Skip to main content

A decade-old vulnerability led to WD My Book Live devices getting wiped

Hacked off
(Image credit: Shutterstock)

Western Digital has explained that an ongoing malware campaign, which exploits multiple vulnerabilities in its My Book devices, led to the loss of masses of data last week.

In its breakdown of the campaign against its network-attached storage (NAS) devices, WD revealed that the My Book firmware suffers from a remotely exploitable command injection vulnerability.

However, it was another vulnerability, accidentally introduced back in 2011 and now tracked as CVE-2021-35941, that led to factory resetting of the devices.

TechRadar needs you!

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and you can also choose to enter the prize draw to win a $100 Amazon voucher or one of five 1-year ExpressVPN subscriptions.

>> Click here to start the survey in a new window <<

“Our investigation shows that in some cases, the same attacker exploited both vulnerabilities on the device, as evidenced by the source IP. The first vulnerability was exploited to install a malicious binary on the device, and the second vulnerability was later exploited to reset the device,” wrote WD in a blog post.

Caught in the crossfire

WD first blamed the factory reset on the remote command execution vulnerability, tracked as CVE-2018-18472 and initially reported in late 2018. Alarmingly, WD never fixed it, since it stopped supporting the My Book devices three years prior, in 2015.

However, an analysis of the log files of the attacks performed by Ars Technica and security researchers, led to the discovery of the unauthorized factory reset vulnerability.

However, it still doesn’t make sense that an attacker would want to wipe and reset a device that has already been commandeered. 

Reportedly, the malware that WD found on the devices ties the drives to a botnet. Ars theorizes that the factory reset vulnerability was exploited by a rival threat actor in order to sabotage the botnet, perhaps after failing to take over it. 

Whatever may be the case, WD has announced that it will offer complimentary data recovery services to all affected customers. 

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.