After Western Digital My Book Live owners around the world reported that their devices were wiped remotely overnight, the company issued a statement blaming a specific vulnerability (CVE-2021-35941) for the event. An external investigation conducted by Ars Technica and Derek Abdine (CTO at security firm Censys) has revealed, however, that the bad actors exploited another undocumented vulnerability in a file aptly named system_factory_restore.
Usually, users would have to type in their passwords to be able to perform factory resets on their devices. Indeed, the script in the file contains lines to password protect the reset command. However, someone in Western Digital "commented out" or, in non-technical parlance, canceled out the command by adding the double / character at the beginning of each line. HD Moore, a security expert, explained to Ars that this doesn't make things look good for the company. "It’s like they intentionally enabled the bypass," Moore said, since the attackers would have to know the format of the script that triggers the reset to exploit the vulnerability.
Devices that were hacked using the CVE-2021-35941 vulnerability were infected with malware, and in at least one case, it was malware that makes a device part of a botnet. Since turning My Book Live storage devices into botnets and then wiping them clean makes no sense, Abdine's theory is that one hacker exploited the CVE-2021-35941 vulnerability. After that, a second (possibly rival) hacker exploited the previously unknown reset vulnerability to gain control of the devices, which were then made part of a botnet, or to undo the first one's work.
A Western Digital rep told Ars: "We can confirm that in at least some of the cases, the attackers exploited the command injection vulnerability (CVE-2018-18472) followed by the factory reset vulnerability. It’s not clear why the attackers exploited both vulnerabilities." CVE-2018-18472 is a command execution vulnerability discovered in 2018 by security researchers Paulos Yibelo and Daniel Eshetu.
Either way, this event just goes to show that the My Book Live storage devices aren't as secure as anybody would like at this point. Those who still own it should heed Western Digital's advice and disconnect it from the internet as soon as possible.