Imagine accessing your external hard drive and discovering that, all of a sudden, all the data stored there are gone. Many users of the lines My Book Live and My Book Live Duo, gives Western Digital, have gone through this recently. It wasn’t by accident or defect, but by attack: hacker exploited two flaws in these drives to remotely erase files stored on them.
In situations like this, two questions come to mind: how? It’s because? The first question has already been answered: an investigation has revealed that the firmware of the My Book Live and My Book Live Duo devices has a zero-day vulnerability, meaning that it is exploited before the responsible for the software releases a fix.
This failure allows the HDD to be reset to factory settings. This means that not only stored data can be erased, but also administrator settings, including set passwords.
Western Digital itself reported that the flaw was found in 2018 and identified as CVE-2018-18472. The problem is that the bug has not been fixed because the My Book Live and My Book Live Duo lines for NAS had their support cycle ended in 2015.
Here’s the effect: Last week, several users noticed that their hard drives from these lines were wiped. When they tried to login via browser in the admin panel, an “invalid password” warning appeared.
Not one but two zero-day failures
The problem didn’t end there. Investigations showed that a second zero-day flaw was exploited to attack vulnerable units. The most surprising part of the second flaw is that it could have been avoided much more easily than the first.
The My Book Live line allows the user to erase data or reset the device from remote commands. But, to avoid malicious actions, the instructions for this should only be executed after entering a password. This is standard behavior on any and every system — or it should be.
However, the investigation showed that some Western Digital developer commented on the part of the script that requires authentication, meaning that these lines have been disabled.
It was up to the attackers to figure out a way to remotely order the deletion of data from this breach. As the script that performs this task did not ask for a password, the attacks were carried out successfully, much to the dismay of the users.
The second fault was identified as CVE-2021-35941. In a note, Western Digital explained that the vulnerability has existed since 2011 — the My Book Live line was released in 2010 — and that the code snippet in question was disabled because the authentication instructions were directed to another script. The problem is that this script fails to trigger the password request.
The reason for the attacks is a mystery.
What motivated the attackers to attack these units? Nobody knows for sure. The mystery increases if we take into account that, in many cases, the two flaws were exploited, but only one of them would be enough for the hard drives to be erased.
A theory raised by security company Censys is that the actions are the result of a dispute between hackers. A hacker or group could have used the first vulnerability to control hard drives with the intention of using them in other malicious actions; another hacker or group could then have used the second bug to break that control.
This theory loses strength, however, if we consider that there is evidence that some attacks exploited the two flaws from the same IP address.
For victims of the attacks, Western Digital has promised to help them recover deleted files with data recovery services. The company has also promised to offer vulnerable drive owners a program that swaps these hard drives for current supported My Cloud models.
For anyone who owns a My Book Live or My Book Live Duo unaffected by the attack, the company’s instruction is rather obvious: disconnect it from the internet as soon as possible.
With information: BleepingComputer, Ars Technica.