Unknown attackers targeted certain network-attached storage (NAS) systems made by Western Digital, exploiting a known flaw from 2018 and a zero-day vulnerability to compromise remotely accessible devices and delete data, the company stated in the initial results of its investigation published on June 29.
The investigation discovered that attackers targeted two vulnerabilities in the firmware of My Book Live and My Book Live Duo devices, which were introduced into the market in 2010 and were last updated in 2015. The first vulnerability, reported in 2018, allowed attackers to run commands on a device with root privileges, while a second vulnerability gave attackers the ability to execute a factory-reset operation without authentication. In many cases, attackers installed malware on the devices by exploiting the first vulnerability, before deleting the drives via the second vulnerability.
Western Digital's security team analyzed log files provided by customers to understand the attack, finding that attackers scanned for vulnerable devices and then compromised them, the company stated in its advisory.
"The log files we reviewed show that the attackers directly connected to the affected My Book Live devices from a variety of IP addresses in different countries," the company stated. "Our investigation shows that in some cases, the same attacker exploited both vulnerabilities on the device, as evidenced by the source IP. The first vulnerability was exploited to install a malicious binary on the device, and the second vulnerability was later exploited to reset the device."
The results of the investigation come five days after Western Digital My Book users inundated support forums with complaints that their data had been completely deleted from their NAS systems. The attacks occurred on June 23 and 24, triggered a factory reset on many devices. Unlike ransomware attacks that encrypt data and demand a payment for the keys, the attacks do not appear to have a financial motive.
The company warned that NAS systems either connected directly to the Internet or connected through port forwarding are vulnerable to exploitation.
"Our investigation of this incident has not uncovered any evidence that Western Digital cloud services, firmware update servers, or customer credentials were compromised," the company stated in its advisory. "As the My Book Live devices can be directly exposed to the internet through port forwarding, the attackers may be able to discover vulnerable devices through port scanning."
The vulnerabilities appear to affect only the My Book Live and My Book Live Duo NAS systems, although the original 2018 vulnerability report (CVE-2018-18472) also mentions that some models of WD My Cloud NAS may also be affected.
"If you are using one of the above devices and they are connected on the WAN, make sure to remove your device from the internet," WizCase stated in its advisory for the vulnerability in 2018. "Make sure they are running only locally in safe network."
The previously undisclosed vulnerability, CVE-2021-35941, affects My Book Live and My Book Live Duo and is described as "an administrator API that can perform a system factory restore without authentication," according to its listing in the National Vulnerability Database.
The attackers launched automated scans from multiple IP addresses to trigger the vulnerabilities. On vulnerable and accessible systems, the attackers installed a Trojan on the systems in the form of a Linux binary compiled for the PowerPC architecture used by the My Book products.
This is not the first time NAS devices have been targeted by attackers. In 2019, a ransomware gang targeted the users of QNAP Systems' NAS products using brute-force credential stuffing and known vulnerabilities to install the eCh0raix malware, which encrypts the data on the drives.
Western Digital urged users to disconnect the vulnerable storage systems from the Internet. The company plans to offer to recover the data of affected customers.
"For customers who have lost data as a result of these attacks, Western Digital will provide data recovery services," the company said. "My Book Live users will also be offered a trade-in program to upgrade to a supported My Cloud device. Both programs will be available beginning in July, and details on how to take advantage of these programs will be made available in a separate announcement."