Jul. 4th, 2021

thewayne:
Interesting stuff. It might have been hack squad versus hack squad warfare!

There were two flaws present in the code on the WD drives. Now, keep in mind that the drive must have a CPU and an operating system to serve up files on the internet: it has to be an intelligent device. And what does this mean for hack squads? BOTNET! As I said, there were two exploits in the OS on the wiped drives; either one was sufficient to compromise the drive and make it a slave for the botnet, which means the drives were probably subservient for several years.

Now, here's the sad bit. One of the flaws in the code was particularly tragic: the code to enforce a strong password was there, and for reasons unknown it was commented out. Completely nullified. So if you were able to get in and study this code, it was trivial to gain full admin privileges on the drive. And all you needed to do to find these drives was scan the network, since they had to be publicly accessible to fulfill their role as storage available across the internet.
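To make the "commented out" flaw concrete, here is an added example in Python; it is not code from the post or from Western Digital, and the handler, request shape, endpoint name, session store and token are all hypothetical. The vulnerable handler keeps the authentication check in the source but commented out, so every caller reaches the privileged path, exactly the pattern described above; the hardened handler restores the check and denies by default. A small code-review helper then finds the commented-out call, which is the kind of check a reviewer would run over a code base after reading a story like this.

```python
"""Added example, not the post's or WD's code. Shows a privileged device
action whose authentication check has been commented out (the flaw the
post describes) next to the same handler with the check restored, plus a
review helper that flags commented-out calls to the check function."""

import hmac
import inspect
from dataclasses import dataclass, field

# Constructed session store: session id -> role (hypothetical).
SESSIONS = {"sess-admin-1": "admin"}
# Constructed admin API token (in a real device this would come from config).
ADMIN_TOKEN = "constructed-admin-token"


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (hypothetical shape)."""
    path: str
    params: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def _is_authenticated(req: Request) -> bool:
    """Accept only a valid admin session cookie or a matching API token.
    compare_digest avoids leaking the token through timing differences."""
    sess = req.cookies.get("session")
    if sess is not None and SESSIONS.get(sess) == "admin":
        return True
    token = req.params.get("token", "")
    return hmac.compare_digest(token, ADMIN_TOKEN)


def vulnerable_reset(req: Request) -> dict:
    """Flawed handler for a hypothetical /api/factory_reset endpoint.
    The check is present in the source but commented out, so any caller,
    authenticated or not, triggers the reset."""
    # if not _is_authenticated(req):
    #     return {"status": 403, "body": "forbidden"}
    return {"status": 200, "body": "factory reset started"}


def hardened_reset(req: Request) -> dict:
    """Fixed handler: the check runs, and the default outcome is denial."""
    if not _is_authenticated(req):
        return {"status": 403, "body": "forbidden"}
    return {"status": 200, "body": "factory reset started"}


def find_commented_out_checks(func, needle: str) -> list:
    """Review helper: return source lines of `func` that are comments and
    mention `needle`, i.e. a security check that was disabled by commenting
    rather than removed. Docstring lines are not comments and are ignored."""
    hits = []
    for line in inspect.getsource(func).splitlines():
        stripped = line.strip()
        if stripped.startswith("#") and needle in stripped:
            hits.append(stripped)
    return hits


if __name__ == "__main__":
    anon = Request("/api/factory_reset")
    print("vulnerable, anonymous:", vulnerable_reset(anon))  # 200: reset runs
    print("hardened, anonymous:  ", hardened_reset(anon))    # 403: denied
    print("disabled checks:", find_commented_out_checks(vulnerable_reset,
                                                        "_is_authenticated"))
```

The review helper is deliberately crude (a string match on comment lines), but that is the point: a commented-out authorization call is visible to a grep, and a release gate that fails on any comment mentioning the auth function would have caught this class of mistake before shipping.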

It turns out you only need one of these exploits to seize control of the drive, not both.

So why would you need access to both?

Back to the second flaw. There is a rumor going 'round that another gang wanted a piece of this WD drive botnet army. They couldn't get access to it, but they could screw over the first gang. So they launched an attack via the second flaw and did a reset on all the drives to deny the first gang access to their botnet army.

It is a theory that has popped up, a possible explanation for why the second hole was exploited by different IP addresses than the first hole.
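The "different IP addresses hit each hole" observation is the kind of thing an incident responder establishes from the device's web logs. As an added example that is not from the post or from the published reporting, here is a small Python script that parses constructed access-log lines in common log format, groups source addresses by the endpoint they requested, and reports whether the two sets overlap. The endpoint paths (/api/hole_one, /api/hole_two) and the addresses (all from the documentation ranges) are made up for the example.

```python
"""Added example, not the post's code. Parses constructed web-server log
lines, groups client IPs by requested path, and checks whether two
endpoints were hit by disjoint sets of sources, the evidence behind the
"two gangs" theory above. Paths and IPs are hypothetical/constructed."""

import re
from collections import defaultdict

# Constructed sample log lines in Apache common log format.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Jun/2021:10:01:02 +0000] "POST /api/hole_one HTTP/1.1" 200 12
203.0.113.5 - - [23/Jun/2021:10:01:09 +0000] "POST /api/hole_one HTTP/1.1" 200 12
198.51.100.7 - - [23/Jun/2021:10:02:40 +0000] "POST /api/hole_one HTTP/1.1" 200 12
192.0.2.33 - - [23/Jun/2021:18:45:11 +0000] "POST /api/hole_two HTTP/1.1" 200 0
192.0.2.34 - - [23/Jun/2021:18:45:13 +0000] "POST /api/hole_two HTTP/1.1" 200 0
198.51.100.99 - - [23/Jun/2021:18:46:02 +0000] "GET /index.html HTTP/1.1" 200 512
this line is not a log entry and should be skipped
"""

# Client IP, request line method and path; the rest of the line is ignored.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)')


def sources_by_path(log_text: str) -> dict:
    """Map each requested path to the set of client IPs that requested it.
    Malformed lines are skipped rather than aborting the analysis."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        groups[m.group("path")].add(m.group("ip"))
    return dict(groups)


def disjoint_sources(groups: dict, path_a: str, path_b: str) -> bool:
    """True when no single client address touched both endpoints."""
    a = groups.get(path_a, set())
    b = groups.get(path_b, set())
    return a.isdisjoint(b)


def summarize(log_text: str, path_a: str, path_b: str) -> dict:
    """Convenience wrapper returning the counts an analyst would report."""
    groups = sources_by_path(log_text)
    return {
        "sources_a": len(groups.get(path_a, set())),
        "sources_b": len(groups.get(path_b, set())),
        "disjoint": disjoint_sources(groups, path_a, path_b),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, "/api/hole_one", "/api/hole_two"))
```

Disjoint source sets are consistent with the two-actor theory but do not prove it; one actor can trivially use different infrastructure for each phase, so an analyst would also compare timing, user agents and request bodies before drawing a conclusion.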


There's some deeper bad news.

There's a white-hat hacking contest called Pwn2Own, where good-guy hackers try to crack the latest in hardware and software, and if they are the first among the competing groups to succeed, they get the hardware and a cash prize. As part of the contest terms, they turn over their exploits to the companies involved so they can toughen their systems. A group was going to go to Japan a couple of years ago with a great hack against Western Digital's Cloud OS 3, and right before the contest WD released their OS 5, against which their hack didn't work. Bad luck for them. Still, they sent their documentation and code to WD for them to fix OS 3.

Care to guess whether or not OS 3 was ever patched?

There's an unknown number of Cloud OS 3 installations out there with weak and exploitable operating systems that cannot or will not be updated. And WD's answer is 'they should update to 5'. So odds are that we're going to hear the exact same story in the not too distant future.


And believe it or not, there's some amazingly good news.

For people whose drives have been wiped, and this is truly amazing, Western Digital has retained a data recovery service and is providing that service for people with wiped drives FOR FREE!

Data recovery is a VERY expensive service; we explored it when we had a RAID array break at a place I once worked at: they charged a ton and recovered nothing worthwhile, but this was about 20 years ago, so hopefully things have improved since then. I have read that in many cases, after the wipe, people's directory trees were intact, which leaves a little hope that the files are there and just the directory information was clobbered. So people might get lucky.

We shall see.

https://arstechnica.com/gadgets/2021/06/hackers-exploited-0-day-not-2018-bug-to-mass-wipe-my-book-live-devices/

https://krebsonsecurity.com/2021/07/another-0-day-looms-for-many-western-digital-users/
