MyBook Investigation Reveals Attackers Exploited Legacy, Zero-Day Vulnerabilities

A previously unknown flaw in Western Digital's older network-attached storage systems allowed unauthenticated commands to trigger a factory reset, formatting the hard drives, says the company after its preliminary investigation.

Unknown attackers targeted certain network-attached storage (NAS) systems made by Western Digital, exploiting a known flaw from 2018 and a zero-day vulnerability to compromise remotely accessible devices and delete data, the company stated in the initial results of its investigation published on June 29. 

The investigation discovered that attackers targeted two vulnerabilities in the firmware of My Book Live and My Book Live Duo devices, which were introduced into the market in 2010 and were last updated in 2015. The first vulnerability, reported in 2018, allowed attackers to run commands on a device with root privileges, while a second vulnerability gave attackers the ability to execute a factory-reset operation without authentication. In many cases, attackers installed malware on the devices by exploiting the first vulnerability, before deleting the drives via the second vulnerability.

Western Digital's security team analyzed log files provided by customers to understand the attack, finding that attackers scanned for vulnerable devices and then compromised them, the company stated in its advisory.

"The log files we reviewed show that the attackers directly connected to the affected My Book Live devices from a variety of IP addresses in different countries," the company stated. "Our investigation shows that in some cases, the same attacker exploited both vulnerabilities on the device, as evidenced by the source IP. The first vulnerability was exploited to install a malicious binary on the device, and the second vulnerability was later exploited to reset the device."
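The correlation described in that quote, a single source IP first hitting the command-execution interface and later the unauthenticated reset interface, can be reproduced as a small log-analysis routine. The following is an added example written for this article, not code from Western Digital's investigation; the log lines are constructed, and the two endpoint paths are placeholders standing in for the device's real API routes, which the article does not name.

```python
import re
from collections import defaultdict
from datetime import datetime

# Common-log-format parser: client IP, timestamp, request line, HTTP status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Placeholder endpoint patterns (assumption): stand-ins for the two firmware
# interfaces the article describes, not the device's actual API paths.
SIGNATURES = {
    "CMD_EXEC": re.compile(r"^/api/placeholder-cmd-endpoint$"),
    "FACTORY_RESET": re.compile(r"^/api/placeholder-factory-restore$"),
}

# Constructed sample log excerpt (not real device logs).
SAMPLE_LOG = """\
203.0.113.10 - - [23/Jun/2021:02:14:05 +0000] "POST /api/placeholder-cmd-endpoint HTTP/1.1" 200 52
203.0.113.10 - - [23/Jun/2021:02:14:09 +0000] "GET /api/placeholder-cmd-endpoint?arg=x HTTP/1.1" 200 12
198.51.100.7 - - [23/Jun/2021:03:01:44 +0000] "GET /index.php HTTP/1.1" 200 1834
203.0.113.10 - - [24/Jun/2021:11:30:01 +0000] "POST /api/placeholder-factory-restore HTTP/1.1" 200 0
192.0.2.55 - - [24/Jun/2021:11:45:13 +0000] "POST /api/placeholder-factory-restore HTTP/1.1" 200 0
"""


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts,
            "path": m.group("path"), "status": int(m.group("status"))}


def classify(path):
    """Map a request path (query string stripped) to a stage name, or None."""
    bare = path.split("?", 1)[0]
    for name, pat in SIGNATURES.items():
        if pat.match(bare):
            return name
    return None


def correlate(log_text):
    """Group suspicious hits by source IP and flag IPs that used both stages
    in the order the article describes (command execution, then reset)."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        stage = classify(rec["path"])
        if stage is None:
            continue
        by_ip[rec["ip"]].append((rec["ts"], stage, rec["status"]))

    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        stages = {s for _, s, _ in events}
        first_cmd = min((t for t, s, _ in events if s == "CMD_EXEC"), default=None)
        first_reset = min((t for t, s, _ in events if s == "FACTORY_RESET"), default=None)
        findings[ip] = {
            "events": events,
            "both_stages": stages == {"CMD_EXEC", "FACTORY_RESET"},
            # True only when the command stage precedes the reset stage.
            "cmd_before_reset": (first_cmd is not None and first_reset is not None
                                 and first_cmd < first_reset),
        }
    return findings


if __name__ == "__main__":
    for ip, f in sorted(correlate(SAMPLE_LOG).items()):
        print(ip, "both stages" if f["both_stages"] else "reset only",
              "ordered" if f["cmd_before_reset"] else "")
```

Running this against the constructed excerpt reports 203.0.113.10 as the source that exercised both stages in order, 192.0.2.55 as a reset-only source, and ignores the ordinary page request from 198.51.100.7. On a real device the same grouping by source IP is what lets an analyst tell a two-stage intrusion from an isolated reset call.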

The results of the investigation come five days after Western Digital My Book users inundated support forums with complaints that their data had been completely deleted from their NAS systems. The attacks, which occurred on June 23 and 24, triggered a factory reset on many devices. Unlike ransomware attacks that encrypt data and demand a payment for the keys, the attacks do not appear to have a financial motive.

The company warned that NAS systems either connected directly to the Internet or connected through port forwarding are vulnerable to exploitation.

"Our investigation of this incident has not uncovered any evidence that Western Digital cloud services, firmware update servers, or customer credentials were compromised," the company stated in its advisory. "As the My Book Live devices can be directly exposed to the internet through port forwarding, the attackers may be able to discover vulnerable devices through port scanning."

The vulnerabilities appear to affect only the My Book Live and My Book Live Duo NAS systems, although the original 2018 vulnerability report (CVE-2018-18472) also mentions that some models of WD My Cloud NAS may also be affected. 

"If you are using one of the above devices and they are connected on the WAN, make sure to remove your device from the internet," WizCase stated in its advisory for the vulnerability in 2018. "Make sure they are running only locally in safe network."

The previously undisclosed vulnerability, CVE-2021-35941, affects My Book Live and My Book Live Duo and is described as "an administrator API that can perform a system factory restore without authentication," according to its listing in the National Vulnerability Database.

The attackers launched automated scans from multiple IP addresses to trigger the vulnerabilities. On vulnerable and accessible systems, the attackers installed a Trojan on the systems in the form of a Linux binary compiled for the PowerPC architecture used by the My Book products. 
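Because the dropped binary had to be built for the NAS's own PowerPC CPU, one cheap triage step on a recovered disk image is to read the ELF header of any unexpected file and check its target architecture. The following is an added example, not code from the article or from Western Digital; the header bytes it tests against are constructed with a helper rather than taken from any real sample.

```python
import struct

# e_machine values from the ELF specification.
MACHINES = {3: "x86", 8: "MIPS", 20: "PowerPC", 21: "PowerPC64",
            40: "ARM", 62: "x86-64", 183: "AArch64"}
EM_PPC = 20


def elf_info(data):
    """Parse the ELF identification bytes and e_type/e_machine fields.
    Returns None for anything that is not an ELF file."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    ei_class, ei_data = data[4], data[5]          # 1/2 = 32/64-bit, 1/2 = LE/BE
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "type": {1: "REL", 2: "EXEC", 3: "DYN"}.get(e_type, f"0x{e_type:x}"),
        "machine": MACHINES.get(e_machine, f"unknown(0x{e_machine:x})"),
        "e_machine": e_machine,
    }


def is_native_binary(data, expected_machine=EM_PPC):
    """True when the file is an ELF built for the device's own architecture,
    i.e. something that could actually execute on the NAS."""
    info = elf_info(data)
    return info is not None and info["e_machine"] == expected_machine


def make_header(ei_class, ei_data, e_machine, e_type=2):
    """Construct a minimal ELF header (sample input only, not a real file)."""
    endian = "<" if ei_data == 1 else ">"
    ident = b"\x7fELF" + bytes([ei_class, ei_data, 1, 0]) + b"\x00" * 8
    rest = struct.pack(endian + "HHI", e_type, e_machine, 1)
    size = 52 if ei_class == 1 else 64
    return (ident + rest).ljust(size, b"\x00")


if __name__ == "__main__":
    # Constructed samples: a big-endian 32-bit PowerPC executable and an
    # x86-64 shared object, plus a shell script for contrast.
    for name, blob in [("ppc-exec", make_header(1, 2, EM_PPC)),
                       ("x86_64-dyn", make_header(2, 1, 62, e_type=3)),
                       ("script", b"#!/bin/sh\necho hi\n")]:
        print(name, elf_info(blob), "native:", is_native_binary(blob))
```

During triage, running `is_native_binary` over files in directories that should hold only web content or user data narrows the search to files that could have been executed by the device; a non-ELF file or an ELF for another CPU cannot be the implant the article describes, although it may still be worth a look.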

This is not the first time NAS devices have been targeted by attackers. In 2019, a ransomware gang targeted the users of QNAP Systems' NAS products using brute-force credential stuffing and known vulnerabilities to install the eCh0raix malware, which encrypts the data on the drives.

Western Digital urged users to disconnect the vulnerable storage systems from the Internet. The company plans to offer to recover the data of affected customers.

"For customers who have lost data as a result of these attacks, Western Digital will provide data recovery services," the company said. "My Book Live users will also be offered a trade-in program to upgrade to a supported My Cloud device. Both programs will be available beginning in July, and details on how to take advantage of these programs will be made available in a separate announcement."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
