Zero-day bug enabled hackers to completely wipe data from WD My Book Live devices

My Book Live NAS owners complained to Western Digital that their stored photos, videos and other important files had mysteriously disappeared

Malicious actors likely used a zero-day bug in Western Digital My Book Live NAS devices to perform a remote mass factory reset of vulnerable devices last week, leading to loss of data for hundreds of users.

My Book Live is a network-attached storage device that uses an Ethernet jack to connect to office and home networks so that authorised users can access the data stored on the device.

Last week, a large number of Western Digital My Book Live NAS owners complained on the company's support forum that their stored photos, videos and other important files had mysteriously disappeared from their NAS devices.

Some users who reviewed their device's logs found that a script called factoryRestore.sh was executed on devices on 24th June, which erased all files stored on the device.

In a statement posted on its website, Western Digital said that malicious actors had conducted attacks through the CVE-2018-18472 vulnerability, which was uncovered in 2018 but was not fixed at that time, as the bug came to light three years after the firm had ceased supporting the vulnerable My Book devices.

The company advised its customers to unplug their My Book Live storage devices from the Internet until further notice while its engineers investigated attacks that completely wiped data from devices.

Following a preliminary investigation, the firm has now concluded that while threat actors exploited CVE-2018-18472 to attack My Book Live devices, they also used a different zero-day bug to conduct factory resets.

"Western Digital has determined that Internet-connected My Book Live and My Book Live Duo devices are under attack by exploitation of multiple vulnerabilities present in the device," the company said.

"The My Book Live firmware is vulnerable to a remotely exploitable command injection vulnerability when the device has remote access enabled. This vulnerability may be exploited to run arbitrary commands with root privileges."

"Additionally, the My Book Live is vulnerable to an unauthenticated factory reset operation which allows an attacker to factory reset the device without authentication. The unauthenticated factory reset vulnerability has been assigned CVE-2021-35941," it added.

According to the company, CVE-2021-35941 was introduced to the My Book Live in 2011 as part of a refactor of authentication logic in the device firmware.
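The following is an added illustration of the bug class Western Digital describes (a privileged operation left reachable without authentication after an auth-logic refactor) and of the deny-by-default dispatcher that prevents it; it is a hypothetical model written for this article, not code from the My Book Live firmware, and the route names, token and file list are constructed.

```python
# Hypothetical model of the bug class described above, not Western Digital's firmware:
# a refactor pushes authentication into individual handlers and the destructive
# factory-reset handler ends up with none. The hardened dispatcher checks first.
from dataclasses import dataclass, field
VALID_TOKEN = "session-token-123"   # constructed sample credential

@dataclass
class Request:
    path: str
    token: str = ""   # empty token = unauthenticated caller
@dataclass
class Device:
    files: list = field(default_factory=lambda: ["photo.jpg", "video.mp4"])
    log: list = field(default_factory=list)

def is_authenticated(req):
    return req.token == VALID_TOKEN
def factory_restore(dev):   # destructive; stand-in for factoryRestore.sh
    dev.log.append("factoryRestore.sh executed")
    dev.files.clear()
    return "reset"
ROUTES = {"/api/status": lambda dev: "ok",
          "/api/files": lambda dev: list(dev.files),
          "/api/factory_restore": factory_restore}
PUBLIC_ROUTES = {"/api/status"}   # the only route that needs no session

# Vulnerable: each handler is trusted to check auth itself; reset forgot to.
def dispatch_per_handler_auth(req, dev):
    if req.path == "/api/status":
        return "ok"
    if req.path == "/api/files":
        return list(dev.files) if is_authenticated(req) else 401
    if req.path == "/api/factory_restore":
        return factory_restore(dev)   # missing check: unauthenticated reset
    return 404

# Hardened: one auth gate in the dispatcher, before any handler is invoked.
def dispatch_deny_by_default(req, dev):
    handler = ROUTES.get(req.path)
    if handler is None:
        return 404
    if req.path not in PUBLIC_ROUTES and not is_authenticated(req):
        return 401
    return handler(dev)

def audit_routes(dispatch):   # non-public routes reachable without a token
    return [p for p in ROUTES if p not in PUBLIC_ROUTES
            and dispatch(Request(p), Device()) not in (401, 404)]
```

Running `audit_routes` against each dispatcher is the kind of check that catches a route falling outside the auth gate during a refactor: it returns the reset route for the per-handler version and an empty list for the deny-by-default one.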

Derek Abdine, CTO at security firm Censys, said in a blog post that while CVE-2018-18472 was exploited by one hacker to turn compromised devices into a botnet, a rival hacker used the older CVE-2021-35941 bug to either seize control of those already compromised devices or simply sabotage the botnet.

Western Digital said it would provide data recovery services to customers who have lost data in these attacks.

The data recovery services will be available beginning in July.

The company is also offering a trade-in programme for affected customers to upgrade to a supported My Cloud device.