Tech News

WD My Book Live NAS devices are being reformatted remotely

Nothing is scarier than the idea of losing years’ worth of data in the blink of an eye, whether through the loss of physical storage or, in this case, the deletion of said data. Owners of Western Digital’s old My Book Live storage are unfortunately living that very nightmare as they suddenly discover their external drives wiped clean. It turns out they may have been the victims of a malicious hacker who simply deleted their data, no ransom asked.

WD has made several popular My Book external storage solutions, but the My Book Live became popular for one unique feature. It connected directly to a router via an Ethernet cable, allowing owners to access data from the drive wirelessly, even remotely. Of course, that also comes with a higher risk of being compromised by remote attackers, which may be what happened here.

WD My Book Live owners around the world are expressing panic and despair in finding their precious NAS devices empty of data they have accumulated over the years. Some reported it happening overnight while others were not at home when the wipe began. One user was able to find out that affected My Book Live devices most likely went through a factory reset that deleted all their data. The question is who initiated that process.

Unlike other NAS devices, the My Book Live can only be accessed remotely through Western Digital’s cloud servers. That led to suspicions that WD’s security was compromised, leading to this attack on users. The company is investigating the incident but reports that it has no evidence of a security breach on its part. Instead, it blames the incident on threat actors targeting random individual users.

All that WD can advise the remaining unaffected owners of the My Book Live is to unplug their devices from the Internet, effectively reducing them to local storage. The company discontinued the drive in 2015 and hasn’t released any software updates since then, so it might not be in a rush to patch whatever vulnerability led to this incident. Unfortunately for those whose data has already been erased, there’s no turning back the clock if they didn’t have backups.

Repost: Original Source and Author Link

Western Digital drives remotely wiped: What experts say to do now

Owners of some Western Digital external hard drives should disconnect them from the internet and probably turn them off completely, as reports of remotely wiped data continue. The drive-maker confirmed last week that some owners had seen their network-connected storage accessed unofficially and a complete reset triggered, though details on just how much people should be concerned continue to emerge.

The affected drives, Western Digital says, are the WD My Book Live and WD My Book Live Duo. They were first released in 2010, and received their last firmware update in 2015. The company has not said how many are in circulation, nor given an estimate on how many people are still using their drives.

“Western Digital has determined that some My Book Live and My Book Live Duo devices are being compromised through exploitation of a remote command execution vulnerability,” the company said in a security bulletin. “In some cases, the attackers have triggered a factory reset that appears to erase all data on the device.”

Western Digital insists that there’s no current evidence that its own cloud services, firmware update servers, or customer credentials were compromised. Instead, it suggests, the My Book Live drives were left directly accessible via the internet, “either through direct connection or through port forwarding that was enabled either manually or automatically via UPnP.” Hackers then used port scanning to spot potential victims, the company theorizes.

“We do not yet understand why the attacker triggered the factory reset; however, we have obtained a sample of an affected device and are investigating further,” Western Digital added. “Additionally, some customers have reported that data recovery tools may be able to recover data from affected devices, and we are currently investigating the effectiveness of these tools.”

While Western Digital recommends that owners disconnect their drives from the internet for safety, the suggestion among users on Reddit is more cautious still. There, the advice is to turn the drives off altogether, on the assumption that hackers could have already loaded a trojan or some other exploit onto them. That might then be scheduled to activate, wiping the drive even if it’s not online at the time.

Although doing that would mean no access to files – and would run counter to inclinations among owners to make a second backup of what’s on the My Book Live drive as soon as possible – it’s likely to be the safest route as further investigation continues.

For those who do want to try to extract what data might remain after a full reset wipe was initiated, the Reddit thread also includes plenty of discussion about which are the best tools for that. It’s unclear just how effective – or consistently effective – they are at this stage. Unless you’re familiar with data recovery software, it might be best to sit it out until Western Digital comes up with an official route to follow.

More broadly, anybody relying on networked drives should probably take a moment to consider their security settings. Open ports, set up through a router or cable modem, are an obvious point of entry for hackers, though many connected hard drives also have some sort of remote access software that relies on a username and password to make logging in while away from home more straightforward. If that’s the case, now would be a good time to check the strength of that password, in addition to enabling two-factor authentication if offered. Or, indeed, to consider whether or not you actually need the drive to be online in the first place.

