Ukraine says hackers abuse SyncThing tool to steal data - eviltoast
    • dariusj18@lemmy.world
      link
      fedilink
      English
      arrow-up
      35
      ·
      5 months ago

      Next article, “hackers abuse bash to list directory contents and write the output to a file.”

      • Kid@sh.itjust.worksOPM
        link
        fedilink
        English
        arrow-up
        6
        ·
        5 months ago

        Honestly, I didn’t think about vulnerability in SyncThing when I read the article. But I wondered why defense forces would have p2p open on their networks.

        • slazer2au@lemmy.world
          link
          fedilink
          English
          arrow-up
          4
          ·
          5 months ago

          When you say P2P you think torrents. But syncthing have rendezvou helpers to facilitate connections without seeing any data.

          • Kid@sh.itjust.worksOPM
            link
            fedilink
            English
            arrow-up
            6
            ·
            5 months ago

            Not necessarily. Torrent is a way to find a peer for direct connection or via a relay (of course that is more than that). Syncthing, even using a relay server, requires some ports available for at least outbound connection (22000 TCP/UDP or whatever port the relay is using). This should not be possible in a medium security network, let alone a defense network. I don’t know if syncthing works without a direct connection (to the peer or relay, something like transport via http proxy).

            • jet@hackertalks.com
              link
              fedilink
              English
              arrow-up
              5
              ·
              5 months ago

              It does. It has hole punching incorporated into the protocol. So as long as it can get to the internet, it can use coordination servers and do double hole punching so that they can talk to each other

              • Kid@sh.itjust.worksOPM
                link
                fedilink
                English
                arrow-up
                2
                ·
                5 months ago

                Interesting. I didn’t know that syncthing does hole punching.

                From a defense perspective, how would this work with an enterprise firewall, with UDP/TCP only allowed to specific destinations or specific sources. Example: only the internal DNS relay server can access 53/UDP and only the internal proxy server can access 80/443. What I mean is in a network with a very closed firewall, how would Syncthing be able to connect with peers?

                • jet@hackertalks.com
                  link
                  fedilink
                  English
                  arrow-up
                  4
                  ·
                  edit-2
                  5 months ago

                  If the firewall was properly locking down servers to functions then it shouldn’t work. But if it has general Web access sync thing is very resilient

                  This is the reason people use sync thing and recommend it, it’s really hard to kill

                  • seang96@spgrn.com
                    link
                    fedilink
                    English
                    arrow-up
                    3
                    ·
                    edit-2
                    5 months ago

                    Bestbet would probably be block on an application level. I swapped to bitwarden since syncthing wasn’t liked by the AV on my work pc and I was using it to sync my password db.