Hackers Use Western Digital My Book Zero-day Vulnerability to Mass-wipe Live Devices

Recently, Western Digital encountered a zero-day vulnerability that has been identified as CVE-2021-35941. However, this is not the first time attackers have targeted the Western Digital My Book Live NAS.

Western Digital's researchers stated that, in addition to the previously known vulnerability CVE-2018-18472, the attackers exploited a second vulnerability that enabled them to carry out mass factory resets of devices, leading to a huge amount of data loss.

After this attack, many WD My Book Live customers discovered that their files and backups had been deleted and that the network storage appliance had been factory reset.

Updates

Initially, on 26 June at around 8 pm, after a proper investigation, WD's My Book Live researchers affirmed that there may have been multiple simultaneous attackers.

Censys also added an update regarding the authentication code discussed, which is located in system_factory_restore.

They also added updates to nearly all of the findings from the My Book Live firmware, including an update on how the threat actors kept control of the devices by password-protecting the RCE.

After confirming the attack, WD's My Book Live researchers added details on the discovery of the payload that had been sent to My Book Live devices. The experts also added a proper examination of the payload code and of the endpoint they had found.

Hackers used the zero-day to perform factory resets

According to the investigation, the experts concluded that this vulnerability is reachable through the remote administration console and that it would normally require an admin to authenticate to the device.

However, the attack is not very difficult for the threat actors to execute: once the attackers determine the correct parameters for the endpoint, they can easily trigger factory resets on the affected devices en masse.

Battle for control of the NAS

The threat actors had been carrying out malicious activity before exploiting this zero-day vulnerability. According to the report, the hackers used the older vulnerability from 2018, CVE-2018-18472, against publicly exposed WD My Book Live devices, after which they could add them to a botnet.

The threat actors' main motive for exploiting this vulnerability is that it executes a command on the NAS device which downloads a script from a remote site and runs it.

Recommendations

  • First, disconnect the My Book Live device from your network.
  • Then make sure that any corporate resources used at home-user sites are secured.
  • Lastly, Censys ASM can help you find all compromised Western Digital My Book Live devices on your attack surface simply by filtering on the certificate fingerprint.

In addition, the hackers who exploited CVE-2018-18472 used the code execution they gained to modify the file named language_configuration.php on the My Book Live stack, where the vulnerability resides.
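As an added defensive example that is not part of the article or of Western Digital's own material, the following Python snippet scans web-server access log lines from a NAS for requests touching the two paths the article names, the system_factory_restore endpoint and the language_configuration.php file, and groups them by source address. The Apache-style log layout, the URL prefixes and the sample lines are all assumptions constructed for illustration; the real device's log format may differ.

```python
import re
from collections import defaultdict

# Path fragments named in the article: the factory-restore endpoint and the
# PHP file that attackers modified after gaining code execution.
SUSPICIOUS_PATHS = ("system_factory_restore", "language_configuration.php")

# Assumed Apache/common-style access log layout; adjust the regex for a
# different web server or log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def find_suspicious_requests(lines):
    """Return {source_ip: [(timestamp, method, path, status), ...]} for
    every request whose path contains one of SUSPICIOUS_PATHS."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        path = m.group("path")
        if any(marker in path for marker in SUSPICIOUS_PATHS):
            hits[m.group("ip")].append(
                (m.group("ts"), m.group("method"), path, int(m.group("status")))
            )
    return dict(hits)

# Constructed sample log lines (not real traffic). The URL prefixes are
# placeholders; the private and 203.0.113.0/24 addresses are documentation ranges.
SAMPLE_LOG = [
    '192.168.1.20 - - [25/Jun/2021:19:58:01 +0000] "GET /UI/ HTTP/1.1" 200 5120',
    '203.0.113.45 - - [25/Jun/2021:20:01:14 +0000] "POST /language_configuration.php HTTP/1.1" 200 41',
    '203.0.113.45 - - [25/Jun/2021:20:01:16 +0000] "POST /system_factory_restore HTTP/1.1" 200 12',
    '192.168.1.20 - - [25/Jun/2021:20:05:00 +0000] "GET /UI/images/logo.png HTTP/1.1" 200 2048',
    'garbage line that does not match the log format',
]

if __name__ == "__main__":
    for ip, reqs in find_suspicious_requests(SAMPLE_LOG).items():
        print(f"{ip}: {len(reqs)} request(s) to sensitive endpoints")
        for ts, method, path, status in reqs:
            print(f"  {ts} {method} {path} -> {status}")
```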

The experts are still working out the full details of the vulnerability, and they stated that this attack was carried out by several different cybercriminal groups.
