The mass deletion of data from Western Digital's My Book Live devices is now blamed not only on the old vulnerability CVE-2018-18472, as the manufacturer originally claimed, but also on a previously unknown vulnerability.
The zero-day used in the attacks, tracked as CVE-2021-35941, allowed attackers to remotely factory-reset devices without a password. Moreover, the vulnerable code shows that a Western Digital developer had disabled, rather than never written, the code that required a valid user password before restoring factory settings.
The vulnerability lies in the file system_factory_restore, a PHP script that resets settings, restores the default configuration and deletes all data stored on the device. Normally (and correctly) the user must enter their password to perform a factory reset; that check is what protects an Internet-reachable device from being wiped by someone else.
The script shows that a Western Digital developer had originally written five lines of code demanding a password before a reset. At some later point, for reasons unknown, that authentication check was disabled, or in developers' terms commented out: each of the five lines begins with a double slash (//), which PHP treats as a comment, so the check never runs.
To exploit this vulnerability, an attacker must know the format of the XML request that triggers a factory reset. That is not as trivial as sending a GET request to an arbitrary URL, but it is quite doable.
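The following is an added, illustrative reconstruction of the pattern described above; it is not Western Digital's code and the function names, the `password` parameter and the XML body shape are assumptions. It places the handler with the authentication check commented out next to the same handler with the check restored, so the difference in behaviour can be seen directly:

```php
<?php
// Added example, not code from system_factory_restore. The owner-password
// check, the 'password' parameter and the XML layout are assumptions.

// Hypothetical owner check: true only when the request carries a password
// whose SHA1 matches the stored hash. hash_equals() is constant-time.
function authenticateAsOwner(array $params, string $storedHash): bool {
    if (!isset($params['password'])) {
        return false;
    }
    return hash_equals($storedHash, sha1($params['password']));
}

// Stand-in for the real reset logic; nothing destructive happens here.
function wipeDevice(): string {
    return 'factory reset performed';
}

// VULNERABLE shape: the check is present in the source but commented out,
// so every request that reaches this handler performs the reset.
function factoryRestoreVulnerable(array $params): string {
    //    if (!authenticateAsOwner($params, $storedHash)) {
    //        header('HTTP/1.0 401 Unauthorized');
    //        return 'unauthorized';
    //    }
    return wipeDevice();
}

// FIXED shape: the check is live again and the reset requires the owner password.
function factoryRestoreFixed(array $params, string $storedHash): string {
    if (!authenticateAsOwner($params, $storedHash)) {
        header('HTTP/1.0 401 Unauthorized');   // no-op under the CLI SAPI
        return 'unauthorized';
    }
    return wipeDevice();
}

// Turn a constructed XML body into a parameter array. The real request
// format is not documented on this page; this is an assumed shape.
function parseRequest(string $xml): array {
    $doc = new SimpleXMLElement($xml);
    $params = [];
    foreach ($doc->children() as $child) {
        $params[$child->getName()] = (string) $child;
    }
    return $params;
}

// Demo with a constructed owner password and request body.
$storedHash = sha1('owner-secret');
$body = '<?xml version="1.0"?><request><action>factory_restore</action></request>';
$params = parseRequest($body);

echo "vulnerable, no password: " . factoryRestoreVulnerable($params) . "\n";
echo "fixed, no password:      " . factoryRestoreFixed($params, $storedHash) . "\n";
$params['password'] = 'owner-secret';
echo "fixed, owner password:   " . factoryRestoreFixed($params, $storedHash) . "\n";
```

Run with `php example.php`. The vulnerable handler wipes on the first call even though no password was supplied; the fixed handler refuses until the body carries the owner password. The point to take from the commented-out block is that a check which exists only in a comment is no check at all, and a code review or a simple grep for commented-out authentication calls would have caught it.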
“We examined the log files received from affected users to understand and characterize the attack. From the files we reviewed, it appears that attackers directly connected to the affected My Book Live devices from different IP addresses in different countries. As our investigation has shown, in some cases the same attacker exploited both vulnerabilities on the device, as evidenced by the originating IP address. The first vulnerability was exploited to install a malicious binary on the device, and the second vulnerability was later exploited to reset the device.
On some devices, attackers installed a Trojan with a file named .nttpd,1-ppc-be-t1-z, which is a Linux ELF binary compiled for the PowerPC architecture used by My Book Live and Live Duo. A sample of this Trojan was extracted for further analysis and uploaded to VirusTotal. Our investigation into the incident found no evidence that Western Digital's cloud services, firmware update servers or customer credentials were compromised,” Western Digital said in an updated notice.
This raises a question: if the attackers already had root access to the devices through a three-year-old vulnerability (CVE-2018-18472), why did they need to exploit the second one at all? According to Derek Abdine, CTO of the security firm Censys, the attacks may have been the work of two different groups: the first took control of the devices through one vulnerability, and the second tried to take that control away through the other.
The attackers who exploited CVE-2018-18472 used the code execution it provides to modify language_configuration.php, the file in the My Book Live web stack where that vulnerability resides. The modification meant the vulnerability could no longer be exploited without a password whose SHA1 hash is 56f650e16801d38f47bb0eeac39e21a8142d7da1; the password for that hash is p$EFx3tQWoUbFc%B%R$k@.
A separate modified language_configuration.php recovered from a compromised device used a different password, corresponding to the hash 05951edd7f05318019c4cfafab8e567afe7936d4. The attackers used a third hash, b18c3795fd377b51b7925b2b68ff818cc9115a47, to password-protect a separate file named accessDenied.php. This was probably a fallback in case Western Digital released an update that fixed language_configuration.php.
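As an added example (not code recovered from any device), the block below shows the general shape of the password gate the article describes, a SHA1 comparison wrapped around the code path the first attacker wanted to keep for themselves, together with a small scan that treats the three hashes quoted above as indicators of compromise. The parameter name `key` and the sample file content are constructed assumptions; only the three hash values come from the article:

```php
<?php
// Added example. The gate shape is inferred from the article's description
// (a SHA1 check guarding the vulnerable code); 'key' and the sample file
// are constructed. The three hashes are the ones reported in the article.
const IOC_HASHES = [
    '56f650e16801d38f47bb0eeac39e21a8142d7da1',   // language_configuration.php, first variant
    '05951edd7f05318019c4cfafab8e567afe7936d4',   // language_configuration.php, second variant
    'b18c3795fd377b51b7925b2b68ff818cc9115a47',   // accessDenied.php
];

// Shape of an attacker-inserted gate: the original (vulnerable) path only runs
// when the caller presents a value hashing to the embedded SHA1. Everyone else,
// including a rival group and the legitimate owner, is locked out of that path.
function gatedEntry(array $params, string $gateHash): string {
    if (!isset($params['key']) || !hash_equals($gateHash, sha1($params['key']))) {
        return 'denied';
    }
    return 'original vulnerable code runs here';
}

// Defender side: scan PHP source text for any of the known hashes.
// Returns [hash => [line numbers where it appears]].
function scanForIocHashes(string $source, array $iocs = IOC_HASHES): array {
    $hits = [];
    foreach (explode("\n", $source) as $n => $line) {
        if (preg_match_all('/\b[0-9a-f]{40}\b/i', $line, $m)) {
            foreach ($m[0] as $h) {
                $h = strtolower($h);
                if (in_array($h, $iocs, true)) {
                    $hits[$h][] = $n + 1;
                }
            }
        }
    }
    return $hits;
}

// Constructed sample of a backdoored language_configuration.php.
$sample = <<<'PHP'
<?php
// original language handling would be here
if (sha1($_REQUEST['key']) !== '56f650e16801d38f47bb0eeac39e21a8142d7da1') { die('Access denied'); }
PHP;

print_r(scanForIocHashes($sample));

// The gate behaves as described: wrong key denied, right key lets the old path run.
echo gatedEntry(['key' => 'wrong'], sha1('demo-gate-secret')) . "\n";
echo gatedEntry(['key' => 'demo-gate-secret'], sha1('demo-gate-secret')) . "\n";

// Check the password reported in the article against the IOC list.
$h = sha1('p$EFx3tQWoUbFc%B%R$k@');
echo in_array($h, IOC_HASHES, true) ? "reported password matches $h\n" : "no IOC match for $h\n";
```

Run with `php example.php`. In a real response, `scanForIocHashes` would be applied to every file under the device's web root rather than to an inline sample, and a hit on any of the three hashes means the device was already under someone else's control before the wipe, which matters for the "two groups" hypothesis below.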
According to the Western Digital notice quoted above, some My Book Live devices compromised through CVE-2018-18472 were infected with the .nttpd,1-ppc-be-t1-z malware, written specifically for the PowerPC hardware in My Book Live devices. The malware enlists compromised devices in the Linux.Ngioweb botnet.
That raises the obvious question: why would someone who had enrolled so many My Book Live devices in a botnet suddenly destroy that foothold by wiping the devices and resetting them to factory settings? And why use an undocumented authentication bypass when the first vulnerability already gives root access? The most likely explanation is that the attacks were carried out by different criminal groups that appear to be rivals.