Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Hackers exploit 3-years old flaw to wipe Western Digital devices

Threat actors are wiping many Western Digital (WD) My Book Live and My Book Live Duo NAS devices likely exploiting an old vulnerability. Owners of Western Digital (WD) claim that their My Book Live and My Book Live Duo network-attached storage (NAS) devices have been wiped. Threat actors forced a factory reset on the devices […]

Western Digital My Cloud

Threat actors are wiping many Western Digital (WD) My Book Live and My Book Live Duo NAS devices likely exploiting an old vulnerability.

Owners of Western Digital (WD) claim that their My Book Live and My Book Live Duo network-attached storage (NAS) devices have been wiped.

Threat actors forced a factory reset on the devices resulting in the deletion of all files.

“When I couldn’t access any of the 4 Network drives I created, I went to Network and double clicked on the MyBookLive Icon, which took me to the GUI page. A message popped up in the upper right that said the drive was factory reset. I wasn’t near my computer when this happened as the time stamp was earlier in the day. All WD is going to ask if we created a “Safepoint” which we could then recover the data from the last saved point. There has to be some “User Intervention” on WD’s part for this to happen to more than one person today.” reported a user on the WD Community forum.

“It is very scary that someone can do factory restore the drive without any permission granted from the end user…” wrote another user on the forum.
I have found this in user.log of this drive today:

Jun 23 15:14:05 MyBookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 MyBookLive shutdown[24582]: shutting down for system reboot
Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 MyBookLive _: pkg: wd-nas
Jun 23 16:02:30 MyBookLive _: pkg: networking-general
Jun 23 16:02:30 MyBookLive _: pkg: apache-php-webdav
Jun 23 16:02:31 MyBookLive _: pkg: date-time
Jun 23 16:02:31 MyBookLive _: pkg: alerts
Jun 23 16:02:31 MyBookLive logger: hostname=MyBookLive
Jun 23 16:02:32 MyBookLive _: pkg: admin-rest-api

I believe this is the culprit of why this happens…No one was even home to use this drive at this time… P.S. You can use support->create and save system report to get all the logs. Please check yours and see what happened.”

Some of the users were able to recover the wiped files using a tool named PhotoRec.

WD is investigating the mysterious wave of attacks launched and speculates that attackers have been exploiting a known vulnerability, tracked as CVE-2018-18472, to wipe the devices.

The flaw is an unauthenticated Remote Command Execution issue that was exploited to compromise devices exposed online and in some cases the attackers also reset them to factory settings. The vendor pointed out that both My Book Live and My Book Live Duo devices received the last firmware update back in 2015 and are no longer supported.

“Western Digital WD My Book Live and WD My Book Live Duo (all versions) have a root Remote Command Execution bug via shell metacharacters in the /api/1.0/rest/language_configuration language parameter. It can be triggered by anyone who knows the IP address of the affected device, as exploited in the wild in June 2021 for factory reset commands,” reads the security advisory.

Western Digital recommends users disconnect their My Book Live and My Book Live Duo from the Internet .

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Western Digital)

[adrotate banner=”5″]

[adrotate banner=”13″]