The FBI is remotely hacking hundreds of computers to protect them from Hafnium

In what’s believed to be an unprecedented move, the FBI is trying to protect hundreds of computers infected by the Hafnium hack by hacking them itself, using the original hackers’ own tools (via TechCrunch).

The hack, which affected tens of thousands of Microsoft Exchange Server customers around the world and triggered a “whole of government response” from the White House, reportedly left a number of backdoors that could let any number of hackers right into those systems again. Now, the FBI has taken advantage of this by using those same web shells / backdoors to remotely delete themselves, an operation that the agency is calling a success.

“The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path),” explains the US Justice Department.

The wild part here is that owners of these Microsoft Exchange Servers likely aren’t yet aware of the FBI’s involvement; the Justice Department says it’s merely “attempting to provide notice” to owners that they attempted to assist. It’s doing all this with the full approval of a Texas court, according to the agency. You can read the unsealed search and seizure warrant and application right here.

It’ll be interesting to see if this sets a precedent for future responses to major hacks like Hafnium. While I’m personally undecided, it’s easy to argue that the FBI is doing the world a service by removing a threat like this — while Microsoft may have been painfully slow with its initial response, Microsoft Exchange Server customers have also now had well over a month to patch their own servers after several critical alerts. I wonder how many customers will be angry, and how many grateful that the FBI, not some other hacker, took advantage of the open door. We know that critical-but-local government infrastructure often has egregious security practices, most recently resulting in two local drinking water supplies being tampered with.

The FBI says that thousands of systems were patched by their owners before it began its remote Hafnium backdoor removal operation, and that it only “removed one early hacking group’s remaining web shells which could have been used to maintain and escalate persistent, unauthorized access to U.S. networks.”

“Today’s court-authorized removal of the malicious web shells demonstrates the Department’s commitment to disrupt hacking activity using all of our legal tools, not just prosecutions,” reads a statement from Assistant Attorney General John C. Demers, with the Justice Department’s National Security Division.

Today is Patch Tuesday, by the way, and Microsoft’s April 2021 security update includes new mitigations for Exchange Server vulnerabilities, according to CISA. If you’re running a local Exchange Server or know someone who is, take a look.

This incredible exploit could have let hackers remotely own iPhones without even touching them

Ever watch that movie, or play that video game, about the hacker who can instantly take over someone’s device without touching it at all? Those scenes are typically unrealistic as heck. But every once in a while, a real-life hack makes them seem downright plausible — a hack like the one you can see examples of in the videos above and below.

Today, Google Project Zero security researcher Ian Beer has revealed that, until May, a variety of Apple iPhones and other iOS devices were vulnerable to an incredible exploit that could let attackers remotely reboot and take complete control of their devices from a distance — including reading emails and other messages, downloading photos, and even potentially watching and listening to you through the iPhone’s microphone and camera.

How is such a thing even possible? Why would an iPhone even listen to a remote hacking attempt? According to Beer, that’s because today’s iPhones, iPads, Macs and Watches use a protocol called Apple Wireless Direct Link (AWDL) to create mesh networks for features like AirDrop (so you can easily beam photos and files to other iOS devices) and Sidecar (to quickly turn an iPad into a secondary screen). Not only did Beer figure out a way to exploit that, he also found a way to force AWDL to turn on even if it was left off previously.

While Beer says he has “no evidence that these issues were exploited in the wild” and admits it took him six whole months to sniff out, verify and demonstrate this exploit — and while it’s been patched as of May — he suggests we shouldn’t take the existence of such a hack lightly:

The takeaway from this project should not be: no one will spend six months of their life just to hack my phone, I’m fine.

Instead, it should be: one person, working alone in their bedroom, was able to build a capability which would allow them to seriously compromise iPhone users they’d come into close contact with.

Eerie stuff.

Apple doesn’t dispute the exploit existed, and in fact cites Beer in the changelogs for several of its May 2020 security updates that are linked to the vulnerability. But the company does point out that most iOS users, by far, are already using newer versions of iOS that have been patched — and suggests that an attacker would have needed to be within Wi-Fi range for it to work.

You can read Beer’s lengthy explanation of exactly how the hack worked right here.

Update, 9:44 PM ET: Added Apple comment.
