Thursday, March 28, 2024

Hackers Use Western Digital My Book Zero-day Vulnerability to Mass-wipe Live Devices

Recently, Western Digital encountered a Zero-day vulnerability that has been identified as CVE-2021-35941. However, it is not the first when the hacker is targeting the Western Digital My Book Live NAS.

The researchers of Western Digital asserted that in addition to the previous vulnerability identified as CVE-2018-1847, the attackers came up with another vulnerability that generally enabled the hackers to carry out the mass-factory resets of devices leads to a huge amount of data loss.

After this attack, many customers of WD’s My Book Live had discovered a deletion of files and backups, along with the network storage appliance factory reset. 

Updates

Initially, on 26 June nearly at 8 pm after a proper investigation, WD’s My Book Live researchers affirmed that there may be multiple simultaneous attackers. 

Apart from this Censys also added the update regarding the discussed authentication code is in system_factory_restore.

They had also added updates to nearly all the findings from the My Book Live firmware, there was also an update about the threat actors control by password protecting the RCE.

After confirming the attack, the researcher of WD’s My Book Live added data on the discovery of the payload and soon it has been sent to My Book Live devices. Moreover, the experts also added a proper examination of the payload code and endpoint that they have found.

To perform factory resets hackers used Zero-day

According to the investigation, the experts opined that this vulnerability enabled via remote administration consoles, and it most probably needed an admin to authenticate themselves to the device.

However, it is not very difficult for the threat actors to execute this attack, because if the attackers could determine the correct parameters to the endpoint, they can easily execute a mass trigger of factory resets on the affected devices.

Battle for control of the NAS

The threat actors have been performing some malicious activity before executing this Zero-day vulnerability. According to the report, the hackers have used the old vulnerability that took place in 2018 CVE-2018-18472 to publicly expose the WD’s My Book Live, and later they can add them to the botnet.

The main motive of the threat actors for executing this vulnerability is that it will execute a command on the NAS device that will eventually download a script from a remote site and implement it accordingly. 

Recommendations

  • Initially separate the My Book Live device from your network.
  • After that make sure that the corporate resources that are used in home user sites are inured.
  • Lastly, Censys ASM will help you to find all the negotiated Western Digital My Book Live devices on the attack surface, just by filtering on the certificate fingerprint.

Apart from all these, the hackers who have exploited CVE-2018-18472 used the implemented code execution chance to modify the file named language_configuration.php on the My Book Live stack where the vulnerability endure.

The experts are yet trying to reach out to all the details regarding the vulnerability, and they declared that this attack has been carried out by different cybercriminal groups.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Website

Latest articles

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles