Data storage company Western Digital (WD) is in crisis after hackers exploited a zero-day vulnerability to remotely wipe its customers’ My Book Live drives.
Users on a Western Digital support forum began reporting the issue last week in a thread that, at the time of writing, has nearly 1,000 replies and has been viewed 50,000 times.
“I have a [Western Digital] My Book Live connected to my home LAN and worked fine for years,” the thread’s original poster said.
“I have just found that somehow all the data on it is gone today, while the directories seems there but empty. Previously the [2TB] volume was almost full but now it shows full capacity.”
Other users lamented the years of lost data and posted logs showing that their devices had been factory reset and saying the device passwords had been reset and changed from the factory default.
“This is kind of scary,” one poster said. “Exact same issue. I was able to reset my password and log into the GUI but all my data is gone.
“There is no indication of firmware update. Not sure what to do.”
Western Digital soon after published an advisory about the incident, warning its My Book Live customers to disconnect their devices from the internet and offering support services.
“For customers who have lost data as a result of these attacks, Western Digital will provide data recovery services,” the company said.
“My Book Live users will also be offered a trade-in program to upgrade to a supported My Cloud Device.”
My Book Live devices sat behind a firewall and provided remote access through a My Book Live cloud service.
Cloud security company Censys scanned the internet and found some 55,000 My Book Live device certificates, around 1,200 of which were in Australia.
Vulnerable and unsupported
First sold in 2010, the devices have been unsupported since the last firmware update in 2015.
Western Digital said there was no evidence that its “cloud services, firmware update servers, or customer credentials were compromised” in the widespread attack.
Instead, it points to two vulnerabilities: one zero-day and one from 2018.
The 2018 vulnerability was reported by Wizcase as a remote code execution flaw that “lets anyone run commands on the device as root”.
Wizcase disclosed the security fault to Western Digital which responded by saying that the devices were discontinued and “are no longer covered under our device software support lifecycle”.
Then there’s the zero-day.
Someone at Western Digital had thoughtfully coded in a function to stop remote users from performing factory resets without authenticating their credentials first.
Unfortunately, in a 2011 firmware update that code was simply commented out.
As Censys described it, the vulnerability means “a simple POST request to the system_factory_restore endpoint would trigger the factory restore process”.
Apparently, no one at Western Digital noticed this flaw until devices it had sold started mysteriously wiping themselves.
But why would someone want to factory reset thousands of hard drives?
Censys suggested the 2018 vulnerability had already been mass exploited to create a botnet incorporating the Western Digital drives, saying it had noticed 13,000 devices showing signs of compromise.
Botnets are thousands of connected computers, usually compromised machines, that can be bought and sold on the dark web and are used for nefarious activities like spreading malware or running distributed denial of service (DDoS) attacks.
So, if the devices were already being exploited as root and used in a botnet, that raises another question: why would you need to use a second vulnerability to remotely reset them?
Censys’s theory is that another cyber actor has tried to kill the botnet.
“It could be an attempt at a rival botnet operator to take over these devices or render them useless,” Censys said.
“Or someone who wanted to otherwise disrupt the botnet which has likely been around for some time, since these issues have existed since 2015.”