Hackers exploited two flaws in event that remotely wiped Western Digital devices

Western Digital My Book Live users around the globe reported that their devices were remotely wiped overnight. The company released a statement blaming the vulnerability CVE-2021-35941. Ars Technica's CTO, Derek Abdine, discovered in an external investigation that bad actors had also exploited a second, undocumented vulnerability in the system_factory_restore script.

Users would normally have to enter their password in order to factory reset their devices, and the script contained lines to password-protect the reset command. Western Digital, however, had added the double / character to the end of each of those lines, in effect "commenting out" the protection. Ars spoke with HD Moore, a security expert, who explained that this does not make the situation look good for the company; Moore stated that it was as if they had deliberately enabled the bypass. To exploit the vulnerability, attackers would need the script in order to trigger the reset.

Hackers used the CVE-2021-35941 vulnerability to infect devices. In at least one instance, the malware installed made the devices part of a botnet. Abdine believes that one hacker exploited CVE-2021-35941 to turn My Book Live storage devices into a botnet, after which they were wiped clean. The reset vulnerability was then exploited by a second hacker, possibly a rival, to gain control over the devices, either to make them part of another botnet or to undo the first one's work.

Whatever its outcome, this event shows that My Book Live storage devices may not be as secure as we would like. Western Digital advises owners to disconnect them from the internet immediately.