Western Digital has explained that an ongoing malware campaign, which exploits multiple vulnerabilities in its My Book devices, led to the loss of masses of data last week.
In its breakdown of the campaign against its network-attached storage (NAS) devices, WD revealed that the My Book firmware suffers from a remotely exploitable command injection vulnerability.
However, it was another vulnerability, accidentally introduced back in 2011 and now tracked as CVE-2021-35941, that led to factory resetting of the devices.
- We've built a list of the best external hard drives out there
- Here's our list of the best portable SSDs right now
- Take a look at the best NAS drives in the market
“Our investigation shows that in some cases, the same attacker exploited both vulnerabilities on the device, as evidenced by the source IP. The first vulnerability was exploited to install a malicious binary on the device, and the second vulnerability was later exploited to reset the device,” wrote WD in a blog post.
Caught in the crossfire
WD first blamed the factory reset on the remote command execution vulnerability, tracked as CVE-2018-18472 and initially reported in late 2018. Alarmingly, WD never fixed it, since it stopped supporting the My Book devices three years prior, in 2015.
However, an analysis of the log files of the attacks performed by Ars Technica and security researchers, led to the discovery of the unauthorized factory reset vulnerability.
However, it still doesn’t make sense that an attacker would want to wipe and reset a device that has already been commandeered.
Reportedly, the malware that WD found on the devices ties the drives to a botnet. Ars theorizes that the factory reset vulnerability was exploited by a rival threat actor in order to sabotage the botnet, perhaps after failing to take over it.
Whatever may be the case, WD has announced that it will offer complimentary data recovery services to all affected customers.
- These are the best NAS devices currently available
