Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


End of Bibblio RCM includes -->

MyBook Investigation Reveals Attackers Exploited Legacy, Zero-Day Vulnerabilities

A previously unknown flaw in Western Digital's older network-attached storage systems allowed unauthenticated commands to trigger a factory reset, formatting the hard drives, says the company after its preliminary investigation.

Unknown attackers targeted certain network-attached storage (NAS) systems made by Western Digital, exploiting a known flaw from 2018 and a zero-day vulnerability to compromise remotely accessible devices and delete data, the company stated in the initial results of its investigation published on June 29. 

The investigation discovered that attackers targeted two vulnerabilities in the firmware of My Book Live and My Book Live Duo devices, which were introduced into the market in 2010 and were last updated in 2015. The first vulnerability, reported in 2018, allowed attackers to run commands on a device with root privileges, while a second vulnerability gave attackers the ability to execute a factory-reset operation without authentication. In many cases, attackers installed malware on the devices by exploiting the first vulnerability, before deleting the drives via the second vulnerability.

Related Content:

Attacks Erase Western Digital Network-Attached Storage Drives

Special Report: Building the SOC of the Future

New From The Edge: 7 Skills the Transportation Sector Needs to Fuel Its Security Teams

Western Digital's security team analyzed log files provided by customers to understand the attack, finding that attackers scanned for vulnerable devices and then compromised them, the company stated in its advisory.

"The log files we reviewed show that the attackers directly connected to the affected My Book Live devices from a variety of IP addresses in different countries," the company stated. "Our investigation shows that in some cases, the same attacker exploited both vulnerabilities on the device, as evidenced by the source IP. The first vulnerability was exploited to install a malicious binary on the device, and the second vulnerability was later exploited to reset the device."

The results of the investigation come five days after Western Digital My Book users inundated support forums with complaints that their data had been completely deleted from their NAS systems. The attacks occurred on June 23 and 24, triggered a factory reset on many devices. Unlike ransomware attacks that encrypt data and demand a payment for the keys, the attacks do not appear to have a financial motive. 

The company warned that NAS systems either connected directly to the Internet or connected through port forwarding are vulnerable to exploitation.

"Our investigation of this incident has not uncovered any evidence that Western Digital cloud services, firmware update servers, or customer credentials were compromised," the company stated in its advisory. "As the My Book Live devices can be directly exposed to the internet through port forwarding, the attackers may be able to discover vulnerable devices through port scanning."

The vulnerabilities appear to affect only the My Book Live and My Book Live Duo NAS systems, although the original 2018 vulnerability report (CVE-2018-18472) also mentions that some models of WD My Cloud NAS may also be affected. 

"If you are using one of the above devices and they are connected on the WAN, make sure to remove your device from the internet," WizCase stated in its advisory for the vulnerability in 2018. "Make sure they are running only locally in safe network."

The previously undisclosed vulnerability, CVE-2021-35941, affects My Book Live and My Book Live Duo and is described as "an administrator API that can perform a system factory restore without authentication," according to its listing in the National Vulnerability Database.

The attackers launched automated scans from multiple IP addresses to trigger the vulnerabilities. On vulnerable and accessible systems, the attackers installed a Trojan on the systems in the form of a Linux binary compiled for the PowerPC architecture used by the My Book products. 

This is not the first time NAS devices have been targeted by attackers. In 2019, a ransomware gang targeted the users of QNAP Systems' NAS products using brute-force credential stuffing and known vulnerabilities to install the eCh0raix malware, which encrypts the data on the drives.

Western Digital urged users to disconnect the vulnerable storage systems from the Internet. The company plans to offer to recover the data of affected customers.

"For customers who have lost data as a result of these attacks, Western Digital will provide data recovery services," the company said. "My Book Live users will also be offered a trade-in program to upgrade to a supported My Cloud device. Both programs will be available beginning in July, and details on how to take advantage of these programs will be made available in a separate announcement."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The Promise and Reality of Cloud Security
Cloud security has been part of the cybersecurity conversation for years but has been on the sidelines for most enterprises. The shift to remote work during the COVID-19 pandemic and digital transformation projects have moved cloud infrastructure front-and-center as enterprises address the associated security risks. This report - a compilation of cutting-edge Black Hat research, in-depth Omdia analysis, and comprehensive Dark Reading reporting - explores how cloud security is rapidly evolving.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-02-04
There are issues with the AGE drivers for Golang and Python that enable SQL injections to occur. This impacts AGE for PostgreSQL 11 & AGE for PostgreSQL 12, all versions up-to-and-including 1.1.0, when using those drivers. The fix is to update to the latest Golang and Python drivers in addition ...
PUBLISHED: 2023-02-04
An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.4 and prior may allow an authenticated remote attacker to perform a reflected cross-site scripting (XSS) attack in multiple features. Upgrade to Apache Sling Ap...
PUBLISHED: 2023-02-04
hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks.
PUBLISHED: 2023-02-04
Cross-site Scripting (XSS) - Reflected in GitHub repository phpipam/phpipam prior to 1.5.1.
PUBLISHED: 2023-02-04
Cross-site Scripting (XSS) - Reflected in GitHub repository phpipam/phpipam prior to v1.5.1.