Western Digital Says Remotely-Installed Trojans Responsible For Wiping ‘My Book’ Storage Devices

Last week I brought you the story of people who own Western Digital My Book Live Internet-connected hard drives and had them remotely erased by unknown threat actors. Well, Western Digital has now put out a statement, and here’s what they had to say:

Western Digital has determined that some My Book Live and My Book Live Duo devices are being compromised through exploitation of a remote command execution vulnerability. In some cases, the attackers have triggered a factory reset that appears to erase all data on the device.

We are reviewing log files which we have received from affected customers to further characterize the attack and the mechanism of access. The log files we have reviewed show that the attackers directly connected to the affected My Book Live devices from a variety of IP addresses in different countries. This indicates that the affected devices were directly accessible from the Internet, either through direct connection or through port forwarding that was enabled either manually or automatically via UPnP.

Additionally, the log files show that on some devices, the attackers installed a trojan with a file named “.nttpd,1-ppc-be-t1-z”, which is a Linux ELF binary compiled for the PowerPC architecture used by the My Book Live and Live Duo. A sample of this trojan has been captured for further analysis and it has been uploaded to VirusTotal.

Our investigation of this incident has not uncovered any evidence that Western Digital cloud services, firmware update servers, or customer credentials were compromised. As the My Book Live devices can be directly exposed to the internet through port forwarding, the attackers may be able to discover vulnerable devices through port scanning.
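Two things in that statement are checkable by anyone holding an affected unit: the dropped file has a known name and is a big-endian PowerPC ELF, and the access logs should show requests arriving from addresses outside the home LAN if the device was reachable from the Internet. The script below is an added illustration of those two checks; it is not Western Digital's code and does not come from the original post. The log line format, the sample log entries, the share path and the fake ELF header it builds are all constructed for the demonstration; only the file name and the PowerPC/ELF detail come from the statement. Run it against a copy of the NAS filesystem and a saved copy of the web server log, not the live device.

```python
"""Offline triage for a My Book Live filesystem copy and its web access log.

Added example, not Western Digital's tooling. Flags files that carry the
trojan name from WD's statement or that are big-endian PowerPC ELF binaries,
and lists requests whose source address is outside RFC 1918 / loopback space.
Log format and sample data below are constructed.
"""
import ipaddress
import os
import re
import struct
import tempfile

# Indicator from Western Digital's statement: the dropped trojan's file name.
IOC_FILENAME = ".nttpd,1-ppc-be-t1-z"

ELF_MAGIC = b"\x7fELF"
ELFDATA2MSB = 2   # e_ident[EI_DATA] value for big-endian
EM_PPC = 0x14     # e_machine value for 32-bit PowerPC


def elf_arch(path):
    """Read the first 20 header bytes; return (is_elf, big_endian, e_machine)."""
    with open(path, "rb") as f:
        hdr = f.read(20)
    if len(hdr) < 20 or hdr[:4] != ELF_MAGIC:
        return (False, None, None)
    big_endian = hdr[5] == ELFDATA2MSB
    (e_machine,) = struct.unpack(">H" if big_endian else "<H", hdr[18:20])
    return (True, big_endian, e_machine)


def find_suspicious_files(root):
    """Walk an extracted filesystem; return (path, reasons) for each hit.

    A hit is a file named like the IOC, or any big-endian PowerPC ELF. A data
    share should hold neither, and renaming the file defeats only the first test.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            reasons = []
            if name == IOC_FILENAME:
                reasons.append("ioc-filename")
            is_elf, big_endian, machine = elf_arch(path)
            if is_elf and big_endian and machine == EM_PPC:
                reasons.append("ppc-be-elf")
            if reasons:
                hits.append((path, reasons))
    return hits


# "Internal" for a home NAS: RFC 1918, loopback, link-local and CGNAT space.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
)]

# Common-log-style line (constructed format; a real MBL log may differ).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})')

# Constructed sample lines; 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges.
SAMPLE_LOG = [
    '192.168.1.20 - - [23/Jun/2021:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [23/Jun/2021:10:05:44 +0000] "POST /index.php HTTP/1.1" 200 88',
    '127.0.0.1 - - [23/Jun/2021:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 512',
    '198.51.100.77 - - [23/Jun/2021:11:17:09 +0000] "POST /index.php HTTP/1.1" 200 88',
    'garbage line that does not parse',
]


def external_sources(log_lines):
    """Return (ip, request) for every parsed request from a non-internal source.

    Any such entry means the device answered a connection from the Internet,
    the exposure WD's statement attributes to direct connection or port forwarding.
    """
    found = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue
        if not any(ip in net for net in INTERNAL_NETS):
            found.append((str(ip), m["req"]))
    return found


def build_sample_image():
    """Create a temp directory standing in for the NAS filesystem (constructed data)."""
    root = tempfile.mkdtemp(prefix="mbl_image_")
    share = os.path.join(root, "shares", "Public")
    os.makedirs(share)
    # ELF32 header: magic, ELFCLASS32, ELFDATA2MSB, EV_CURRENT, 9 pad bytes,
    # then e_type=ET_EXEC(2) and e_machine=EM_PPC in big-endian; rest zero.
    ppc_elf = (ELF_MAGIC + bytes([1, ELFDATA2MSB, 1]) + b"\x00" * 9
               + struct.pack(">HH", 2, EM_PPC) + b"\x00" * 32)
    with open(os.path.join(share, IOC_FILENAME), "wb") as f:
        f.write(ppc_elf)
    with open(os.path.join(share, "holiday.txt"), "w") as f:
        f.write("benign user file\n")
    return root


if __name__ == "__main__":
    image = build_sample_image()
    for path, reasons in find_suspicious_files(image):
        print("SUSPICIOUS", path, ",".join(reasons))
    for ip, req in external_sources(SAMPLE_LOG):
        print("EXTERNAL", ip, req)
```

The ELF check is the more durable of the two, since an attacker can trivially rename a dropped binary but cannot change the architecture it was built for; the internal-address list is deliberately hand-built rather than taken from `ipaddress.is_private`, because that property also treats the RFC 5737 documentation ranges as private and would hide the sample hits.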

What’s interesting is that the statement references a CVE number, CVE-2018-18472, which I mentioned in my original report on this issue as a possible cause of the wiping. Western Digital has now seemingly confirmed that. Which means that by not patching this issue when it was first disclosed, Western Digital has in effect created this problem for itself. That’s something to keep in mind when users who were affected by this issue start suing Western Digital. Because you know that lawsuit is coming.
