fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Hackers Use Zero-day to Mass-wipe My Book Live Devices

Hackers Use Zero-day to Mass-wipe My Book Live Devices

A zero-day vulnerability in Western Digital My Book Live NAS devices allowed a threat actor to perform mass-factory resets of devices last week, leading to data loss.

Last week, we broke the story that Western Digital My Book Live NAS owners suddenly discovered that their stored files had mysteriously disappeared. Unfortunately, the factory reset also reset the admin passwords, so users could not log in to their devices via the web dashboard or SSH.

After some users analyzed the device’s logs, they found that on June 24th, a script called factoryRestore.sh was executed on their devices, which wiped the device’s files.

Jun 24 00:26:53 MyBookLive factoryRestore.sh: begin script:
Jun 24 00:26:53 MyBookLive shutdown[5033]: shutting down for system reboot
Jun 24 00:26:53 MyBookLive logger: exit standby after 9674 (since 2021-06-23 21:45:39.926803414 +0100)

Western Digital had originally told BleepingComputer that the attacks were being conducted through a 2018 vulnerability tracked as CVE-2018-18472, which was not fixed as the device has been out of support since 2015.

It turns out that while threat actors used this vulnerability in attacks against My Book Live devices, it was actually a different zero-day vulnerability responsible for the factory resets.

Zero-day used to perform factory resets

report by Censys CTO Derek Abdine revealed that the latest firmware for My Book Live devices contained a zero-day vulnerability that allowed a remote attacker to perform factory resets on Internet-connected devices.

While performing factory resets is commonly allowed via remote administration consoles, they always require an admin to authenticate themselves to the device first.

In the aptly named system_factory_restore script in the My Book Live’s firmware, the authentication checks were commented out, making it possible for anyone with access to the device to perform a factory reset.

In a script shared with Dan Goodin of Ars Technica, who was also notified independently of the zero-day, you can see the get() and post() functions having authentication checks commented out for some reason by a Western Digital developer.

Also Read: PDPA Singapore Guidelines: 16 Key Concepts For Your Business

Commented out authentication checks when issuing a factory reset
Commented out authentication checks when issuing a factory reset
Source: Ars Technica

As long as the threat actors could determine the correct parameters to the endpoint, they could perform a mass trigger of factory resets on devices worldwide.

The Battle for control of the NAS

While hackers used the zero-day vulnerability to perform factory resets of devices, it appears that there may have been malicious activity going on for quite a while before that.

From research conducted by Abdine, threat actors have been mass-exploiting the 2018 CVE-2018-18472 remote code execution vulnerability to infect publicly exposed My Book Live devices and add them into a botnet.

Using the vulnerability, the threat actors would execute a command on the NAS device that would download a script from a remote site and execute it, as illustrated below.

Demonstration of mass-exploitation using CVE-2018-18472
Demonstration of mass-exploitation using CVE-2018-18472
Source: Censys

One of the payloads seen by an affected user was uploaded to VirusTotal, where DrWeb detects it as a variant of Linux.Ngioweb.27, a known Linux botnet that targets IoT devices. Another payload was also seen in attacks, but it not clear what malware family it belongs to.

Once enlisted in the botnet, the threat actors could remotely use the My Book Live NAS devices to potentially perform DDoS attacks, attack other devices, execute commands, or even steal files.

The attacks would also password-protect various scripts to prevent the devices from being taken over by rival botnets or other threat actors.

While we now have some insight into the various attacks targeting the My Book Live devices, we do not have a motive for a threat actor performing mass-wipes of the NAS devices.

Abdine believes that the mass-wipes using the zero-day might have been an attempt by another threat actor or the botnet’s rival to reset the device so that they could take control over the device.

Also Read: Data Protection Officer Singapore | 10 FAQs

“As for motive for POSTing to this endpoint on a mass scale, it is unknown, but it could be an attempt at a rival botnet operator to take over these devices or render them useless (it is likely that the username and password are reset to their default of admin/admin, allowing another attacker to take control), or someone who wanted to otherwise disrupt the botnet which has likely been around for some time, since these issues have existed since 2015,” explains Abdine.

Consumer IoT devices are a valuable commodity in the world of cybercrime as they allow threat actors to perform attacks while remaining unnoticed.

As IoT devices do not have many external signals to indicate that they have been tampered with, threat actors can use them as part of their malicious campaigns for a long time without being detected.

For now, users should prevent their My Book Live devices from being publicly accessible and only use them on their local network or behind a VPN.

BleepingComputer has reached out to Western Digital to see if they would be releasing a patch for this vulnerability, which is unlikely as the devices have been unsupported for six years.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us