A zero-day vulnerability in Western Digital My Book Live NAS devices allowed a threat actor to perform mass factory resets of devices last week, leading to data loss.

Last week, we broke the story that Western Digital My Book Live NAS owners suddenly discovered that their stored files had mysteriously disappeared. Unfortunately, the factory reset also reset the admin passwords, so users could not log in to their devices via the web dashboard or SSH.

After some users analyzed the device’s logs, they found that on June 24th, a script called factoryRestore.sh was executed on their devices, which wiped the device’s files.

Jun 24 00:26:53 MyBookLive factoryRestore.sh: begin script:
Jun 24 00:26:53 MyBookLive shutdown[5033]: shutting down for system reboot
Jun 24 00:26:53 MyBookLive logger: exit standby after 9674 (since 2021-06-23 21:45:39.926803414 +0100)

Western Digital had originally told BleepingComputer that the attacks were being conducted through a 2018 vulnerability tracked as CVE-2018-18472, which was not fixed as the device has been out of support since 2015.

It turns out that while threat actors used this vulnerability in attacks against My Book Live devices, it was actually a different zero-day vulnerability responsible for the factory resets.

Zero-day used to perform factory resets

A report by Censys CTO Derek Abdine revealed that the latest firmware for My Book Live devices contained a zero-day vulnerability that allowed a remote attacker to perform factory resets on Internet-connected devices.

While remote administration consoles commonly allow factory resets, they normally require the admin to authenticate to the device first.

In the aptly named system_factory_restore script in the My Book Live’s firmware, the authentication checks were commented out, so anyone who could reach the device’s web interface could trigger a factory reset without supplying credentials.

In a script shared with Dan Goodin of Ars Technica, who was also notified independently of the zero-day, you can see the get() and post() functions having authentication checks commented out for some reason by a Western Digital developer.

Commented out authentication checks when issuing a factory reset
Source: Ars Technica

As long as the threat actors could determine the correct parameters for the endpoint, they could trigger factory resets on exposed devices worldwide en masse.
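To make the failure concrete, the following is an added example, not the My Book Live firmware (which is PHP) or any code published by Ars Technica or Censys. It models a factory-reset endpoint in Python with the authentication check present in source but commented out, exactly the pattern the article describes, beside a hardened handler that re-enables the check. The Request and Device types, the authenticate_as_owner() name, the restore=1 parameter and the admin/admin default are all assumptions made for illustration.

```python
"""Factory-reset endpoint: commented-out auth check versus the hardened form.

Added example, not from the My Book Live firmware or the original article.
Names (Request, Device, authenticate_as_owner, restore=1) are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass
class Request:
    method: str
    params: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)


@dataclass
class Device:
    files: int = 1200                      # constructed: user files on the NAS
    admin_password: str = "s3cret!"        # constructed: owner-set password
    valid_sessions: Set[str] = field(default_factory=set)

    def factory_restore(self) -> None:
        # Models the effect the article describes: data wiped, admin
        # credentials reset. admin/admin is the default Abdine considers
        # likely; treated here as an assumption.
        self.files = 0
        self.admin_password = "admin"
        self.valid_sessions.clear()


def authenticate_as_owner(device: Device, req: Request) -> bool:
    """Assumed name for the session check the developer disabled."""
    return req.cookies.get("session") in device.valid_sessions


# --- Vulnerable handler: the check survives only as a comment ---------------
def post_vulnerable(device: Device, req: Request) -> Tuple[int, str]:
    # if not authenticate_as_owner(device, req):
    #     return 401, "Unauthorized"
    if req.params.get("restore") == "1":   # hypothetical parameter name
        device.factory_restore()
        return 200, "restore started"
    return 400, "bad request"


def get_vulnerable(device: Device, req: Request) -> Tuple[int, str]:
    # if not authenticate_as_owner(device, req):
    #     return 401, "Unauthorized"
    return 200, f"files={device.files}"     # leaks state to anyone who asks


# --- Hardened handler: authenticate first, and only act on POST -------------
def post_hardened(device: Device, req: Request) -> Tuple[int, str]:
    if req.method != "POST":
        return 405, "Method Not Allowed"    # state changes never ride on GET
    if not authenticate_as_owner(device, req):
        return 401, "Unauthorized"          # the check the firmware dropped
    if req.params.get("restore") != "1":
        return 400, "bad request"
    device.factory_restore()
    return 200, "restore started"


def get_hardened(device: Device, req: Request) -> Tuple[int, str]:
    if not authenticate_as_owner(device, req):
        return 401, "Unauthorized"
    return 200, f"files={device.files}"


if __name__ == "__main__":
    unauth = Request("POST", {"restore": "1"})
    nas = Device()
    print(post_vulnerable(nas, unauth), nas.files, nas.admin_password)
    nas = Device()
    print(post_hardened(nas, unauth), nas.files, nas.admin_password)
```

The point of the side-by-side is that the hardened version changes nothing about the reset itself; the only difference is that the two commented lines are live code again, which is all that stood between an internet-exposed device and a remote wipe.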

The battle for control of the NAS

While hackers used the zero-day vulnerability to perform factory resets of devices, it appears that there may have been malicious activity going on for quite a while before that.

From research conducted by Abdine, threat actors have been mass-exploiting the 2018 CVE-2018-18472 remote code execution vulnerability to infect publicly exposed My Book Live devices and add them into a botnet.

Using the vulnerability, the threat actors would execute a command on the NAS that downloaded a script from a remote site and executed it, as illustrated below.

Demonstration of mass-exploitation using CVE-2018-18472
Source: Censys

One of the payloads seen by an affected user was uploaded to VirusTotal, where DrWeb detects it as a variant of Linux.Ngioweb.27, a known Linux botnet that targets IoT devices. Another payload was also seen in attacks, but it is not clear what malware family it belongs to.

Once enlisted in the botnet, the threat actors could remotely use the My Book Live NAS devices to potentially perform DDoS attacks, attack other devices, execute commands, or even steal files.

The attackers also password-protected various scripts on compromised devices to prevent them from being taken over by rival botnets or other threat actors.

While we now have some insight into the various attacks targeting the My Book Live devices, we do not have a motive for a threat actor performing mass-wipes of the NAS devices.

Abdine believes that the mass-wipes using the zero-day might have been an attempt by another threat actor or the botnet’s rival to reset the device so that they could take control over the device.

“As for motive for POSTing to this endpoint on a mass scale, it is unknown, but it could be an attempt at a rival botnet operator to take over these devices or render them useless (it is likely that the username and password are reset to their default of admin/admin, allowing another attacker to take control), or someone who wanted to otherwise disrupt the botnet which has likely been around for some time, since these issues have existed since 2015,” explains Abdine.

Consumer IoT devices are a valuable commodity in the world of cybercrime as they allow threat actors to perform attacks while remaining unnoticed.

As IoT devices do not have many external signals to indicate that they have been tampered with, threat actors can use them as part of their malicious campaigns for a long time without being detected.

For now, users should prevent their My Book Live devices from being publicly accessible and only use them on their local network or behind a VPN.

BleepingComputer has reached out to Western Digital to see if they would be releasing a patch for this vulnerability, which is unlikely as the devices have been unsupported for six years.