Western Digital (WD) on Tuesday confirmed and explained the recent attacks targeting its My Book Live product. My Book Live is a Western Digital product that connects a hard drive to the internet.
The attacks came to light last week, with many My Book Live and My Book Live Duo device owners reporting to the WD Community forum that a factory reset had been initiated on their devices, resulting in all data being completely wiped. At this time, there are over 900 messages in the WD Community thread on this topic.
WD initially stated that the attackers exploited a vulnerability tracked as CVE-2018-18472, an old flaw that allows a remote attacker who knows the device’s IP address to execute arbitrary commands with root privileges. However, after further analysis, WD confirmed that a zero-day vulnerability had also been exploited.
The new vulnerability, tracked as CVE-2021-35941, has been exploited to reset devices to factory settings and effectively wipe the data housed on the hard drive. The security hole can be exploited without authentication.
CVE-2018-18472 has been exploited to install malware on vulnerable NAS devices and CVE-2021-35941 has been leveraged to reset them to factory settings — in some cases both flaws were apparently exploited by the same attacker.
A majority of the hacked NAS devices are located in the United States, the United Kingdom and Canada. The My Book Live and My Book Live Duo products have been discontinued, with the last firmware updates released in 2015. WD says its newer products are not impacted and claims there is no evidence that its cloud services, firmware update servers, or customer credentials have been compromised.