Skip to main content

A decade-old vulnerability led to WD My Book Live devices getting wiped

Hacked off
(Image credit: Shutterstock)
Audio player loading…

Western Digital has explained that an ongoing malware (opens in new tab) campaign, which exploits multiple vulnerabilities in its My Book devices (opens in new tab), led to the loss of masses of data (opens in new tab) last week.

In its breakdown of the campaign against its network-attached storage (NAS) (opens in new tab) devices, WD revealed that the My Book firmware suffers from a remotely exploitable command injection vulnerability.

However, it was another vulnerability, accidentally introduced back in 2011 and now tracked as CVE-2021-35941, that led to factory resetting of the devices.

TechRadar needs yo...

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and you can also choose to enter the prize draw to win a $100 Amazon voucher or one of five 1-year ExpressVPN subscriptions.

>> Click here to start the survey in a new window (opens in new tab) <<

“Our investigation shows that in some cases, the same attacker exploited both vulnerabilities on the device, as evidenced by the source IP. The first vulnerability was exploited to install a malicious binary on the device, and the second vulnerability was later exploited to reset the device,” wrote WD (opens in new tab) in a blog post.

Caught in the crossfire

WD first blamed the factory reset on the remote command execution vulnerability, tracked as CVE-2018-18472 and initially reported in late 2018. Alarmingly, WD never fixed it, since it stopped supporting the My Book devices three years prior, in 2015.

However, an analysis of the log files of the attacks performed by Ars Technica (opens in new tab) and security researchers, led to the discovery of the unauthorized factory reset vulnerability.

However, it still doesn’t make sense that an attacker would want to wipe and reset a device that has already been commandeered. 

Reportedly, the malware that WD found on the devices ties the drives to a botnet. Ars theorizes that the factory reset vulnerability was exploited by a rival threat actor in order to sabotage the botnet, perhaps after failing to take over it. 

Whatever may be the case, WD has announced that it will offer complimentary data recovery services (opens in new tab) to all affected customers. 

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.