After multiple owners of Western Digital My Book external hard drives around the world were hit by a remote exploit that deleted all their data, Western Digital issued a statement saying that attackers had used a 2018 vulnerability (CVE-2018-18472) to compromise WD My Book Live and My Book Live Duo devices.
However, an investigation conducted by Ars Technica and security researcher Derek Abdine has revealed that the threat actors exploited a zero-day vulnerability (CVE-2021-35941) in a file named system_factory_restore.
This bug stems from improper access restrictions on the administrator API and allows a remote, unauthenticated attacker to perform a system factory restore (deleting all data on the NAS device) by sending a specially crafted HTTP request to the exposed API.
In an updated statement Western Digital said that CVE-2021-35941 was introduced to the My Book Live in April of 2011 as part of a refactor of authentication logic in the device firmware.
“The refactor centralized the authentication logic into a single file, which is present on the device as includes/component_config.php and contains the authentication type required by each endpoint. In this refactor, the authentication logic in system_factory_restore.php was correctly disabled, but the appropriate authentication type of ADMIN_AUTH_LAN_ALL was not added to component_config.php, resulting in the vulnerability. The same refactor removed authentication logic from other files and correctly added the appropriate authentication type to the component_config.php file,” the company explained.
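To make the failure mode in that statement concrete, here is a small Python model (added here, not code from Western Digital or the device firmware, which is PHP) of a centralized endpoint-to-auth-type map in the spirit of component_config.php. The endpoint names and the helper functions are constructed for illustration; only the auth type ADMIN_AUTH_LAN_ALL is taken from the statement. It contrasts a lookup that fails open when an entry is missing with one that defaults to deny, and adds the audit a defender would run to catch unmapped endpoints.

```python
from enum import Enum


class AuthType(Enum):
    NONE = "NONE"                              # public endpoint
    ADMIN_AUTH_LAN_ALL = "ADMIN_AUTH_LAN_ALL"  # admin session required (name from WD's statement)


# Constructed endpoint map modelled on component_config.php.
# "system_factory_restore" is deliberately absent, mirroring the refactor bug:
# its own auth check was removed, but no entry was added here.
COMPONENT_CONFIG = {
    "login": AuthType.NONE,
    "system_settings": AuthType.ADMIN_AUTH_LAN_ALL,
    "user_add": AuthType.ADMIN_AUTH_LAN_ALL,
}


def required_auth_fail_open(endpoint):
    # Vulnerable pattern: an endpoint missing from the map is treated as public.
    return COMPONENT_CONFIG.get(endpoint, AuthType.NONE)


def required_auth_fail_closed(endpoint):
    # Hardened pattern: an endpoint missing from the map is refused outright.
    try:
        return COMPONENT_CONFIG[endpoint]
    except KeyError:
        raise PermissionError(f"endpoint {endpoint!r} has no auth entry; default deny") from None


def is_request_allowed(endpoint, session_is_admin, policy):
    # Central dispatch decision; `policy` is one of the two lookup functions above.
    try:
        needed = policy(endpoint)
    except PermissionError:
        return False
    if needed is AuthType.NONE:
        return True
    return bool(session_is_admin)


def audit_unmapped_endpoints(registered_endpoints):
    # Defender check: every endpoint present on the device but absent from the
    # map is a candidate for exactly this bug class and should be reviewed.
    return sorted(e for e in registered_endpoints if e not in COMPONENT_CONFIG)
```

Running the audit against the list of handler files shipped in a firmware build is the cheap regression check that would have flagged the missing entry before release.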
The investigation showed that the attackers directly connected to the affected My Book Live devices from a variety of IP addresses in different countries. In some cases, hackers exploited both CVE-2018-18472 and CVE-2021-35941 to install a malicious binary on the compromised device and then reset the device.
In at least one case the attackers planted malware that makes a device part of the Linux.Ngioweb botnet.
In theory, CVE-2018-18472 should already have given the attackers root access, so why would they also use the unauthenticated factory reset vulnerability? The researchers speculate that the botnet infections and the mass factory resets were carried out by different attackers.
“As for motive for POSTing to this [system_factory_restore] endpoint on a mass scale, it is unknown, but it could be an attempt at a rival botnet operator to take over these devices or render them useless, or someone who wanted to otherwise disrupt the botnet which has likely been around for some time, since these issues have existed since 2015,” Derek Abdine wrote in a blog post.