be.
I can read Chinese, the translation is largely accurate.
So is the maleware taking control of your mouse to do somehting?
@@dragon1130 No its just insturctions
@@dragon1130 These are legitimate instructions on how to flash the firmware. The person who created those instructions is probably not the one who created the malware.
Thanks for getting the word out on this. Sabrent replied to my Reddit message right after this video went up. It appears to be removed.
For those asking about why a HUB would need a firmware update. My friend (the author of the email) could not use a thumb drive plugged into the HUB. He was getting a not enough power warning. This was something I saw people running into in the amazon reviews and stating that there was updated firmware to fix it. So, the HUB was basically unusable with a storage device from the factory.....the fix for that issue contained a RAT from the same factory it seems.
Sabrent's download site runs on WordPress - my guess is that someone isn't maintaining that instance and messed up real bad.
Edit: Incidentally, Elementor had a major security issue at the start of the year (8th of Dec), where you could upload malicious files etc. from the HTML source code, this downloads site is indeed using Elementor, and they're a little bit behind on their updates.
Thank you for this confirmation and warning! A couple weeks ago I was in a back-and-forth email argument with Sabrent US Support. Long story short, I just ended up returning the products and went with another brand. The references to "false-positives" were constantly mentioned. Buh-bye Sabrent.
I've had a similar issue with them, except instead of having a back and forth fight with their "support," I had to wait 3 days for an email response regarding Windows 11 support/drivers for a USB floppy drive. All I got was them telling me it was old. Thank God I didn't have to pay for the damned thing and got it from a company that wasn't using it anymore. I'll be going with a VAIO USB drive from now on.
Gigaredflag should be in the dictionary 😉
Oh yes, the joys of outsourcing production to China and then third party Chinese factories and then doing perfunctory safety checks and not even using standard safety tools that someone who took CompTIA security plus could do. And then they did absolutely no internal checks for a month? Smh
as a consumer owning multiple sabrent products... the sheer fact that this wasnt addressed months ago as evident by the posts shown in the video is deeply concerning. its been months.. months by the timestamp shown on that tomshardware post and because videos are being made about it either that or the reddict account took wind of this video are in full dmg control. meanwhile there is no news story about this let alone any worrying traction.
reputation has essentially went down the gutter
They finally took action (not too long ago) and took (I assume) all of the infected files down. Over half a year later they finally did something. Very telling.
8:14 Install Google translate on your phone, point your phone’s camera at the monitor (can also be used to read foreign characters on other mobile devices e.g. tablets). Zoom in on the text on the source device if the translation doesn’t quickly appear. Move your phone physically in/out left/right, up/down if the translation doesn’t make sense as it might not have picked up smaller parts of some characters. Generally pretty accurate to get the intent behind what was written.
Paraphrasing, this says FW burning instructions. Bottom says to click steps 1, 2, 3.
So Saberent has known for a few weeks but still had not removed the files speaks volumes.
Basically Saberent is saying don’t buy our products !!!!
Time to get rid of my Saberent products
thats a bit drastic..
@@IceWolf1102 not really. they have very clearly shown that they are not trustworthy
@ThioJoe
The Chinese text says the following.
114A Programming Tools and Bits
In the file structure going from top to bottom, it says Folder, Configuration Settings, App, Application Extension, Application Extension, Application Extension.
Hope that helps. or at the least shines a light. Thanks for this video. Good job 😋👍
8:47 those chinese looks like instructions for a "114a burning tool" (burning as in burning a disk in the CD era, similar to how you could make a usb stick to install windows these days) for buring FW(which i assume is the short for firmware). this could be something they forgot to remove, not inherently malicious, but could be used to do malicious things, or do it unknowingly, if they got malicious files handed over to them by someone else, which could also be the case since leaving it in is pretty incompetent -- sorry i couldnt provide more since i had no idea there are even fgirmwares for usb hubs before watching this video
It is about burning firmware. Even if these use flash memory these days and not actual EEPROMs, the term is still being used. It looks like legit instructions from whoever made the underlying hardware and supplied to the vendor of the USB hub, but most likely it should not have shipped with the firmware update as-is.
