WD My Book Live NAS under active attack – how not to end up with a wiped device

Welcome to the Xopero Security Center! More ransomware news? No, not this time. However, data can be lost in more ways than one, for example as a result of an unplanned factory reset. No more than half a week ago, WD My Book NAS users fell victim to such a massive “update”, or rather some form of cyberattack. As always, more information can be found below. Also in this review: Dell has a serious problem. The pre-installed firmware updater on its computers may expose almost 30 million users, or if you like 128 of the manufacturer’s device models, to attack. Also: Microsoft tracks a new BazaCall malware campaign that uses a fake call center to trick you, and Linux marketplace bugs allow wormable attacks. Let’s begin.

WD My Book NAS devices remotely wiped clean worldwide

Imagine that – you wake up, arrive at the office, and find out that your WD My Book NAS device has been mysteriously factory reset and all of your files deleted. Seems impossible? Well, that is exactly what happened to WD users all around the world last week.

WD My Book is a network-attached storage device that looks like a small vertical book that you can stand on your desk. The WD My Book Live app allows owners to access their files and manage their devices remotely, even if the NAS is behind a firewall or router.

On Thursday last week users could no longer log into the device via a browser or an app. When they attempted to log in via the Web dashboard, the device stated that they had an “Invalid password.” MyBook logs showed that the devices received a remote command to perform a factory reset starting at around 3 PM on Wednesday and through the night.

Unlike other NAS devices, which are commonly connected to the Internet and exposed to attacks (e.g. QLocker ransomware), the Western Digital My Book devices sit behind a firewall and communicate through the My Book Live cloud servers to provide remote access. So some users are concerned that WD’s servers were hacked, allowing a threat actor to push a remote factory reset command to all devices connected to the service. If so, it’s strange that no one has reported ransom notes or other threats.

At the time of writing, there is no clear statement from WD. The company said that it is actively investigating the attacks but does not believe its servers were compromised. It suggests that the attacks were conducted after some My Book owners had their accounts compromised.

If you own a Western Digital My Book NAS device, you are strongly advised to disconnect it from the network until we learn more about what is going on.

Update: Western Digital in its latest statement has determined that My Book Live and My Book Live Duo devices connected directly to the Internet are being targeted using a remote code execution vulnerability. Additionally, the log files show that on some devices, the attackers installed a trojan with a file named “.nttpd,1-ppc-be-t1-z”, which is a Linux ELF binary compiled for the PowerPC architecture used by the My Book Live and Live Duo. A sample of this trojan has been captured for further analysis and it has been uploaded to VirusTotal.
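One way to check a mounted copy of a device's filesystem for the indicator named in the update, as an added example (not code from Western Digital or from this article). The file name comes from the statement above; the `hidden-ppc-elf` heuristic, the function names and the sample tree are assumptions made for illustration, and the sample files are constructed ELF headers, not malware.

```python
import os
import struct
import tempfile

IOC_NAME = ".nttpd,1-ppc-be-t1-z"  # file name quoted in WD's statement above
EM_PPC = 20                         # ELF e_machine value for 32-bit PowerPC

def is_ppc_be_elf(path):
    """True if the file has an ELF header marked big-endian (EI_DATA == 2)
    whose e_machine field is EM_PPC."""
    try:
        with open(path, "rb") as fh:
            hdr = fh.read(20)
    except OSError:
        return False
    if len(hdr) < 20 or hdr[:4] != b"\x7fELF" or hdr[5] != 2:
        return False
    return struct.unpack(">H", hdr[18:20])[0] == EM_PPC

def scan(root):
    """Return sorted (relative_path, verdict) pairs for suspicious files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # do not follow links out of the tree
            ppc = is_ppc_be_elf(full)
            if name == IOC_NAME:
                verdict = "ioc-name+ppc-elf" if ppc else "ioc-name-only"
            elif name.startswith(".") and ppc:
                verdict = "hidden-ppc-elf"  # assumed heuristic, review manually
            else:
                continue
            hits.append((os.path.relpath(full, root), verdict))
    return sorted(hits)

def build_demo_tree():
    """Constructed sample tree: fake 20-byte ELF headers only, no real malware."""
    root = tempfile.mkdtemp()
    fake_elf = b"\x7fELF\x01\x02\x01" + b"\x00" * 9 + struct.pack(">HH", 2, EM_PPC)
    os.makedirs(os.path.join(root, "tmp"))
    for rel, data in [("tmp/" + IOC_NAME, fake_elf), ("tmp/.cache", fake_elf),
                      ("notes.txt", b"hello"), (IOC_NAME, b"text, not ELF")]:
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    print(scan(build_demo_tree()))
```

A name match whose header is not a PowerPC ELF is still reported (`ioc-name-only`), since the file may have been truncated or replaced.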


BIOSConnect – the preinstalled firmware updater puts 128 Dell models at risk

Four recently discovered flaws in Dell’s firmware security tool affect 128 recent models of computers, including desktops, laptops, and tablets. Researchers estimate that the vulnerabilities expose over 30 million devices in total.

The vulnerabilities show up in a Dell feature called BIOSConnect, which allows users to easily, and even automatically, download firmware updates. BIOSConnect is part of a broader Dell update and remote operating system management feature called SupportAssist. Update mechanisms are valuable targets for attackers because they can be tainted to distribute malware.

The four vulnerabilities the researchers discovered in BIOSConnect wouldn’t allow hackers to seed malicious Dell firmware updates to all users at once. However, they could be exploited to individually target victim devices and easily gain remote control of the firmware. Compromising a device’s firmware can give attackers full control of the machine, because firmware coordinates hardware and software, and runs as a precursor to the computer’s operating system and applications.

It’s worth mentioning that attackers couldn’t directly exploit the four BIOSConnect bugs from the open internet. They need to have a foothold in the internal network of the victim devices. But once an attacker has compromised the firmware, they can likely remain undetected inside a target’s network for a long time. So it’s totally worth all that trouble.


Microsoft tracks new BazaCall malware campaign using a fake call center to trick you

Attackers use emails to prompt victims to call a fraudulent call center, where attackers instruct them to download a malicious file. That, in short, is the new modus operandi of BazarCall, a criminal group that uses malware called BazarLoader (also BazaLoader) to distribute ransomware and that is being hunted by Microsoft Security Intelligence.

The BazaCall campaigns use emails that instruct recipients to call a number to cancel their supposed subscription to a service. When victims call the number, they reach a fraudulent call center operated by the attackers. The operators tell callers to visit a website and download an Excel file in order to cancel the service. This file, of course, contains a malicious macro that downloads the payload. Interestingly, the phone numbers in the attackers’ emails change at least daily.

The BazarLoader malware is designed to provide backdoor access to an infected Windows device. With this level of access, attackers can send other forms of malware, scan the target environment, and go after other vulnerable machines on the same network.

Microsoft’s security team has also observed the group using the Cobalt Strike penetration testing kit to steal credentials, including the Active Directory (AD) database. Cobalt Strike is frequently used for lateral movement on a network after an initial compromise. The AD theft is a big deal for the enterprise since it contains an organization’s identity and credential information.

Unpatched Linux Marketplace bugs allow wormable attacks – no patches in sight

The PlingStore application is affected by an unpatched remote code-execution (RCE) vulnerability, which can be triggered from any website while the app is running – allowing for drive-by attacks.

What exactly is PlingStore?

It is an installer and content-management application that acts as a consolidated digital storefront for the various sites that offer Linux software and plugins. It allows users to download, install and apply desktop themes, icon themes, wallpapers, mouse cursors and so on directly using the “Install” button.

For potential attackers, the Linux marketplace may be the biggest player, but all Pling-based markets are affected, including AppImage Hub, Gnome-Look, KDE Discover App Store, Pling.com, and XFCE-Look.

The bug(s)

The stored XSS bug was first discovered affecting KDE Discover. Stored XSS, also known as persistent XSS, occurs when a malicious script is injected directly into a vulnerable web application. Unlike reflected XSS, a stored attack only requires that a victim visit a compromised web page. Attackers could exploit the bug to modify active listings or post new listings on Pling-based stores in the context of other users, resulting in a wormable XSS.

Besides the typical XSS implications, this would allow for a supply-chain attack XSS worm using a JavaScript payload. The damage can also be escalated to RCE. That’s because the application by design can install other applications, with a built-in mechanism to execute code on the OS level.

No patches in sight

Specialists from Positive Security, who discovered the vulnerabilities, attempted to contact Pling in February, with no luck. In the end, they decided to publicly disclose the issues.

One of the marketplaces, KDE Discover, was immediately responsive and published a patch and advisory in March. For now, users of Pling-based marketplaces should avoid using the PlingStore application and log out of their accounts on the affected websites until the issues have been fixed.


Do you have a thirst for knowledge? There are ten more cybersecurity stories below

1. Virtual machines hide ransomware until the encryption process is done (Help Net Security)
2. REvil Ransomware Code Ripped Off by Rivals (Threat Post)
3. VMware fixes privilege escalation issue in VMware Tools for Windows (Security Affairs)
4. Zephyr OS Bluetooth vulnerabilities left smart devices open to attack (The Register)
5. How to tell if a website is safe (WeLiveSecurity)
6. 79% of Third-Party Libraries in Apps Are Never Updated (Dark Reading)
7. Spam Downpour Drips New IcedID Banking Trojan Variant (Threat Post)
8. Zyxel Warns Customers of Attacks on Security Appliances (Security Week)
9. Google warns: Watch out, this security update could break links to your Drive files (ZDNet)
10. Cisco ASA vulnerability actively exploited after exploit released (Bleeping Computer)