Western Digital network-attached storage (NAS) devices have suffered from yet another security breach. The attack occurred right after threat actors exploited two cybersecurity flaws in MyBook Live devices. In this blog article by Brian Krebs, learn about another zero-day vulnerability that exposed the Western Digital products operating on MyCloud OS 3 software. Interestingly, the flaw will remain unresolved for end-users that do not upgrade to the new operating system.
What’s the Catch?
Reportedly, a remote code execution flaw is persistent in all Western Digital NAS devices operating through MyCloud OS 3. The company has terminated its usage and advised its users to unplug MyBook Live from the internet for an uncertain period.
In 2020, researchers Radek Domanski and Pedro Ribeiro discovered MyBook vulnerabilities. The duo was ready to participate in the Pwn2Own hacking competition in Tokyo with their findings. However, right before the event, Western Digital introduced MyCloud OS 5 to fix the vulnerabilities. The masterstroke annulled the researchers’ only chance to participate in the Pwn2Own competition.
In February 2021, the duo released a detailed report on YouTube, emphasizing their discovery about Western Digital failings. Using the same information, the threat actors remotely initiated a firmware update using a blank password.
Meanwhile, in a statement to KrebsOnSecurity, Western Digital denied the allegations made by the researchers. The company declared that they received the research report post Pwn2Own Tokyo 2020. By that time, the flaw was already fixed with the MyCloud OS 5 update.
Western Digital continued ignoring questions about the vulnerabilities unearthed by researchers Domanski and Ribeiro. The company announced no further security updates for the MyCloud OS 3 firmware in its recent statement.
Acknowledging the same, researchers developed a patch to fix the MyCloud OS 3 security loopholes. Users need to update the software every time they reboot their MyCloud device. Western Digital refused to evaluate or support the security patch.
MyCloud devices make it easy for customers to access data from anywhere, anytime. However, the move may expose their data to cybersecurity threats. The incident would be similar to the recent mass-wipe of MyBook Live device content. Certainly, if hackers successfully manipulate MyCloud OS 3 vulnerabilities, Western Digital will end up paying its users for data recovery services. It would be a massive brand failure and financial loss for the company.
Click on the following link to read the original article: https://krebsonsecurity.com/2021/07/another-0-day-looms-for-many-western-digital-users/#more-56182