Zero-Day Used to Wipe My Book Live Devices

  • Threat actors may have been duking it out for control of the compromised devices, first using a 2018 RCE, then password-protecting a new vulnerability.

    Western Digital will start providing free data-recovery services in July for people whose data was wiped off their network-attached storage (NAS) devices last week, the company said in an update on Tuesday.

    The company is also planning to offer a trade-in program to get customers onto the cloud – specifically, onto a supported My Cloud device – and off of old My Book Live and My Book Live Duo devices, an indeterminate number of which were remotely eviscerated in an attack that exploited what turns out to have been a zero-day vulnerability.

    In fact, there were two vulnerabilities that were exploited: An old remote-code execution (RCE) bug from 2018 that Western Digital first blamed, and then a previously unknown flaw that enabled unauthenticated remote factory-reset device wipes. Theories about why the attack involved two devastating exploits include the suggestion that rival threat actors were duking it out for control of the compromised devices.

    Western Digital also released new details about that zero day, which exploited the newly identified vulnerability CVE-2021-35941. The bug is in Western Digital’s WD My Book Live (2.x and later) and WD My Book Live Duo (all versions), which have an administrator API that can perform a system factory restore without authentication. Its severity hasn’t yet been rated.

    Besides the unauthenticated factory-reset operation, Western Digital said that the firmware for My Book Live is also vulnerable to a remotely exploitable command-injection vulnerability when the device has remote access enabled. “This vulnerability may be exploited to run arbitrary commands with root privileges,” according to Western Digital’s updated advisory.

    Provenance of the Factory-Reset Bug

    The company shared more technical details about the newly discovered vulnerability to address questions that have arisen in the wake of the global data wipeout. Its advisory explained that the company traced the unauthenticated factory reset vulnerability back to April 2011, when My Book Live underwent “a refactor of authentication logic” in the device firmware. Refactoring is a process meant to improve the design, structure, and/or implementation of software’s non-functional attributes while preserving its functionality.

    Western Digital said that this is how the bug crept in during the refactor back in 2011:

    The refactor centralized the authentication logic into a single file, which is present on the device as includes/component_config.php and contains the authentication type required by each endpoint. In this refactor, the authentication logic in system_factory_restore.php was correctly disabled, but the appropriate authentication type of ADMIN_AUTH_LAN_ALL was not added to component_config.php, resulting in the vulnerability. The same refactor removed authentication logic from other files and correctly added the appropriate authentication type to the component_config.php file.

    That’s a startling admission: In other words, a Western Digital developer actively removed authentication code that would require the input of a valid user password before factory resets could be executed. That slip-up, unfortunately, has cost users what’s likely petabytes of data, given that anguished users complained about years worth of data being obliterated.

    Provenance of the Old Bug

    Western Digital noted that there was also an old, previously discovered bug exploited in the incident: CVE-2018-18472. This one shouldn’t have come as a surprise: The remote command-execution (RCE) vulnerability was discovered in October 2018 It was extremely high risk, with a CVSS score of 9.8 out of 10. Nonetheless, Western Digital never fixed it, given that it was discovered three years after the company had stopped supporting My Book Live.

    The bug was brought to light by Paulos Yibelo and Daniel Eshetu, who updated their findings as recently as last November. The researchers wrote that “WD My Book Live and some models of WD My Cloud NAS contain a remotely exploitable vulnerability that lets anyone run commands on the device as root.”

    Attack Chain for MyBook Live Wipe

    Log files from customers who lost data show that attackers directly connected to their My Book Live devices from a variety of IP addresses in different countries, Western Digital said. Its investigation has shown that “in some cases, the same attacker exploited both vulnerabilities on the device, as evidenced by the source IP. The first vulnerability was exploited to install a malicious binary on the device, and the second vulnerability was later exploited to reset the device.”

    On some devices, the company explained, the attackers installed a trojan with a file named “.nttpd,1-ppc-be-t1-z” – a Linux ELF binary compiled for the PowerPC architecture used by the My Book Live and Live Duo. Western Digital captured a sample of the trojan and uploaded it to VirusTotal. One user in Western Digital’s support forum reported that their My Book Live was infected with this malware, which makes devices part of a botnet called Linux.Ngioweb that mostly comprises malicious proxy servers.

