Tuesday, July 6, 2021

Western Digital woes increase

The older My Book Live network attached storage appliances surprised their users by turning up wiped, with all stored files gone.

The affected devices went out of support some years ago. They still functioned as network attached storage, BUT they may also have been hosting botnets, spam forwarders and malware. Some theorize that a rival botnet gang is responsible for remotely wiping the devices (removing ALL files over the Internet) in order to knock out a competing botnet.

Newer Western Digital devices running MyCloud OS 5 should be OK.

A series of Western Digital devices cannot run MyCloud OS 5, so those devices remain vulnerable. They can be used to run botnets, spam forwarders and malware hosts.

Disconnecting any Western Digital device from the Internet is a good first step. Updating MyCloud OS to at least version 5 (if possible) is the next step. Do both of these AFTER securing a known good backup. Even with the Western Digital updates applied, malware loaded onto another system on your home network could still wipe your files and folders.

This release from Western Digital:

Western Digital has determined that Internet-connected My Book Live and My Book Live Duo devices are under attack by exploitation of multiple vulnerabilities present in the device. In some cases, the attackers have triggered a factory reset that appears to erase all data on the device. To help customers who have lost data as a result of these attacks, Western Digital will provide data recovery services, which will be available beginning in July. My Book Live customers will also be offered a trade-in program to upgrade to a supported My Cloud device.

The My Book Live firmware is vulnerable to a remotely exploitable command injection vulnerability when the device has remote access enabled. This vulnerability may be exploited to run arbitrary commands with root privileges. Additionally, the My Book Live is vulnerable to an unauthenticated factory reset operation which allows an attacker to factory reset the device without authentication. The unauthenticated factory reset vulnerability has been assigned CVE-2021-35941.

We have heard concerns about the nature of this vulnerability and are sharing technical details to address these questions. We have determined that the unauthenticated factory reset vulnerability was introduced to the My Book Live in April of 2011 as part of a refactor of authentication logic in the device firmware. The refactor centralized the authentication logic into a single file, which is present on the device as includes/component_config.php and contains the authentication type required by each endpoint. In this refactor, the authentication logic in system_factory_restore.php was correctly disabled, but the appropriate authentication type of ADMIN_AUTH_LAN_ALL was not added to component_config.php, resulting in the vulnerability. The same refactor removed authentication logic from other files and correctly added the appropriate authentication type to the component_config.php file.
We have reviewed log files which we have received from affected customers to understand and characterize the attack. The log files we reviewed show that the attackers directly connected to the affected My Book Live devices from a variety of IP addresses in different countries. Our investigation shows that in some cases, the same attacker exploited both vulnerabilities on the device, as evidenced by the source IP. The first vulnerability was exploited to install a malicious binary on the device, and the second vulnerability was later exploited to reset the device.

For customers who have lost data as a result of these attacks, Western Digital will provide data recovery services. My Book Live users will also be offered a trade-in program to upgrade to a supported My Cloud device. Both programs will be available beginning in July, and details on how to take advantage of these programs will be made available in a separate announcement.
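The refactoring defect Western Digital describes above is a classic fail-open default: an endpoint dropped from the central authentication table ended up with no authentication requirement at all. The Python sketch below is an added illustration, not Western Digital's firmware code (which is PHP); it models the pattern with a constructed endpoint table. Only the names system_factory_restore.php, component_config.php and ADMIN_AUTH_LAN_ALL come from the advisory; the other endpoint names, the other auth levels and the meaning assigned to each level are assumptions. It puts a fail-open lookup beside a fail-closed one and adds a build-time check that flags any reachable endpoint missing from the table, which is the check that would have caught this omission.

```python
from enum import IntEnum


class AuthLevel(IntEnum):
    """Authentication levels, ordered from weakest to strongest.
    Only ADMIN_AUTH_LAN_ALL is named in the advisory (its exact meaning is
    assumed here); the other two levels are constructed for the example."""
    NO_AUTH = 0             # constructed: open to anyone who can reach the endpoint
    USER_AUTH = 1           # constructed: any logged-in user
    ADMIN_AUTH_LAN_ALL = 2  # from the advisory; assumed to mean an administrator session


# Constructed stand-in for the centralized table the advisory calls
# includes/component_config.php. system_factory_restore.php is deliberately
# absent, mirroring the omission the advisory describes.
COMPONENT_CONFIG = {
    "system_status.php": AuthLevel.NO_AUTH,               # constructed entry
    "system_shutdown.php": AuthLevel.ADMIN_AUTH_LAN_ALL,  # constructed entry
}

# Constructed list of endpoints actually reachable on the web server.
ALL_ENDPOINTS = [
    "system_status.php",           # constructed
    "system_shutdown.php",         # constructed
    "system_factory_restore.php",  # named in the advisory
]


def required_auth_fail_open(endpoint):
    """Fail-open lookup: an endpoint absent from the table needs no auth.
    This is the behaviour that turns a missing table entry into an
    unauthenticated operation."""
    return COMPONENT_CONFIG.get(endpoint, AuthLevel.NO_AUTH)


def required_auth_fail_closed(endpoint):
    """Fail-closed lookup: an endpoint absent from the table gets the
    strictest requirement, so an omission denies access instead of granting it."""
    return COMPONENT_CONFIG.get(endpoint, AuthLevel.ADMIN_AUTH_LAN_ALL)


def is_authorized(endpoint, session_level, lookup):
    """Return True if a session at session_level may call endpoint under the
    given lookup policy (the dispatcher's single authorization decision)."""
    return session_level >= lookup(endpoint)


def unmapped_endpoints(endpoints, config):
    """Build-time check: every reachable endpoint must have an explicit entry.
    Returns the sorted list of endpoints with no entry; a non-empty result
    should fail the firmware build."""
    return sorted(e for e in endpoints if e not in config)


if __name__ == "__main__":
    anon = AuthLevel.NO_AUTH
    for policy in (required_auth_fail_open, required_auth_fail_closed):
        print(policy.__name__, "lets an anonymous caller reach the reset endpoint:",
              is_authorized("system_factory_restore.php", anon, policy))
    print("endpoints missing from COMPONENT_CONFIG:",
          unmapped_endpoints(ALL_ENDPOINTS, COMPONENT_CONFIG))
```

With the fail-open policy an anonymous session is authorized for the reset endpoint because the table is silent about it; with the fail-closed policy the same request is denied, and the build-time check reports the missing entry so the gap is found before shipping rather than after.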
