A malicious actor exploited an old zero-day flaw last week to execute mass factory resets of My Book Live NAS devices, resulting in data loss.
Last week we reported that an unknown issue caused many My Book Live NAS users to lose their files. Aside from reinstalling the OS, the device also reset the admin passwords, which prevented users from accessing their accounts through the web dashboard or SSH.
It was later determined that on June 24, a script named factoryRestore.sh was executed on the devices, which wiped their files.
According to Derek Abdine of Censys, the latest firmware for the My Book Live devices has a zero-day vulnerability that allowed executing arbitrary factory resets on Internet-connected My Books.
Factory resets are usually performed remotely through admin consoles. However, these procedures require an admin to confirm that they’re authorized to perform the resets.
In a script seen by Dan Goodin of Ars Technica, the get() and post() functions contain authentication checks that were commented out by WD developers and are therefore disabled.
Threat actors could then trigger a mass factory reset on devices worldwide if they guess the correct parameters to the endpoint.
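The defect described above, as an added illustration rather than Western Digital's code: a request handler whose authentication check survives in the source only as a comment, next to a hardened version that enforces the check and requires explicit confirmation. The endpoint path, parameter names and session table are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Optional

# Added example; not code from the My Book Live firmware.
# Endpoint path, parameter names and session store are hypothetical.

@dataclass
class Request:
    method: str
    path: str
    params: dict = field(default_factory=dict)
    session_id: Optional[str] = None

# Hypothetical server-side session table: session id -> authenticated user.
SESSIONS = {"sess-admin-1": "admin"}

def is_authenticated(req: Request) -> bool:
    """True only if the request carries a valid admin session."""
    return SESSIONS.get(req.session_id) == "admin"

def vulnerable_post(req: Request) -> str:
    """Models the defect the article describes: the auth check is present in
    the source but commented out, so any POST reaches the reset action."""
    # if not is_authenticated(req):
    #     return "403 Forbidden"
    if req.params.get("action") == "factory_restore":
        return "factoryRestore.sh executed"  # device contents are wiped
    return "400 Bad Request"

def hardened_post(req: Request) -> str:
    """Same handler with the check enforced and a confirmation step, so an
    unauthenticated or accidental POST cannot trigger a wipe."""
    if req.method != "POST":
        return "405 Method Not Allowed"
    if not is_authenticated(req):
        return "403 Forbidden"
    if req.params.get("action") != "factory_restore":
        return "400 Bad Request"
    # A destructive action needs the admin's explicit confirmation.
    if req.params.get("confirm") != "yes":
        return "428 Confirmation Required"
    return "factoryRestore.sh executed"

if __name__ == "__main__":
    anon = Request("POST", "/hypothetical/restore", {"action": "factory_restore"})
    print(vulnerable_post(anon))  # wipe runs with no credentials at all
    print(hardened_post(anon))    # 403 Forbidden
```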
According to Abdine, threat actors have exploited a known but unpatched vulnerability CVE-2018-18472 to infect My Book Live devices with scripts and add them to a botnet. They would then execute a script stored on the NAS device to perform a factory reset.
While the motive for the attacks is not yet known, security researcher Derek Abdine believes that the mass wipes that affected hundreds of users might have been an attempt to reset the devices of a rival threat actor.
“As for motive for POSTing to this endpoint on a mass scale, it is unknown, but it could be an attempt at a rival botnet operator to take over these devices or render them useless (it is likely that the username and password are reset to their default of admin/admin, allowing another attacker to take control), or someone who wanted to otherwise disrupt the botnet which has likely been around for some time, since these issues have existed since 2015,” explains Abdine.
It is unlikely that Western Digital would release a patch for the CVE-2018-18472 vulnerability, as the devices have been unsupported for six years.