Hacking WD: a Hacker Fight Erases Thousands of Hard Drives

A few days ago we learned of one of the most serious hacks in recent years: Internet-connected WD My Book Live external hard drives were hacked and their data completely erased. These network hard drives (NAS) have had no update support since 2015, which left them vulnerable. The case is more complex than it first appeared, however: a fight between hackers is what led to the deletion.

On July 23, large numbers of WD users began complaining that the data on their hard drives had been erased. On reviewing the erase log, some discovered that someone had remotely executed a command to reset the entire contents of the drive, without being asked for any kind of password.

Could be reset without password

After analyzing the event, security researchers have discovered a vulnerability in the file restoration system, where a PHP script performs a factory reset and deletes all data. Such a function normally requires entering a confirmation password, but upon reviewing the code they found that the lines of code that requested the password were commented out with // at the beginning, so they were not executed.
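The kind of source review that catches this class of bug can be partly automated. The following Python sketch is an added example, not code from the original article or from Western Digital: it flags commented-out lines in PHP source that still look like access-control code. The PHP sample and its function names (checkOwnerPassword, wipeAllShares) are constructed, and the keyword heuristics are assumptions.

```python
import re

# Assumed heuristics: words that usually mark an access-control guard.
GUARD = re.compile(r"auth|passw|login|credential|401|unauthorized", re.I)
# Commented text that still looks like code rather than prose.
CODE_LIKE = re.compile(r"\b(if|return|header|exit|die)\b.*[({;]|[;{}]\s*$")
FUNC = re.compile(r"\bfunction\s+(\w+)\s*\(")

def commented_text(source):
    """Yield (line_no, text) for lines starting in a //, # or /* */ comment."""
    in_block = False
    for no, line in enumerate(source.splitlines(), 1):
        m = None if in_block else re.match(r"\s*(//|#|/\*)(.*)", line)
        if not in_block and not m:
            continue
        text = line if in_block else m.group(2)
        if in_block or m.group(1) == "/*":
            end = text.find("*/")
            in_block = end < 0
            text = text if end < 0 else text[:end]
        yield no, text

def find_disabled_guards(source):
    """Return (line_no, enclosing_function, text) for disabled guard code."""
    comments = dict(commented_text(source))
    findings, current = [], None
    for no, line in enumerate(source.splitlines(), 1):
        text = comments.get(no)
        if text is None:
            m = FUNC.search(line)
            current = m.group(1) if m else current
        elif GUARD.search(text) and CODE_LIKE.search(text):
            findings.append((no, current, text.strip()))
    return findings

# Constructed PHP sample with hypothetical names; not the vendor's code.
SAMPLE = '''<?php
function post($params) {
    // if (!checkOwnerPassword($params)) {
    //     header("HTTP/1.0 401 Unauthorized");
    //     return;
    // }
    wipeAllShares();
}
function get($params) {
    // Authentication is required for status reads.
    if (!checkOwnerPassword($params)) { return; }
}
'''

if __name__ == "__main__":
    print(*find_disabled_guards(SAMPLE), sep="\n")
```

A hit inside a handler that performs a destructive action, as in the constructed post() function, is the pattern to escalate for manual review; ordinary prose comments that merely mention authentication are not reported.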

That is one part of the vulnerability; to execute it, the attackers had to take advantage of another available one. That was as easy as using the vulnerability that two researchers, Paulos Yibelo and Daniel Eshetu, discovered in 2018. Western Digital acknowledged the vulnerability, and it was assigned the identifier CVE-2018-18472.

However, because the company no longer supported those models, it never patched the flaw, so any attacker who found it could take advantage of it. To do so, the attacker only has to know the IP address of the affected device, and can then perform remote code execution.

Interestingly, with the CVE-2018-18472 vulnerability, attackers already had full access to the device, and did not need to take advantage of the second one. The theory behind this is that a first hacker took advantage of CVE-2018-18472, and a rival hacker later tried to execute the other vulnerability to take control of the other devices and make them part of a botnet controlled by them.

A hacker battle, the most logical explanation

The first hacker, in fact, modified a file on the hard drives to set a password corresponding to the hash 56f650e16801d38f47bb0eeac39e21a8142d7da1, which in plain text is p$EFx3tQWoUbFc%B%R$k@. They also used other passwords on other devices and files as protection in the event that WD released an update that patched the first vulnerable file.

Some of the hard drives hacked using CVE-2018-18472 have also been infected with malware called .nttpd,1-ppc-be-t1-z, which was written to run on the PowerPC hardware used by these WD devices. With this malware, the hard drives become part of a botnet called Linux.Ngioweb, which can be used to launch DDoS attacks.

So it makes sense that a second hacker wanted to control the devices, or just to screw this rival hacker, and ran the command to reset the hard drives. Thanks to this, the owners discovered that they had been hacked; otherwise the attackers could have gone on to steal more data from those hard drives. It is therefore very important to disconnect these devices from the Internet and use them only as local hard drives. WD's newer devices are unaffected by these flaws, so their owners can breathe easy.