
Cybercrooks Wipe Thousands of WD NAS Devices Through Remote Code Execution

An unpatched zero-day vulnerability allowed hackers to trigger a factory reset on thousands of Western Digital NAS devices. As a result, owners of My Book Live and My Book Live Duo units lost all of their stored data. The wipeout reportedly occurred after the attackers established either direct or indirect (via port forwarding) connections to each affected device, operating from a multitude of randomly chosen IP addresses across the globe. While Western Digital's officials are still investigating the issue, they have stated that the attack showed no sign of having spread to the company's cloud environment, firmware, or customer data servers. However, they have advised all My Book Live and My Book Live Duo owners to disconnect their devices from the Internet until a patch is released.

Potential Connection to an Old Flaw

The firmware of these WD NAS devices has not received any updates since 2015. Three years later, a cyber gang allegedly found a security hole that allowed remote code execution on any Internet-connected My Book Live or My Book Live Duo device. Western Digital's researchers suspect that the attackers scanned the Internet for vulnerable devices and in doing so collected the IP addresses of many My Book Live and My Book Live Duo units.

Filed under CVE-2018-18472, the security hole is currently undergoing renewed analysis to determine what other damage it could cause if exploited by malicious actors.

Data Recovery with Mixed Success

While some of the affected WD NAS owners have successfully used data recovery tools such as PhotoRec to get portions of their data back, others have not had such success yet. The American drive manufacturer is currently testing various data recovery tools to see what works and what does not. It remains to be seen how effective alternative data recovery software will prove. Until then, the prospects of complete data recovery seem likely to remain grim at best.

No Ransom Note

Even though thousands of NAS owners have suffered complete data loss, no one has received a ransom note, which implies that the attacker may have wanted to deprive victims of their files purely for the sake of it. Nor has Western Digital reported any ransom demand. Nevertheless, the threat is real, and the damage is a fact. What is more, the data loss occurred even though the affected WD NAS devices all use a firewall and secure cloud-based communication channels.

Incidents like this underline the need for a multi-pronged approach to data storage. Relying on a single medium, whether cloud-based or not, may no longer be sufficient to prevent loss down the line. That is why we recommend regular backups on multiple online and offline media to reduce the risk of data loss to a minimum.
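A backup is only useful if the copy is still intact when the source is wiped. The script below is an added example, not part of the original article or any Western Digital tool: it hashes every file on a source tree (for instance the NAS share) and checks each configured backup medium for an identical copy, reporting files that are missing or differ on a given medium and, more importantly, files that have no good copy anywhere. The media names and paths are placeholders chosen for illustration.

```python
"""Verify that a source tree has intact copies on several backup media.

Added example (not from the original article). It implements the article's
advice to keep copies on multiple online and offline media: every file under
the source is hashed with SHA-256 and compared against each backup location.
Medium names and paths used by callers are placeholders.
"""
import hashlib
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large media files are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each file's POSIX-style path relative to root to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backups(source: Path, backups: dict) -> dict:
    """Compare the source tree against each named backup medium.

    backups maps a medium name (e.g. "usb", "cloud") to its root directory.
    Returns {medium: {"missing": [...], "mismatched": [...]}} so the caller can
    see which medium needs a fresh copy.
    """
    expected = snapshot(source)
    report = {}
    for name, root in backups.items():
        found = snapshot(Path(root))
        report[name] = {
            "missing": sorted(f for f in expected if f not in found),
            "mismatched": sorted(
                f for f in expected if f in found and found[f] != expected[f]
            ),
        }
    return report


def unprotected_files(source: Path, backups: dict) -> list:
    """Files with no intact copy on any medium: these are lost if the source is wiped.

    With no backup media configured, every file is reported as unprotected.
    """
    report = verify_backups(source, backups)
    bad_on = {
        name: set(r["missing"]) | set(r["mismatched"]) for name, r in report.items()
    }
    return [
        f for f in snapshot(source)
        if all(f in bad for bad in bad_on.values())
    ]
```

Run `unprotected_files(Path("/srv/nas"), {"usb": "/media/usb-backup", "cloud": "/mnt/cloud-sync"})` (paths are placeholders) on a schedule; a non-empty result means a single-device failure like the one described above would still cost data, and the per-medium report from `verify_backups` tells you which copy to refresh.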
