
MyBook Investigation Reveals Attackers Exploited Legacy, Zero-Day Vulnerabilities

A previously unknown flaw in Western Digital's older network-attached storage systems allowed unauthenticated commands to trigger a factory reset, formatting the hard drives, says the company after its preliminary investigation.

Unknown attackers targeted certain network-attached storage (NAS) systems made by Western Digital, exploiting a known flaw from 2018 and a zero-day vulnerability to compromise remotely accessible devices and delete data, the company stated in the initial results of its investigation published on June 29. 

The investigation discovered that attackers targeted two vulnerabilities in the firmware of My Book Live and My Book Live Duo devices, which were introduced into the market in 2010 and were last updated in 2015. The first vulnerability, reported in 2018, allowed attackers to run commands on a device with root privileges, while a second vulnerability gave attackers the ability to execute a factory-reset operation without authentication. In many cases, attackers installed malware on the devices by exploiting the first vulnerability, before deleting the drives via the second vulnerability.


Western Digital's security team analyzed log files provided by customers to understand the attack, finding that attackers scanned for vulnerable devices and then compromised them, the company stated in its advisory.

"The log files we reviewed show that the attackers directly connected to the affected My Book Live devices from a variety of IP addresses in different countries," the company stated. "Our investigation shows that in some cases, the same attacker exploited both vulnerabilities on the device, as evidenced by the source IP. The first vulnerability was exploited to install a malicious binary on the device, and the second vulnerability was later exploited to reset the device."
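The per-source correlation the advisory describes can be reproduced over device access logs. The following is an added illustration, not code from the article or from Western Digital: it groups requests by source IP over a few constructed Common Log Format lines and flags sources that hit the command-execution endpoint before the factory-restore endpoint. The endpoint paths are placeholders, since the article does not name them.

```python
import re
from collections import defaultdict
from datetime import datetime

# Placeholder paths standing in for the two vulnerable handlers; the real
# endpoint names are not given in the article, so these are assumptions.
CMD_ENDPOINT = "/PLACEHOLDER_command_endpoint"
RESET_ENDPOINT = "/PLACEHOLDER_factory_restore_endpoint"

# Constructed sample access log (Common Log Format), not real device logs.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Jun/2021:10:01:02 +0000] "GET /UI/ HTTP/1.1" 200 512
203.0.113.5 - - [23/Jun/2021:10:01:09 +0000] "POST /PLACEHOLDER_command_endpoint HTTP/1.1" 200 0
198.51.100.7 - - [23/Jun/2021:11:30:00 +0000] "POST /PLACEHOLDER_factory_restore_endpoint HTTP/1.1" 200 0
203.0.113.5 - - [24/Jun/2021:02:15:44 +0000] "POST /PLACEHOLDER_factory_restore_endpoint HTTP/1.1" 200 0
192.168.1.20 - - [24/Jun/2021:03:00:00 +0000] "GET /UI/ HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_log(text):
    """Yield (ip, timestamp, path) for each well-formed CLF line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the analysis
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], ts, m["path"]

def correlate(text):
    """Per source IP, record the first hit on each vulnerable endpoint and whether
    the sequence matches the advisory's pattern (command endpoint, then reset)."""
    first = defaultdict(dict)
    for ip, ts, path in parse_log(text):
        if path == CMD_ENDPOINT:
            first[ip].setdefault("cmd", ts)  # keep the earliest hit only
        elif path == RESET_ENDPOINT:
            first[ip].setdefault("reset", ts)
    report = {}
    for ip, hits in first.items():
        cmd, reset = hits.get("cmd"), hits.get("reset")
        report[ip] = {
            "cmd": cmd,
            "reset": reset,
            "both_in_order": cmd is not None and reset is not None and cmd < reset,
        }
    return report

if __name__ == "__main__":
    for ip, finding in correlate(SAMPLE_LOG).items():
        print(ip, finding)
```

Sources that appear only with a reset hit (198.51.100.7 above) still matter, since the restore endpoint needed no authentication; the ordered pair simply singles out the two-stage pattern the advisory reports.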

The results of the investigation come five days after Western Digital My Book users inundated support forums with complaints that their data had been completely deleted from their NAS systems. The attacks, which occurred on June 23 and 24, triggered a factory reset on many devices. Unlike ransomware attacks that encrypt data and demand a payment for the keys, the attacks do not appear to have a financial motive.

The company warned that NAS systems either connected directly to the Internet or connected through port forwarding are vulnerable to exploitation.

"Our investigation of this incident has not uncovered any evidence that Western Digital cloud services, firmware update servers, or customer credentials were compromised," the company stated in its advisory. "As the My Book Live devices can be directly exposed to the internet through port forwarding, the attackers may be able to discover vulnerable devices through port scanning."

The vulnerabilities appear to affect only the My Book Live and My Book Live Duo NAS systems, although the original 2018 vulnerability report (CVE-2018-18472) also mentions that some models of WD My Cloud NAS may also be affected. 

"If you are using one of the above devices and they are connected on the WAN, make sure to remove your device from the internet," WizCase stated in its advisory for the vulnerability in 2018. "Make sure they are running only locally in safe network."

The previously undisclosed vulnerability, CVE-2021-35941, affects My Book Live and My Book Live Duo and is described as "an administrator API that can perform a system factory restore without authentication," according to its listing in the National Vulnerability Database.

The attackers launched automated scans from multiple IP addresses to trigger the vulnerabilities. On vulnerable and accessible systems, the attackers installed a Trojan on the systems in the form of a Linux binary compiled for the PowerPC architecture used by the My Book products. 

This is not the first time NAS devices have been targeted by attackers. In 2019, a ransomware gang targeted the users of QNAP Systems' NAS products using brute-force credential stuffing and known vulnerabilities to install the eCh0raix malware, which encrypts the data on the drives.

Western Digital urged users to disconnect the vulnerable storage systems from the Internet. The company plans to offer to recover the data of affected customers.

"For customers who have lost data as a result of these attacks, Western Digital will provide data recovery services," the company said. "My Book Live users will also be offered a trade-in program to upgrade to a supported My Cloud device. Both programs will be available beginning in July, and details on how to take advantage of these programs will be made available in a separate announcement."