    The company’s investigation still hasn’t uncovered evidence that Western Digital cloud services, firmware update servers or customer credentials were compromised.

    “As the My Book Live devices can be directly exposed to the internet through port forwarding, the attackers may be able to discover vulnerable devices through port scanning,” according to Western Digital’s update. “The vulnerabilities being exploited in this attack are limited to the My Book Live series, which was introduced to the market in 2010 and received a final firmware update in 2015. These vulnerabilities do not affect our current My Cloud product family.”

    Why Two Bugs?

    Last week, Western Digital’s initial advisory attributed the mass data wipe to attackers exploiting the old, unpatched RCE vulnerability from 2018.

    But the plot thickened, as Ars Technica’s Dan Goodin detailed. Ars and Derek Abdine, CTO at security firm Censys, conducted an analysis of logs from the affected devices that showed that devices hit by the mass hack had also been subjected to attacks that exploited the new, unauthorized reset vulnerability. The additional exploit was documented in log files extracted from two hacked devices. One of the logs posted in the Western Digital support forum where the attack first came to light showed that someone from the IP address 94.102.49.104 had successfully restored a device. But a second log file from an affected My Book Live device showed a different IP address – 23.154.177.131 – exploiting the same vulnerability.

    When Goodin reached out to Western Digital, the company confirmed that in some cases, the attackers exploited the old RCE vulnerability, then they went ahead and exploited the new factory-reset vulnerability.

    Why? Western Digital told Goodin at the time that it wasn’t sure, but that it would request a CVE for the new bug: “It’s not clear why the attackers exploited both vulnerabilities. We’ll request a CVE for the factory-reset vulnerability and will update our bulletin to include this information.”

    Why Password-Protect a Vulnerability?

    It’s not clear why attackers who’d already retained full root with the old bug would need to exploit a second one, but Abdine has a theory: Namely, there could be two attackers at work. The first could have exploited the old bug – CVE-2018-18472 – while a second, rival threat actor may have tried to wrest control of already compromised devices by exploiting the second, new vulnerability.

    Whoever exploited the old bug tweaked a file in the My Book Live stack named language_configuration.php – where the vulnerability is located – to add code that stops anyone from exploiting the vulnerability unless they have a password that corresponds to the cryptographic SHA1 hash 56f650e16801d38f47bb0eeac39e21a8142d7da1. The password for the hash turns out to be p$EFx3tQWoUbFc%B%R$k@, which shows up in one of the recovered log files.

    The log files show another password with the hash 05951edd7f05318019c4cfafab8e567afe7936d4 set up to protect a separate, modified language_configuration.php. To boot, the attackers used a third hash, b18c3795fd377b51b7925b2b68ff818cc9115a47, to password-protect a separate file named accessDenied.php: What Goodin suggested could have been put in place as “an insurance policy in the event that Western Digital released an update that patched language_configuration.”

    Abdine wrote about that theory in a blog post: “As for motive for POSTing to this [system_factory_restore] endpoint on a mass scale, it is unknown, but it could be an attempt at a rival botnet operator to take over these devices or render them useless, or someone who wanted to otherwise disrupt the botnet which has likely been around for some time, since these issues have existed since 2015.”

    The first vulnerability was bad enough, but the second one adds to the urgency underscoring Western Digital’s advice to disconnect its devices from the internet. As far as moving to the company’s My Cloud Live devices goes, Abdine told Ars that the replacement devices don’t have the bugs that were exploited last week. He told Goodin that he also took a look at the My Cloud firmware, which mostly seems copacetic.

    “It’s rewritten and bears some, but mostly little, resemblance to My Book Live code,” Abdine told Ars. “So it doesn’t share the same issues.”

    Threatbook has reached out for further details, and will update this post accordingly.

    Join Threatpost for “Tips and Tactics for Better Threat Hunting” — a LIVE event on Wed., June 30 at 2:00 PM ET in partnership with Palo Alto Networks. Learn from Palo Alto’s Unit 42 experts the best way to hunt down threats and how to use automation to help. Register HERE for free.