Hackers Use Western Digital My Book Zero-day Vulnerability to Mass-wipe Live Devices


Western Digital has recently confirmed a zero-day vulnerability, tracked as CVE-2021-35941, in its My Book Live NAS. It is not the first time attackers have targeted the Western Digital My Book Live.

Western Digital's researchers stated that, in addition to the earlier vulnerability identified as CVE-2018-1847, the attackers used a second vulnerability that let them trigger factory resets on devices at scale, causing a large amount of data loss.

After the attack, many My Book Live owners found that their files and backups had been deleted and that the network storage appliance had been reset to factory settings.


Updates

In a first update, on 26 June at around 8 pm, after investigating, the researchers working on the My Book Live attack stated that there may have been multiple attackers acting simultaneously.

Censys also posted an update concerning the authentication code in system_factory_restore, the endpoint discussed below.

They also updated nearly all of their findings from the My Book Live firmware, including an update on how the threat actors kept control of compromised devices by password-protecting the RCE.

After confirming the attack, the researchers added details on the discovery of the payload that was sent to My Book Live devices, along with an examination of the payload code and of the endpoint they found.

Hackers used a zero-day to perform factory resets

According to the investigation, the vulnerability is reachable through the remote administration console, and the experts believe it would normally have required an administrator to authenticate to the device.

However, the attack is not hard to carry out: once the attackers determined the correct parameters for the endpoint, they could trigger factory resets across the affected devices en masse.
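The failure mode described above, a destructive endpoint whose authentication gate does not actually run, is easiest to see next to its corrected form. The following is an added example, not code from the article or from Western Digital's firmware: a minimal request handler for a factory-restore endpoint, first in the weak form (the admin check is present in the source but commented out) and then in a hardened form that fails closed and records every attempt. The handler names, the Session and Device shapes and the sample file names are illustrative assumptions, not the My Book Live's actual code.

```python
"""
Added example, not code from the article or from Western Digital's firmware:
a minimal request handler for a destructive NAS endpoint, shown first in the
weak form (the authentication check exists but is commented out) and then in
a hardened form that fails closed.

Assumptions: the handler names, the Session/Device shapes and the sample file
names are illustrative stand-ins, not the My Book Live's actual code.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


@dataclass
class Session:
    user: Optional[str] = None   # None means the request is unauthenticated
    is_admin: bool = False


@dataclass
class Device:
    # Constructed sample contents standing in for the user's data.
    files: List[str] = field(default_factory=lambda: ["backup-2021.tar", "photos.zip"])
    audit_log: List[str] = field(default_factory=list)

    def factory_restore(self) -> None:
        """Destructive operation: wipes user data and settings."""
        self.files.clear()
        self.audit_log.append("factory_restore executed")


def vulnerable_system_factory_restore(device: Device, session: Session) -> dict:
    """Weak form: the admin check is present in the source but commented out,
    so any request that reaches the endpoint wipes the device."""
    # if not session.is_admin:
    #     return {"status": 401, "error": "admin login required"}
    device.factory_restore()
    return {"status": 200, "result": "restored"}


def hardened_system_factory_restore(device: Device, session: Session) -> dict:
    """Hardened form: authenticate, authorise and record the caller before the
    destructive step; every failure path returns without touching data."""
    if session.user is None:
        device.audit_log.append("factory_restore denied: unauthenticated")
        return {"status": 401, "error": "login required"}
    if not session.is_admin:
        device.audit_log.append(f"factory_restore denied: {session.user} is not admin")
        return {"status": 403, "error": "admin privilege required"}
    device.audit_log.append(f"factory_restore requested by {session.user}")
    device.factory_restore()
    return {"status": 200, "result": "restored"}


Handler = Callable[[Device, Session], dict]


def anonymous_request(handler: Handler) -> Tuple[List[str], int]:
    """Send an unauthenticated request to a handler and report what data is
    left on the device together with the HTTP status it answered with."""
    device = Device()
    response = handler(device, Session())
    return device.files, response["status"]


if __name__ == "__main__":
    print("vulnerable:", anonymous_request(vulnerable_system_factory_restore))
    print("hardened:  ", anonymous_request(hardened_system_factory_restore))
```

The point of the hardened form is not only that the check is present, but that the denied paths leave an audit record: a device that is being probed at this endpoint should show those denials in its logs before any data is at risk.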

Battle for control of the NAS

The threat actors were already active on these devices before exploiting the zero-day. According to the report, the hackers used the older 2018 vulnerability, CVE-2018-18472, against publicly exposed My Book Live devices and later added them to a botnet.

The attackers' aim in exploiting this vulnerability is to run a command on the NAS device that downloads a script from a remote site and executes it.

Recommendations

  • First, disconnect the My Book Live device from your network.
  • Next, make sure that any corporate resources used at home-user sites are secured.
  • Lastly, Censys ASM can help you find all compromised Western Digital My Book Live devices on your attack surface by filtering on the certificate fingerprint.

In addition, the hackers who exploited CVE-2018-18472 used the resulting code execution to modify the file language_configuration.php on the My Book Live stack, where the vulnerability resides.

The experts are still working out the full details of the vulnerability, and they stated that the attack was carried out by different cybercriminal groups.


Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
