Dueling hackers may have caused mass WD My Book Live wipes

July 23's remote wiping of WD's My Book Live lineup had customers discovering deletion of files and backups, with the network storage appliance factory reset. While it was attributed to a malware attack of a vulnerability, analysis of the event suggests multiple elements were at play, including multiple vulnerabilities.

Security researchers discovered one vulnerability in the system factory restore file, where a PHP script performs a reset to default configurations and wipes data. While the feature typically would require a user password as authentication, the lines of code for the script were commented out, making them inoperable.

"The vendor commenting out the authentication in the system restore endpoint really doesn't make things look good for them," said Rumble CEO and security expert HD Moore to Ars Technica. "It's like they intentionally enabled the bypass."

The vulnerability was the second exploit attributed to the event, but was discovered only five days after the wiping took place.

The first vulnerability attributed to the wipes by WD itself was an exploit that was discovered in late 2018. However, since WD had stopped support for the My Book Live three years before the exploit's discovery, it was never fixed.

There is no clear explanation for the mass-wipes, and confusion reigns about why two different exploits were used when only the 2018 discovery was needed for root access. However, a theory has emerged that it could be due to there being two parties at work, not one.

Based on logs from affected devices, security firm Censys CTO Derek Abdine proposed that one hacker used the 2018 exploit to take control of the devices. That attacker modified a file for language configuration to prevent anyone else from exploiting the same vulnerability without a password, effectively preventing other hackers from gaining control via the same method.

Some devices analyzed by WD were infected with malware that enabled them to be used as part of a botnet, which lends credence to this theory.

The use of the other exploit is most likely another attacker, potentially a rival botnet operator, attempting to either take control of the exploited hardware for their own botnet, or making the storage devices useless for their competitor.

WD continues to advise users of the My Book Live range to disconnect the hardware from the internet as a precautionary measure. A fix appears unlikely, and requests by AppleInsider for comment regarding the matter have been ignored.

Keep up with everything Apple in the weekly AppleInsider Podcast — and get a fast news update from AppleInsider Daily. Just say, "Hey, Siri," to your HomePod mini and ask for these podcasts, and our latest HomeKit Insider episode too.

If you want an ad-free main AppleInsider Podcast experience, you can support the AppleInsider podcast by subscribing for $5 per month through Apple's Podcasts app, or via Patreon if you prefer any other podcast player.