Dark Reading is part of the Informa Tech Division of Informa PLC


6/30/2021
04:20 PM

MyBook Investigation Reveals Attackers Exploited Legacy, Zero-Day Vulnerabilities

A previously unknown flaw in Western Digital's older network-attached storage systems allowed unauthenticated commands to trigger a factory reset, formatting the hard drives, says the company after its preliminary investigation.

Unknown attackers targeted certain network-attached storage (NAS) systems made by Western Digital, exploiting a known flaw from 2018 and a zero-day vulnerability to compromise remotely accessible devices and delete data, the company stated in the initial results of its investigation published on June 29. 

The investigation found that attackers targeted two vulnerabilities in the firmware of My Book Live and My Book Live Duo devices, which were introduced in 2010 and last received a firmware update in 2015. The first vulnerability, reported in 2018 (CVE-2018-18472), allowed attackers to run commands on a device with root privileges, while the second (CVE-2021-35941) allowed attackers to trigger a factory reset without authentication. In many cases, attackers installed malware on the devices by exploiting the first vulnerability before wiping the drives via the second.


Western Digital's security team analyzed log files provided by customers to understand the attack, finding that attackers scanned for vulnerable devices and then compromised them, the company stated in its advisory.

"The log files we reviewed show that the attackers directly connected to the affected My Book Live devices from a variety of IP addresses in different countries," the company stated. "Our investigation shows that in some cases, the same attacker exploited both vulnerabilities on the device, as evidenced by the source IP. The first vulnerability was exploited to install a malicious binary on the device, and the second vulnerability was later exploited to reset the device."
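The two-stage pattern Western Digital describes, a source IP that first reaches the command-execution flaw and later the unauthenticated reset, is something a defender can check for in their own device logs. The following is an added example, not Western Digital's tooling or code from this article: it parses constructed common-log-style lines and groups successful hits per source address. The endpoint paths `/api/exec` and `/api/factory_restore` are hypothetical placeholders for the two APIs, not the real My Book Live routes, and the log lines are constructed sample data.

```python
"""Correlate two-stage NAS API abuse per source IP (added example; constructed data)."""
import re
from datetime import datetime

# Constructed sample lines (hypothetical format and paths, not real device logs).
SAMPLE_LOG = """\
203.0.113.7 - - [23/Jun/2021:01:12:03 +0000] "POST /api/exec HTTP/1.1" 200 17
203.0.113.7 - - [23/Jun/2021:01:12:04 +0000] "GET /api/status HTTP/1.1" 200 512
198.51.100.9 - - [23/Jun/2021:02:40:11 +0000] "GET /api/status HTTP/1.1" 200 512
203.0.113.7 - - [24/Jun/2021:09:30:45 +0000] "POST /api/factory_restore HTTP/1.1" 200 2
192.0.2.44 - - [24/Jun/2021:09:31:10 +0000] "POST /api/factory_restore HTTP/1.1" 200 2
192.0.2.44 - - [24/Jun/2021:09:31:12 +0000] "POST /api/exec HTTP/1.1" 403 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Hypothetical placeholders: stage 1 = unauthenticated command execution,
# stage 2 = unauthenticated factory restore.
STAGE1_PATHS = {"/api/exec"}
STAGE2_PATHS = {"/api/factory_restore"}


def parse_log(text):
    """Yield (ip, timestamp, path, status) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        yield m["ip"], datetime.strptime(m["ts"], TS_FMT), m["path"], int(m["status"])


def correlate(text):
    """Return {ip: verdict} for every IP that successfully hit either stage.

    Verdicts: 'both-stages' (exec then reset, in that order), 'both-unordered'
    (both seen, reset first), 'exec-only', 'reset-only'. Only 2xx/3xx responses
    count, so a blocked request (e.g. 403) does not mark an IP as exploiting.
    """
    first_stage1, first_stage2 = {}, {}
    for ip, ts, path, status in parse_log(text):
        if status >= 400:
            continue
        if path in STAGE1_PATHS:
            first_stage1.setdefault(ip, ts)
        elif path in STAGE2_PATHS:
            first_stage2.setdefault(ip, ts)

    verdicts = {}
    for ip in set(first_stage1) | set(first_stage2):
        t1, t2 = first_stage1.get(ip), first_stage2.get(ip)
        if t1 and t2:
            verdicts[ip] = "both-stages" if t1 < t2 else "both-unordered"
        elif t2:
            verdicts[ip] = "reset-only"
        else:
            verdicts[ip] = "exec-only"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in sorted(correlate(SAMPLE_LOG).items()):
        print(f"{ip:15} {verdict}")
```

Keying on the first successful hit per stage keeps the check robust against repeated scanner traffic; an IP that only probed a read-only status endpoint, or whose exploit attempt was rejected, never appears in the verdicts.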

The results of the investigation come five days after Western Digital My Book users inundated support forums with complaints that their data had been completely deleted from their NAS systems. The attacks occurred on June 23 and 24 and triggered a factory reset on many devices. Unlike ransomware attacks that encrypt data and demand a payment for the keys, the attacks do not appear to have a financial motive.

The company warned that NAS systems either connected directly to the Internet or connected through port forwarding are vulnerable to exploitation.

"Our investigation of this incident has not uncovered any evidence that Western Digital cloud services, firmware update servers, or customer credentials were compromised," the company stated in its advisory. "As the My Book Live devices can be directly exposed to the internet through port forwarding, the attackers may be able to discover vulnerable devices through port scanning."

The vulnerabilities appear to affect only the My Book Live and My Book Live Duo NAS systems, although the original 2018 vulnerability report (CVE-2018-18472) mentions that some models of WD My Cloud NAS may be affected as well.

"If you are using one of the above devices and they are connected on the WAN, make sure to remove your device from the internet," WizCase stated in its advisory for the vulnerability in 2018. "Make sure they are running only locally in safe network."

The previously undisclosed vulnerability, CVE-2021-35941, affects My Book Live and My Book Live Duo and is described as "an administrator API that can perform a system factory restore without authentication," according to its listing in the National Vulnerability Database.
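The design failure behind CVE-2021-35941 is a destructive administrator operation reachable without any authentication check. The following is an added example, not Western Digital firmware code or anything from this article: it contrasts a legacy-style router that exposes every handler as registered with a default-deny router in which each route declares the privilege it needs, callers are rejected before any handler runs, and destructive routes require an explicit confirmation and are audited. The route names, the `Session` and `Device` types and the handler bodies are hypothetical.

```python
"""Destructive admin API behind a default-deny dispatcher (added example; hypothetical routes)."""
from dataclasses import dataclass, field


@dataclass
class Session:
    """Hypothetical caller identity as the web layer would establish it."""
    authenticated: bool = False
    is_admin: bool = False


@dataclass
class Device:
    """Toy device state: 'wiped' records whether a factory restore ran."""
    wiped: bool = False
    audit: list = field(default_factory=list)


def factory_restore(dev):
    """Destructive: models formatting the drives."""
    dev.wiped = True
    return 200, "restore started"


def system_status(dev):
    return 200, "ok"


# Legacy-style router: a handler is reachable as soon as it is registered and
# nothing checks who is calling. This mirrors the class of bug the article
# describes; it is illustrative code, not the actual firmware.
LEGACY_ROUTES = {
    "/api/system_status": system_status,
    "/api/factory_restore": factory_restore,
}


def legacy_dispatch(dev, path, session):
    handler = LEGACY_ROUTES.get(path)
    if handler is None:
        return 404, "not found"
    return handler(dev)  # session is never consulted


# Hardened router: every route states the privilege it requires and whether it
# is destructive; the dispatcher enforces both before any handler runs.
HARDENED_ROUTES = {
    # path: (handler, required role, destructive)
    "/api/system_status": (system_status, "user", False),
    "/api/factory_restore": (factory_restore, "admin", True),
}


def hardened_dispatch(dev, path, session, confirm=False):
    entry = HARDENED_ROUTES.get(path)
    if entry is None:
        return 404, "not found"
    handler, needed, destructive = entry
    if not session.authenticated:
        return 401, "authentication required"
    if needed == "admin" and not session.is_admin:
        return 403, "admin privilege required"
    if destructive and not confirm:
        return 400, "destructive action requires explicit confirmation"
    dev.audit.append((path, needed, destructive))  # record who reached what
    return handler(dev)


if __name__ == "__main__":
    anon = Session()
    dev = Device()
    print("legacy, anonymous:", legacy_dispatch(dev, "/api/factory_restore", anon), "wiped:", dev.wiped)
    dev = Device()
    print("hardened, anonymous:", hardened_dispatch(dev, "/api/factory_restore", anon), "wiped:", dev.wiped)
    admin = Session(authenticated=True, is_admin=True)
    print("hardened, admin+confirm:", hardened_dispatch(dev, "/api/factory_restore", admin, confirm=True), "wiped:", dev.wiped)
```

The point of the route table is that the authorization decision lives in one place and fails closed: a new handler cannot be added without declaring its required role, so forgetting the check, which is what an unauthenticated factory-restore API amounts to, is no longer an available mistake.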

The attackers launched automated scans from multiple IP addresses to find exposed devices and then exploited the vulnerabilities. On vulnerable and accessible systems, the attackers installed a Trojan in the form of a Linux binary compiled for the PowerPC architecture used by the My Book products.

This is not the first time NAS devices have been targeted by attackers. In 2019, a ransomware gang targeted users of QNAP Systems' NAS products, brute-forcing weak credentials and exploiting known vulnerabilities to install the eCh0raix malware, which encrypts the data on the drives.

Western Digital urged users to disconnect the vulnerable storage systems from the Internet. The company plans to offer to recover the data of affected customers.

"For customers who have lost data as a result of these attacks, Western Digital will provide data recovery services," the company said. "My Book Live users will also be offered a trade-in program to upgrade to a supported My Cloud device. Both programs will be available beginning in July, and details on how to take advantage of these programs will be made available in a separate announcement."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