*This is REALLY disappointing. : ( The fact that the site/URLs was (& still is?) accessible for several hours doesn't look good at all in re: to Sabrent's business practice priorities.*
*_Going forward, I will definitely now think twice about buying anything from Sabrent. BTW, I own a handful of their products. Thanks for the heads up, Joe! 👍🏼_*
Fire the entire update team from sabrent
Surprisingly, it turns out that's probably the most dangerous course of action to take in this circumstance.
Let's say this whole thing ends up costing them 5 million in revenue. That's a very costly lesson, but the lesson is learned, and the person who made the mistake will be on the lookout for this sort of attack for the rest of his career, and be the biggest advocate for security.
If you keep him, you just spent 5 million training your security analyst.
If you fire him, you just spent 5 million training your competitor's security analyst.
Also, the whole team? Regardless of who made a mistake? The Geneva Convention doesn't really apply to corporations, but I'll go out on a limb and say a company probably shouldn't do things that the Geneva Convention classifies as war crimes.
@@OhhCrapGuy No.
the one who didn't order to make sure all files are what they were was the boss
if he is not fired for this he has no reason to change anything and the thing will repeat
Oh he can punish someone whos responsibilities didn't include checking for security.
I cannot, they don't work for me.
Just got that exact usb hub and was about to download firmware and I saw this, you’re a LIFESAVER!!! W as always :)
What benefit does the new firmware provide? Does it hub better?
@@Fladelerium No idea but it works fine so I won't update it unless it stops working
I actually got a Sabrent product from Amazon and I didn't know that there's malware in the firmware files. I am hoping that Sabrent does take down those files and investigate how those files ended up on their website.
Guess the company has been hacked. How else do you change out the official firmware update.
Could be an inside job, or some sort of social engineering attack.
Supply chain attack. If they aren't the ones that write the firmware for their devices, then the Chinese company that did provided infected firmware. They trusted it at face value (foolish) and uploaded it to their website. That's the most likely reason, but we'll likely never know the details.
My first thought was that the Sabrent "support" web page was also hacked and the contact number was changed. Bold ? Yes.
Windows does have the capacity to download driver updates automatically now, right? What's the chance that this is affected by that, too? If they're allowing unsigned binaries to be delivered through Windows Update, that's even more cause for concern.
Microsoft requires drivers to be signed and firmware aint the same thing anyway
Firmware is in device and driver is within windows
@@commanderoof4578 Ah, right, good point. That completely flew past me
@@commanderoof4578 Firmware gets stored on memory within hardware. Like little flash memory chips embedded in PCBs. Drivers will get stored on your ssd or hard drive permanently.
microsoft has already been infected, so the chance is essentially 100%.
@@commanderoof4578/ Some OEM laptops deliver firmware updates via Windows Update server, so yeah it can happen. Although, I doubt it does for peripheral firmwares.
i think i might be just dumb but, why does a USB Hub need firmware updates?
Well, it doesn't. But, apparently the company fixes minor bugs, functionality, & performance. In theory anyways. I never personally felt a need to update my hub firmware & honestly I'm finding it more surprising that people do this than I am about the supply chain attack.
Sabrent doing what all commercials seem to do when informed of "bad files" they go straight into head-in-sand mode.
Would love to see John Hammond pick it apart to see what it's doing under the hood.
Make sure to comment so you can get this video out.
Chinese malware that makes remote connection to your device. What a surprise! Who would expect that? ;)
Jia Tan just tried to help out lol
you think the NSA doesn't do this? or does not pretend to be chinese or russian?
@@joedoe3688 They don't have to. Microsoft has built-in back doors specially added just for them.
@@joedoe3688 Sure, it was probably the NSA who did this. 🙄🤦♂️ If you believe that I have a bridge to sell you.
Thank you for covering this!
The FW text has been covered, and most of the instructions are just double click here, select this. What is the program itself, though?
I don't know if I should be glad or upset that my habit of scanning every single file multiple times is justified.
Both. Both is good.
What do you use to scan
Why don't they have antivirus software on their servers checking for malware and viruses. Should have all files taken down and renew all files after scanning all of the server.
Yikes, perhaps someone has breached their server?
Ya DarkComet lets you bind the original file to the RAT. Thats why you will see the config. modified you technically don’t need it but they did modify that one also to assist in the infection.
