Investigations reveal hackers exploited 0-day to wipe WD devices

A few months ago, hackers successfully wiped data from hard drives across the globe using a zero-day exploit against a popular drive manufacturer, a problem that has now been fixed. The exploit was originally found by a team of security researchers who were researching two separate exploits that hackers used to wipe data from hard drives.

Last week, a security researcher named Amit Serper published a report outlining how hackers could have wiped a number of Western Digital drives by exploiting a previously unknown vulnerability in the devices. Serper demonstrated a proof-of-concept attack by wiping the drives using a virtual machine running on a vulnerable system with a specially crafted file.

The world of computer hardware is full of vulnerabilities. Hardware manufacturers consider new developments in hardware as a reason to roll out the latest and greatest hardware. Now, the latest and greatest in storage devices is the Western Digital (WD) My Passport Wireless Pro. Popular with consumers, it’s a portable hard drive that looks like a digital camera. But, is it really safe from hackers? A new investigation claims it is.

After hackers remotely destroyed data on WD's My Book Live devices, WD released an update stating that the attackers used a 0-day exploit rather than only the 2018 vulnerability it had previously cited. The vulnerability is now tracked as CVE-2021-35841.

The second exploit allows a remote user to reset a device, erasing all data, without requiring authentication to verify that a real user is performing this action.

The company is also offering free data recovery services and trade-in offers for My Book Live customers who upgrade to My Cloud devices starting in July.

According to Ars Technica, the vulnerability was found in a file called system_factory_restore. The file contained a PHP script that allowed the user to reset all configurations to default values and delete all data.


Normally these actions require the user to enter a password, and for good reason. These devices are exposed to the internet, and the fact that someone can factory reset them without proper authentication is mind-boggling.

It appears that one of the WD developers had written code in the system recovery script that asks the user for a password before proceeding with the recovery. However, this code fragment is commented out and therefore inactive.

The following code snippet was commented out in the original script. If it had been active, the second exploit would not exist.

function get($urlPath, $queryParams=null, $outputFormat='xml'){
    // The owner-authentication check is commented out, so the restore
    // below runs for any unauthenticated caller.
    // if(!authenticateAsOwner($queryParams))
    // {
    //     header('HTTP/1.0 401 Unauthorized');
    //     return;
    // }
    // (remainder of the restore handler not reproduced in the article)
}

WD attributes this to a refactoring of how authentication is performed on the device. According to the company, the vulnerability was introduced when the check was disabled during that refactoring and the correct authentication type was never added back.
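The failure mode described above, an authentication check that survives only as a comment, is cheap to catch in code review or CI. The following is an added example, not WD's code: a small Python audit that classifies calls to authentication helpers in PHP source as active or commented out, run against a constructed copy of the restore handler quoted in the article (authenticateAsOwner is the helper named there; checkSession and requireLogin are hypothetical names standing in for a project's own helpers).

```python
import re

# Constructed sample: the My Book Live restore handler as quoted in the
# article, with the owner-authentication check commented out.
VULNERABLE_PHP = """<?php
function get($urlPath, $queryParams=null, $outputFormat='xml'){
//  if(!authenticateAsOwner($queryParams))
//  {
//      header('HTTP/1.0 401 Unauthorized');
//      return;
//  }
    performFactoryRestore();
}
"""

# authenticateAsOwner is the helper named in the WD script; the other two
# are hypothetical names standing in for a project's own auth helpers.
AUTH_FUNCTIONS = ("authenticateAsOwner", "checkSession", "requireLogin")


def _comment_state(lines):
    """Yield (lineno, stripped_line, is_commented), tracking //, # and /* */."""
    in_block = False
    for lineno, line in enumerate(lines, start=1):
        s = line.strip()
        if in_block:
            commented = True
            in_block = "*/" not in s
        elif s.startswith("/*"):
            commented = True
            in_block = "*/" not in s
        else:
            commented = s.startswith(("//", "#"))
        yield lineno, s, commented


def audit_auth_checks(php_source, auth_functions=AUTH_FUNCTIONS):
    """Classify each call to an auth helper as 'active' or 'disabled'.

    At least one disabled call and no active call is exactly the shape of
    the My Book Live bug: the check exists in the file but never runs."""
    call = re.compile(r"\b(" + "|".join(map(re.escape, auth_functions)) + r")\s*\(")
    report = {"active": [], "disabled": []}
    for lineno, text, commented in _comment_state(php_source.splitlines()):
        if call.search(text):
            report["disabled" if commented else "active"].append((lineno, text))
    report["unprotected"] = bool(report["disabled"]) and not report["active"]
    return report


if __name__ == "__main__":
    print(audit_auth_checks(VULNERABLE_PHP))
```

Wiring this into a pre-merge check turns a silent refactoring mistake into a failed build rather than an unauthenticated factory reset.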

To exploit this vulnerability, an attacker needs to know the format of the XML request that triggers the reset, and thus the script. HD Moore, security expert and CEO of Rumble, told Ars Technica that commenting out authentication at the system restore endpoint is not a good look for the vendor.

Following the mass deletion of data on My Book Live devices, WD released an advisory stating that the attacks were caused by the CVE-2018-18472 vulnerability. The vulnerability was discovered in late 2018 by researchers Paulos Yibelo and Daniel Eshetu. However, because WD had discontinued support for My Book Live in 2015, this vulnerability was never fixed.

Surprisingly, according to an analysis by Ars Technica and Derek Abdine, CTO of Censys, the devices that were massively compromised and wiped were also affected by the unauthenticated reset vulnerability. The second exploit was discovered in log files extracted from hacked devices.

The question is: if an attacker has already gained root access to a device via one vulnerability, why would they go back and use a second vulnerability to wipe the entire device?

The exploit for CVE-2018-18472 was indeed password-protected by an attacker. It turned out that some of the affected devices had been infected with a malware called .nttpd,1-ppc-be-t1-z, which enrolled them in a botnet called Linux.Ngioweb.

According to Ars, the second attack occurred because, while one hacker had compromised the devices and turned them into a botnet, a competing attacker exploited the second vulnerability and factory-reset the devices, either to take them over or to sabotage the botnet.


Someone who writes, edits, films, presents technology programs and races virtual machines in their spare time. You can contact Yadullah at [email protected] or follow him on Instagram or Twitter.
