Western Digital My Book Live Drives Attacked By New Exploit

Western Digital My Book Live was hit with an attack last week that led to countless drives being factory reset, resulting in petabytes of lost data. Originally, reports showed that the main attack exploited a security vulnerability from 2018, and although that is still one of the attack vectors, there was another one at play. And it came down to only five lines of code.

An investigation by Ars Technica revealed that a second exploit was at work in at least some of the affected drives. This second exploit allowed attackers to factory reset the drives remotely without a password. Curiously, the investigation revealed that five lines of code would have protected the reset command with a password, but they were removed from the running code.
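The pattern the investigation describes (a reset command whose password check was taken out of the running code) is the classic "missing authentication for a critical function" defect. The following is an added, constructed illustration, not Western Digital's firmware code: the endpoint path, the `Device` session model and the salt are assumptions, and the "vulnerable" handler simply has the check commented out the way the article says the real one was, next to a handler that keeps it.

```python
"""Constructed example of a factory-reset web handler with and without an
authentication check. This is not Western Digital's code; the endpoint path
``/api/factory_reset``, the Device class, the request shape and the salt are
all assumptions made for illustration."""
import hashlib
import hmac
import logging
from dataclasses import dataclass, field

log = logging.getLogger("nas.reset")

# Assumed endpoint name; the article does not name the real script.
RESET_PATH = "/api/factory_reset"


@dataclass
class Request:
    path: str
    params: dict = field(default_factory=dict)
    remote_addr: str = "0.0.0.0"


class Device:
    """Minimal stand-in for the NAS: holds a salted password hash and a
    'wiped' flag that a successful reset sets."""

    def __init__(self, admin_password: str):
        self.salt = b"constructed-salt"  # constructed; a real device stores a random salt
        self.admin_hash = self._hash(admin_password)
        self.wiped = False

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 50_000)

    def check_password(self, password: str) -> bool:
        # Constant-time comparison so the check does not leak via timing.
        return hmac.compare_digest(self._hash(password), self.admin_hash)

    def factory_restore(self) -> None:
        self.wiped = True


def reset_handler_vulnerable(device: Device, req: Request) -> int:
    """The defect the article describes: the password check exists in the
    source but is commented out, so any request to the path wipes the device."""
    if req.path != RESET_PATH:
        return 404
    # if not device.check_password(req.params.get("password", "")):
    #     return 401
    device.factory_restore()
    return 200


def reset_handler_fixed(device: Device, req: Request) -> int:
    """Same handler with the check in place: a destructive action must be
    authenticated, and the rejection is logged so an attempt leaves a trace."""
    if req.path != RESET_PATH:
        return 404
    if not device.check_password(req.params.get("password", "")):
        log.warning("rejected unauthenticated factory reset from %s", req.remote_addr)
        return 401
    device.factory_restore()
    return 200
```

The point for a reviewer is that the difference between the two handlers is a few lines, exactly as the article reports, and that the safe version both refuses the request and records the attempt; a missing `401` in the access log is the signal that such a check has been removed.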

Even stranger, this vulnerability wasn’t critical to the data loss. The original exploit (CVE-2018-18472) allowed attackers to gain root access to drives, stealing the data off of them before wiping the drive. This vulnerability was discovered in 2018, but Western Digital ended support for My Book Live in 2015. The security flaw was never fixed.

“We have reviewed log files which we have received from affected customers to understand and characterize the attack,” Western Digital wrote in a statement. “Our investigation shows that in some cases, the same attacker exploited both vulnerabilities on the device, as evidenced by the source IP. The first vulnerability was exploited to install a malicious binary on the device, and the second vulnerability was later exploited to reset the device.”

These two exploits achieved the same goal but with different means, leading an investigation from security firm Censys to speculate that they were the work of two different groups of hackers. The investigation says it’s possible that an original group of attackers exploited the root access vulnerabilities to loop the drives into a botnet (a network of computers that hackers can draw resources from). However, a possible second group of attackers came in and exploited the password reset vulnerability to lock out the original attackers.

The two exploits apply to My Book Live and My Book Live Duo storage devices. These drives give users a few terabytes of network-attached storage, and it is that network exposure that made the attacks possible in the first place. Western Digital says anyone with a My Book Live or My Book Live Duo should immediately disconnect the drive from the internet, even if it hasn’t come under attack.

Western Digital, a computer hard disk drive manufacturer and data storage company, is offering affected customers data recovery services, which will begin in July. A Western Digital spokesperson told Ars Technica that the services will be free. It is also offering customers a trade-in program to upgrade to a newer My Cloud device, though Western Digital hasn’t said when the program is launching.


Western Digital drives remotely wiped: What experts say to do now

Owners of some Western Digital external hard drives should disconnect them from the internet and probably turn them off completely, as reports of remotely wiped data continue. The drive-maker confirmed last week that some owners had seen their network-connected storage accessed unofficially and a complete reset triggered, though details on just how much people should be concerned continue to emerge.

The affected drives, Western Digital says, are the WD My Book Live and WD My Book Live Duo. They were first released in 2010, and received their last firmware update in 2015. The company has not said how many are in circulation, nor given an estimate on how many people are still using their drives.

“Western Digital has determined that some My Book Live and My Book Live Duo devices are being compromised through exploitation of a remote command execution vulnerability,” the company said in a security bulletin. “In some cases, the attackers have triggered a factory reset that appears to erase all data on the device.”

Western Digital insists that there’s no current evidence that its own cloud services, firmware update servers, or customer credentials were compromised. Instead, it suggests, the My Book Live drives were left directly accessible via the internet, “either through direct connection or through port forwarding that was enabled either manually or automatically via UPnP.” Hackers then used port scanning to spot potential victims, the company theorizes.

“We do not yet understand why the attacker triggered the factory reset; however, we have obtained a sample of an affected device and are investigating further,” Western Digital added. “Additionally, some customers have reported that data recovery tools may be able to recover data from affected devices, and we are currently investigating the effectiveness of these tools.”

While Western Digital recommends owners disconnect their drives from the internet for safety, the suggestions among users on Reddit are more cautious still. There, the advice is to turn the drives off altogether, on the assumption that hackers could have already loaded a trojan or some other exploit onto them. That might then be scheduled to activate, wiping the drive even if it’s not online at the time.

Although doing that would mean no access to files – and would run counter to inclinations among owners to make a second backup of what’s on the My Book Live drive as soon as possible – it’s likely to be the safest route as further investigation continues.

For those who do want to try to extract what data might remain after a full reset wipe was initiated, the Reddit thread also includes plenty of discussion about which are the best tools for that. It’s unclear just how effective – or consistently effective – they are at this stage. Unless you’re familiar with data recovery software, it might be best to sit it out until Western Digital comes up with an official route to follow.

More broadly, anybody relying on networked drives should probably take a moment to consider their security settings. Open ports, set up through a router or cable modem, are an obvious point of entry for hackers, though many connected hard drives also have some sort of remote access software that relies on a username and password to make logging in while away from home more straightforward. If that’s the case, now would be a good time to check the strength of that password, in addition to enabling two-factor authentication if offered. Or, indeed, to consider whether or not you actually need the drive to be online in the first place.