Gee .. I wonder where the manufacturer is located that created these infected files & promised Sabrent they were safe? I can't imagine ..
Yep, as soon as I saw that they had offices in China, it all made sense.
Official sites distributing malware!!! My disappointment is immeasurable and my day is ruined.
The chinese text "FW ([][][][])" = FW (steps to burn)
A another day of malware
supply chains attacks aren't anything new, it's been a thing for quite a long time now. The only difference is, that supply chain attacks have become significantly more scalable compared to 10 years ago.
Considering, a very important linux "part" was literally hijacked via social engineering and installed malware into it, and the only saving grace was the MS employee checking SSH lag time. The shadow war is intensifying.
What can we expect from company that only sells oem products from china? And as it seems they do not even check files provided to them by the manufacturer (like spyware from china never happened before.. sure) initially I thought that the website was compromised, but 90% that it's not, cause they'd most likely replace all files with malware, or at least more popular ones. And the last question I have is: "why you even make usb hub that needs its firmware to be updated, or bricked?" Device that vasically have one function and for decades has no accessble firmware, now needs one and have gliches..
At this point I'd hold responsible the persons that said the downloads were safe. That should teach'em to investigate before commenting.
I think Sabrent was hacked, so don’t trust any downloads from them for now.
It's a good thing there is no dire need to update Sabrent firmware at the moment. If they had bugged firmware like some variants of the MX500 or early 990 Pros this could be much worse.
Scrumptious. Smells like they outsourced to a hacker to me. Or the coder was hacked and replaced files. I wonder if we'll ever know?
It's not that complicated really. Sabrent probably got their servers hijacked and they haven't realized it yet. I'm sure that's how I got
I want to personally thank you for this.. I almost went ahead and installed the HB-PUB-7 Driver on my pc
You don't need a driver for a hub. Windows all the way back to XP already has built-in drivers.
Never download the latest update in first 5 days of its release be it from Nvidia, Apple or Microsoft or Google or any xyz company except the antivirus updates (which you have no control though).
These companies OS / App / plugin updates were historically always unstable, rushed to release (to impress their shareholders) and damaged integrated hardware. Yes I am saying this since I owned Windows-95 or iOS 5 and even today I stick to my rule and avoided these costly mistakes. And I work in tech and unfortunately a part of the rush update pusher as well ☹️
wait there is firmware for usb hub lol ... mine one just plug and play and it worked ( which is actually good thing as having to update firmware for every device could be risky as it may cause issues or worst case scenarios HAVE VIRUS IN IT xD )
Wow one of the things you posted was 5 months ago. This has been going on for a while yikes!
You dont update the drives that way anyway
Use the sabrent control panel
I just have a single question: why would a USB hub need a driver update?
Never ever ever buying a sabrent product. This is pure negligence
Or you could just not update the firmware. It’s not like the product is non-functional without the update.
@@NinjaRunningWild Having a virus masquerading as a firmware updater on your official site is not a good look and raises many questions. How did they not notice? Do they even check the stuff they upload onto their website? It's a sign of either negligence, incompetence, a malicious actor, or a mixture of all three.
That said, the VAST majority of users will not be effected, given that most users don't even know that SSD firmware can be updated. Sabrent also doesn't have bugged SSDs like the Micron/Crucial MX500 and Samsung 990 Pro as far as I know. I had to install and tolerate Crucial Storage Executive since my MX500 came with bugged firmware that GREATLY increased drive wear.
their website probably got some vulnerability that let's others hijack the upload file page or the download page itself
...I've been downloading their firmware for the NVME enclosures
Am I at risk now?
Is sabrent Chinese?......... they seem to have an office there but also appear to make themselves look to be an American based company in LA........... they I believe are in shenzen china
Thanks for the warning!
Why do we need a firmware update for an USB hub in the first place?
This company sounds shady enough to do something like this anyways
I wonder does this affect the firmware that is updated (does it infect the device) or only the os and machine you're using to apply the firmware update?
