Ukraine says hackers abuse SyncThing tool to steal data
https://www.bleepingcomputer.com/news/security/ukraine-says-hackers-abuse-syncthing-tool-to-steal-data/Open linkView original on sh.itjust.workshttps://www.bleepingcomputer.com/news/security/ukraine-says-hackers-abuse-syncthing-tool-to-steal-data/Open linkView original on sh.itjust.works
Got worried about a synching vuln, but no, they are just using it as a file transfer agent for their own malware.
Threat actor using software as intended.
Next article, "hackers abuse bash to list directory contents and write the output to a file."
Honestly, I didn't think about vulnerability in SyncThing when I read the article. But I wondered why defense forces would have p2p open on their networks.
When you say P2P you think torrents. But syncthing have rendezvou helpers to facilitate connections without seeing any data.
Not necessarily. Torrent is a way to find a peer for direct connection or via a relay (of course that is more than that). Syncthing, even using a relay server, requires some ports available for at least outbound connection (22000 TCP/UDP or whatever port the relay is using). This should not be possible in a medium security network, let alone a defense network. I don't know if syncthing works without a direct connection (to the peer or relay, something like transport via http proxy).
It does. It has hole punching incorporated into the protocol. So as long as it can get to the internet, it can use coordination servers and do double hole punching so that they can talk to each other
Interesting. I didn't know that syncthing does hole punching.
From a defense perspective, how would this work with an enterprise firewall, with UDP/TCP only allowed to specific destinations or specific sources. Example: only the internal DNS relay server can access 53/UDP and only the internal proxy server can access 80/443. What I mean is in a network with a very closed firewall, how would Syncthing be able to connect with peers?
Use... Not abuse.
I just lost a bunch of respect for bleeping computer
Oh no you lost respect because someone use the wrong word. My day is ruined that you lose respect. How will the world continue because [email protected] haves lost respect. Also they abused it because in the Eula you agree not to use their software in this manner. So they improperly used this software to exfiltrate data. I haven't seen you write your own articles either. Sorry let me not abuse you too much.
https://github.com/syncthing/syncthing/blob/main/LICENSE
The license does not restrict use of a file transfer protocol for file transfer. In fact it's the Mozilla public license. It's very permissive
Got to admit, your comment matches your username, kudos
The license clearly does not apply. Nice try though. I mean it does take some mental work to think synchthing permits this type of abuse. Wait is that too disrespectful?
If the license the code is published with doesn't apply, what license would apply?