By exploiting a remote command execution vulnerability, an attacker has erased backups and other data from network-attached hard drives made by Western Digital. Customers are complaining on the manufacturer’s forum that they have lost all their data because of this vulnerability. The company advises them to disconnect their devices from the internet so that the data still on them stays safe.
Trojan horse responsible for erasing data
It concerns users of the WD My Book Live and WD My Book Live Duo. In a blog post, the hard drive maker writes that these products are affected by malicious software, which it describes as a Trojan horse: malware that hides inside seemingly legitimate software and acts as a back door through which attackers gain access to data and try to take control of the device. The log file of a user who lost his data shows that a rogue program named ‘.nttpd,1-ppc-be-t1-z’ had been installed.
According to Western Digital, the attackers exploited a remote command execution vulnerability. That means they could run commands of their choosing on the device over the network, and so read or erase the data stored on the WD My Book Live and WD My Book Live Duo. This is a product line that first appeared on the market in 2010. Support for these products ended in 2015, the year they received their last firmware update.
This is how the hackers got access to the data on WD My Book Live drives
The WD My Book Live drives are reachable from the internet by default, so that users can access their files from anywhere in the world. Products with such remote-access functionality are expected to be hardened against attacks from the internet, but a known vulnerability that was never patched allowed attackers to break into the drives in this series. To do so, they needed only one ingredient: the IP address of the victim’s device, the address that identifies it on the internet.
Western Digital has studied the logs of several customers to learn more about the incident. The company says it has found no sign that confidential data was misused. “We have no indication that Western Digital cloud services, firmware update servers or customer data have been compromised,” the manufacturer said in a press statement.
Western Digital continues its story. “We understand that our customers’ data is very important. We do not yet understand why the attacker activated the factory reset feature (…) Some customers have reported that data recovery programs may be able to recover data from affected devices. We are currently investigating the effectiveness of these programs.”
‘Disconnect hard drive from the internet’
Western Digital advises customers who own a WD My Book Live or WD My Book Live Duo to disconnect it from the internet. Only then, the manufacturer says, can it guarantee that malicious parties cannot trigger a factory reset. Disconnecting from the internet is currently the only way to prevent data loss on these products.
Western Digital has not said whether or when it will provide a fix. According to Tweakers.net, the vulnerability has been known to the manufacturer since 2018, but because the support period had officially ended, Western Digital never released a fix for the WD My Book Live series.