I also noticed a month or so ago... Sabrent's SSC (Sector Size Converter) also gets flagged as malware
honestly i wasn't even aware that updating a usb hub was a thing aren't they supposed to be just dummy devices what is this do saberent usb hubs have bluetooth or some smart function like turn of the light
Am I the only person who if they had money just download all the viruses he tells us to avoid? 😂
Why tho 💀
@@ThioJoe probably curiousity
@@ardishco Nah, just cuz I want to 🤣
If you had money before downloading rando viruses, youd soon have a much lighter wallet when they hack/scam you
then you would no longer have that money
Maybe sabrent's official website got hacked
I work for an msp and several of our clients use these hubs thank you so much for this video i have work to do now wiping there machines as a just in case along with any usb sticks they may be using
I started using my laptop for gaming and shopping only because I'm scared of getting viruses and breaking my laptop so I don't download much stuff other than games and drawing programs
I'm wondering if other hub, USB, external type devices could also be compromised. I've had a 2-slot Rocket Stor hub 'toaster' for years. Never updated the firmware, or even thought too. Scary stuff.
Why the heck does a USB HUB has any firmware in the first place?!
Very interesting.. Thanks for sharing.. Similar to the Solarwinds issue where hackers injected malicious software alongside legitimate software on companies official download site. Even if you follow all the best advice you may still get caught out !
Man u should pay attention to official websites now
why would a usb hub need firmware update, this is getting ridiculous
Perhaps just looking for an alternative to Tik-Tok ?
Why I ALWAYS scan downloads no matter where there from
They seem to have taken it down now
I'm just wondering... how does this even happen???
But why do you update firmware for a USB Hub? I always thought those were mostly passive stuff with generic drivers. Also "Deatil Levle" on that config.ini file is suspicious but maybe generic typo too.
It feels to me the company who OEMd the hub itself sent the malware either unknowingly or is trying to steal bank details to make a quick buck.
Definitely serious and a corporate website needs to be alerted to clean their website immediately!!
10:50 and Linux requires your drivers to be signed too IF you have secure boot enabled. but if you're able to disable secure boot in your motherboard settings, then it's no longer required for drivers to be signed on Linux. so i guess the same thing applies to Linux as Windows since enabling unsigned drivers is a similar low level setting in Windows
This is a textbook example of a supply-chain attack. Reminds me of Solarwinds and 3CX.
Yeah it’s pretty clear that someone got into the OEM manufacturer’s developer computer and set up a self propagating Trojan. They didn’t do any scanning, and the rebranding seller didn’t bother checking the files. I’d bet without a doubt the problem will be present on all files provided by that particular OEM.
What would be more scary is if this were deliberate. But chances are the OEM downloaded an infected cracked program to burn the Firmware ROM files, knew nothing of the fact that it was infected (if they were using Linux to package it, files beginning with a period are hidden) and just sent it out that way. They likely only ever needed to tweak the config file and change the bin files, they likely never even checked the executable itself. Just changed out the instructions in config . ini and switched the bin files, and copy pasted the rest. Stolen code is pretty common on cheaper Chinese OEMs, and a lot of Chinese companies run Linux.
Supply chain attacks are really scary!
Messing your upload schedule for malware is a W 🎉
Well i kinda messed up my upload schedule myself for the past several weeks anyway 💀
@@ThioJoe real💀, btw I love your content I am inspired by your work and am aiming to become a future software engineer
I will be surprised if sabrent wont make any significant changes on how they manage their websites. Very dangerous.
Now that's dedication, Thanks man! ❤
nah jit im screwd
spearfishing attack is motlikly the issue
It's everywhere no where is safe
5:39 Chicken!
Thanks for this excellent analysis
Do we know what the virus does??
My question is why does a USB hub need a firmware update?
3 views and 12 comments, and 23 likes? This defies logic
It's because Google takes more time to validate views.
Welcome to the matrix
the only unsigned driver ive installed was for a ps2 eye toy camera.
So for like an emulator? I imagine pcsx2
chinese words means chinese hackers
Thank you man ❤❤
More than one update hacked; Sabrent is toasted, they won't last another year....
Even as a Linux user, I have to be aware of every. single. site...! Even with NoScript in Firefox... You always have to be vigilant no matter what.
Supply chain attacks... Now I know.
I found this video when I was looking for drivers for my floppy drive.