Western Digital says hackers exploited old bug to compromise WD NAS devices

Last week, multiple owners of WD My Book Live and My Book Live Duo NAS devices encountered an unexpected problem, in which all their data was mysteriously deleted from their network-attached storage devices. Some users said a factory reset had been initiated on their device.

It appears that the mass factory resets were the result of an attack in which hackers exploited an old vulnerability from 2018 to compromise WD My Book Live and My Book Live Duo devices.

“Western Digital has determined that some My Book Live and My Book Live Duo devices are being compromised through exploitation of a remote command execution vulnerability. In some cases, the attackers have triggered a factory reset that appears to erase all data on the device,” Western Digital said in a statement on its website.

The vulnerability in question is CVE-2018-18472, a command injection issue that allows a remote attacker to execute arbitrary commands with root privileges.

While analyzing log files received from affected customers, Western Digital found that the attackers connected directly to the affected My Book Live devices from a variety of IP addresses in different countries. This suggests that the affected devices were exposed to the Internet, either through a direct connection or through port forwarding that had been enabled manually or automatically via UPnP.

The log files also showed that the attackers installed a trojan with the file name “.nttpd,1-ppc-be-t1-z” on some devices. This malware is a Linux ELF binary compiled for the PowerPC architecture used by the My Book Live and My Book Live Duo. Western Digital said the malware sample has been captured for further analysis and uploaded to VirusTotal.
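A first triage step for a suspicious file such as the one described above is to confirm from its header what it actually is before uploading or sharing it. The following Python is an added example, not Western Digital's tooling or anything from the article: it reads only the ELF identification bytes and the `e_type`/`e_machine` fields to report class, byte order, object type and target CPU. The header bytes embedded below are constructed for the example (a 32-bit big-endian PowerPC executable and an x86-64 executable) and are not real malware samples; the file-name suffix "ppc-be" in the article is only suggestive of big-endian PowerPC, which is why verifying the header rather than trusting the name is the point.

```python
"""Triage helper: identify the target architecture of an ELF file from its header.

Added example, not code from Western Digital or the article. It relies only on
the public ELF header layout (e_ident, e_type, e_machine). The sample bytes at
the bottom are constructed headers, not real samples.
"""
import struct

ELF_MAGIC = b"\x7fELF"

# Subset of e_machine values from the ELF specification.
EM_NAMES = {
    0x03: "x86",
    0x08: "MIPS",
    0x14: "PowerPC",
    0x15: "PowerPC64",
    0x28: "ARM",
    0x3E: "x86-64",
    0xB7: "AArch64",
}

ET_NAMES = {1: "relocatable", 2: "executable", 3: "shared object", 4: "core"}


def describe_elf(data: bytes) -> dict:
    """Parse the first 20 bytes of an ELF header.

    Returns class (32/64), endianness, object type and target machine.
    Raises ValueError when the data is not an ELF image.
    """
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("malformed ELF identification bytes")
    # e_type and e_machine are stored in the file's own byte order, which is
    # announced by EI_DATA (1 = little-endian, 2 = big-endian).
    order = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack(order + "HH", data[16:20])
    return {
        "class": 32 if ei_class == 1 else 64,
        "endianness": "little" if ei_data == 1 else "big",
        "type": ET_NAMES.get(e_type, f"unknown(0x{e_type:x})"),
        "machine": EM_NAMES.get(e_machine, f"unknown(0x{e_machine:x})"),
    }


def is_ppc_elf(data: bytes) -> bool:
    """True when data is an ELF image targeting 32- or 64-bit PowerPC."""
    try:
        return describe_elf(data)["machine"] in ("PowerPC", "PowerPC64")
    except ValueError:
        return False


def triage_file(path: str) -> dict:
    """Describe a file on disk, reading only the header bytes needed."""
    with open(path, "rb") as fh:
        return describe_elf(fh.read(20))


# Constructed header of a 32-bit, big-endian PowerPC executable (not a real sample).
SAMPLE_ELF_PPC_BE = (
    b"\x7fELF"          # magic
    + b"\x01"           # EI_CLASS: 1 = 32-bit
    + b"\x02"           # EI_DATA: 2 = big-endian
    + b"\x01"           # EI_VERSION
    + b"\x03"           # EI_OSABI: 3 = Linux
    + b"\x00" * 8       # EI_ABIVERSION + padding to offset 16
    + b"\x00\x02"       # e_type: 2 = ET_EXEC, big-endian
    + b"\x00\x14"       # e_machine: 0x14 = EM_PPC, big-endian
)

# Constructed header of a 64-bit, little-endian x86-64 executable for contrast.
SAMPLE_ELF_X86_64_LE = (
    b"\x7fELF"
    + b"\x02"           # EI_CLASS: 2 = 64-bit
    + b"\x01"           # EI_DATA: 1 = little-endian
    + b"\x01"
    + b"\x00"           # EI_OSABI: System V
    + b"\x00" * 8
    + b"\x02\x00"       # e_type: ET_EXEC, little-endian
    + b"\x3e\x00"       # e_machine: 0x3E = EM_X86_64, little-endian
)

if __name__ == "__main__":
    for name, blob in (("ppc-be", SAMPLE_ELF_PPC_BE), ("x86-64", SAMPLE_ELF_X86_64_LE)):
        print(name, describe_elf(blob), "ppc:", is_ppc_elf(blob))
    print("shell script is ELF:", is_ppc_elf(b"#!/bin/sh\n"))
```

On a real device image you would call `triage_file()` on the recovered file; a result of 32-bit, big-endian, PowerPC is consistent with the platform the article names, while anything else means the file is not what its name implies and deserves a closer look.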

“Our investigation of this incident has not uncovered any evidence that Western Digital cloud services, firmware update servers, or customer credentials were compromised. As the My Book Live devices can be directly exposed to the internet through port forwarding, the attackers may be able to discover vulnerable devices through port scanning,” the company said.

“We do not yet understand why the attacker triggered the factory reset; however, we have obtained a sample of an affected device and are investigating further.”
