Western Digital blames 2018 bug for mass-wiping attacks on old NAS devices
Image: WD
Catalin Cimpanu June 25, 2021

Western Digital blames 2018 bug for mass-wiping attacks on old NAS devices

Western Digital blames 2018 bug for mass-wiping attacks on old NAS devices

US-based Western Digital has blamed an old 2018 vulnerability for a series of attacks during which a mysterious entity has triggered mass-factory resets that have wiped user data from internet-exposed My Book Live and My Book Live Duo network-attached storage (NAS) devices.

According to a WD spokesperson, the attacker appears to have used a vulnerability tracked as CVE-2018-18472 to trigger the attacks earlier this week.

Discovered by security researchers Paulos Yibelo and Daniel Eshetu, the CVE-2018-18472 bug allows remote threat actors to bypass authentication on the WD My Book Live NAS devices and run commands with root privileges.

In normal cases, threat actors would abuse such a vulnerability to add the device to a DDoS or cryptomining botnet or encrypt and ransom a device’s data.

But in messages posted on Reddit and WD’s official forums this week, it appears that a threat actor has chained this vulnerability with a factory reset procedure that wipes data on the NAS and returns the device to standard settings.

It is unclear if the attack is on purpose or the result of a coding mistake on the threat actor’s part.

The damage caused by the attacker is also unknown.

The good news is that the number of My Book Live and My Book Live Duo impacted by the mass-wipes is likely to be small compared to the company’s other NAS models.

WD says the two My Book Live versions seen impacted by the attack have been off the market for almost a decade.

However, this is also bad news, as the devices have also not received any patches for the 2018 bug. WD said the last firmware update for My Book Live NAS devices was released in 2015.

In a support page, the company said it’s working on solutions to address the attacks. In the meantime, a WD spokesperson advised that My Book Live device owners disconnect their devices from the internet until a solution is on hand.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.