About a week ago, many owners of the external hard drive product My Book Live woke up to discover that all of their data had been wiped from the device. It was quickly assumed that the products were the victim of a malicious hacking campaign.
Unlike other external hard drives, My Books are designed to be hooked up to home networks via an Ethernet jack so that all of the devices on a network can access the data it stores. After news of the wipeouts began popping up online, Western Digital, the company that produces the drives, quickly put out a statement warning users about mass exploitation and asking that they disconnect their devices to avoid potential compromise.
There was immediately some confusion, however, over what the purpose of such a campaign might be. Why would criminals break into so many storage devices only to erase the data instead of stealing it?
Now, it would appear that a theory has emerged: the product was the victim of not just one cybercriminal group, but two.
Ars Technica reports that there were two different security flaws within the My Book Live products which allowed hackers to both get inside the devices and execute a command that factory reset them, effectively purging all of the data they had stored.
In its initial statement, Western Digital claimed that the hackers got in through a specific vulnerability that had been discovered in 2018. That security flaw had never been patched, because the company stopped supporting the product some years prior to its discovery. However, the company expressed confusion over why data was being wiped out.
“We do not yet understand why the attacker triggered the factory reset; however, we have obtained a sample of an affected device and are investigating further,” the company said at the time.
Researchers with security firm Censys have since offered a possible explanation: One cybercriminal group was likely attempting to wrangle control of the devices away from another group.
Censys claims the evidence suggests that one hacking campaign “mass exploited” the devices in an effort to make them “join a botnet”—a large, interconnected web of compromised devices that can be used to steal data or engage in other nefarious activities. However, a different group may have subsequently interjected itself—in an effort to wrest control of the botnet away from the first group, researchers write.
“It could be an attempt at a rival botnet operator to take over these devices or render them useless (it is likely that the username and password are reset to their default of admin/admin, allowing another attacker to take control), or someone who wanted to otherwise disrupt the botnet which has likely been around for some time, since these issues have existed since 2015,” Censys researchers write.
Furthermore, researchers seem to imply that someone at Western Digital made some odd choices that may have ultimately allowed some of that hacking to take place. Researchers write that one of the company’s developers cancelled (also called “commenting out,” in cyber parlance) an authentication process which ultimately allowed the devices to be reset in the way that they were.
“The vendor commenting out the authentication in the system restore endpoint really doesn’t make things look good for them,” HD Moore, a security expert, told Ars Technica. “It’s like they intentionally enabled the bypass.”
Very weird indeed. Whatever is going on, anyone who owns a My Book Live and hasn’t for some reason yanked the cord out of the wall yet should do so immediately.