Category Archives: Cyber Security News

Chrome, Firefox, Edge and Safari Plan to Disable TLS 1.0 and 1.1 in 2020

All major web browsers, including Google Chrome, Apple Safari, Microsoft Edge, Internet Explorer, and Mozilla Firefox, today jointly announced that they will soon remove support for the TLS 1.0 (20-year-old) and TLS 1.1 (12-year-old) communication encryption protocols.

Initially developed as the Secure Sockets Layer (SSL) protocol, Transport Layer Security (TLS) is the updated cryptographic protocol used to establish a secure, encrypted communications channel between clients and servers.

There are currently four versions of the TLS protocol—TLS 1.0, 1.1, 1.2 and 1.3 (the latest)—but the older versions, TLS 1.0 and 1.1, are known to be vulnerable to a number of critical attacks, such as POODLE and BEAST.

Since the TLS implementations in all major web browsers and applications support a downgrade negotiation process, attackers have an opportunity to exploit the weaker protocol versions even when a server supports the latest one.

All Major Web Browsers Will Remove TLS 1.0 and TLS 1.1 Support in 2020

According to press releases published by the four major companies, Google, Microsoft, Apple and Mozilla, their web browsers will completely drop TLS 1.0 and 1.1 support by default in the first half of 2020.

TLS 1.2, released ten years ago to address weaknesses in TLS 1.0 and 1.1, has enjoyed wide adoption since then and will thus be the default TLS version until TLS 1.3, which is currently in the development stage, becomes available.

According to Microsoft, as TLS 1.0 continues to age, many websites have already moved to newer versions of the protocol. Today 94 percent of sites already support TLS 1.2, while less than one percent of daily connections in Microsoft Edge use TLS 1.0 or 1.1.

Apple also says TLS 1.2 is the standard on its platforms and represents 99.6 percent of TLS connections made from Safari, while TLS 1.0 and 1.1 account for less than 0.36 percent of all connections.

Google could not agree more, saying that today only 0.5 percent of HTTPS connections made by Chrome use TLS 1.0 or 1.1.

All four companies recommend that websites which do not yet support TLS 1.2 or newer move off the old versions of the protocol as soon as is practical.

Furthermore, compliance with the PCI Data Security Standard (PCI DSS) also requires websites to disable their SSL/TLS 1.0 implementations by June 30, 2018.

Besides these tech giants, GitLab today also announced that it will deprecate support for TLS 1.0 and TLS 1.1 on its website and API infrastructure by the end of 2018.

You can also manually disable the older TLS versions in Google Chrome by opening Settings → Advanced Settings → Open Proxy Settings → ‘Advanced’ tab → under the ‘Security’ section, uncheck TLS 1.0 and 1.1, then save.

Google to Encrypt Android Cloud Backups With Your Lock Screen Password

In an effort to secure users’ data while maintaining privacy, Google has announced a new security measure for Android Backup Service that now encrypts all your backup data stored on its cloud servers in a way that even the company can’t read it.

Google allows Android users to automatically back up their essential app data and settings to their Google account, so they can simply restore it when required instead of reconfiguring all their apps after a factory reset or a switch to a new phone.

However, until now your backup data was not encrypted and was visible to Google, and the company is now changing its storage procedure.

Starting with Android Pie, Google is going to encrypt your Android device backup data in the following way:

Step 1: Your Android device generates a random secret key (not known to Google).

Step 2: The secret key is then encrypted using your lockscreen PIN/pattern/passcode (not known to Google).

Step 3: This passcode-protected secret key is then securely sent to a Titan security chip on Google’s servers.

So your Android backup data will be encrypted or decrypted only if the lockscreen passcode is authorized through the Titan security chip.

In other words, the Titan security chip will not decrypt any of your backup data unless it is presented with the lockscreen passcode used to request decryption.

To prevent brute-force attacks, Google’s Titan chip will permanently block access to the backup data if someone enters incorrect passcodes several times in an attempt to guess it.
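As an added illustration of the wrap-and-retry-budget flow described in the steps above (this is not Google's code; the key-derivation parameters, the wrap construction and the retry limit are assumptions, since the announcement does not publish them), the following Python model shows why neither the passcode nor the secret has to be stored on the server, and how a retry budget turns online guessing into permanent lockout:

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

KDF_ITERATIONS = 100_000   # assumption; Google has not published its KDF parameters
MAX_ATTEMPTS = 5           # assumption; the announcement only says "several times"


class BackupLockedError(Exception):
    """Raised once the retry budget is spent: the wrapped key can never be released."""


def _derive_wrapping_key(passcode: str, salt: bytes) -> bytes:
    # 64 bytes: the first half masks the secret, the second half keys the MAC.
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, KDF_ITERATIONS, dklen=64)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def device_enroll(passcode: str) -> Tuple[bytes, Dict[str, bytes]]:
    """Steps 1 and 2: make a random backup secret and wrap it under the passcode.

    Returns the plaintext secret (which stays on the device and encrypts the
    backup payload) and the opaque blob that goes to the Titan chip in step 3.
    The blob reveals neither the secret nor the passcode.
    """
    secret = os.urandom(32)
    salt = os.urandom(16)
    kek = _derive_wrapping_key(passcode, salt)
    wrapped = _xor(secret, kek[:32])   # stand-in for AES key wrap; fresh salt => mask used once
    tag = hmac.new(kek[32:], salt + wrapped, hashlib.sha256).digest()
    return secret, {"salt": salt, "wrapped": wrapped, "tag": tag}


class TitanModel:
    """Model of the server-side chip: it holds the blob and a failure counter, nothing else."""

    def __init__(self, blob: Dict[str, bytes]):
        self._blob = blob
        self._failures = 0
        self._locked = False

    @property
    def locked(self) -> bool:
        return self._locked

    def unwrap(self, passcode: str) -> bytes:
        """Release the secret only for the passcode that produced the blob."""
        if self._locked:
            raise BackupLockedError("retry budget exhausted; backup permanently inaccessible")
        kek = _derive_wrapping_key(passcode, self._blob["salt"])
        expected = hmac.new(kek[32:], self._blob["salt"] + self._blob["wrapped"],
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, self._blob["tag"]):
            self._failures += 1
            if self._failures >= MAX_ATTEMPTS:
                self._locked = True
            raise ValueError("passcode rejected")
        self._failures = 0
        return _xor(self._blob["wrapped"], kek[:32])


def simulate_attempts(chip: TitanModel, passcodes: List[str]) -> List[str]:
    """Outcome per attempt ('ok', 'rejected' or 'locked'), to observe the lockout."""
    outcomes = []
    for passcode in passcodes:
        try:
            chip.unwrap(passcode)
            outcomes.append("ok")
        except ValueError:
            outcomes.append("rejected")
        except BackupLockedError:
            outcomes.append("locked")
    return outcomes
```

The point of the structure is that a stolen copy of the blob is worthless without the passcode, and the only place the passcode can be tried is the chip, which stops answering after the retry budget is spent; a four-digit PIN is therefore protected by the counter, not by its entropy.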

Google also hired cybersecurity and risk mitigation firm NCC Group to perform a full security audit of the new Android Cloud Backup/Restore feature. NCC discovered a few issues, which were quickly fixed by the company.

Google has not yet confirmed which Android smartphones will be able to use this additional layer of security, but it is clear that the device must be running the latest Android 9 Pie operating system.

Microsoft October Patch Tuesday Fixes 12 Critical Vulnerabilities

Microsoft has just released its latest monthly Patch Tuesday updates for October 2018, fixing a total of 49 security vulnerabilities in its products.

This month’s security updates address security vulnerabilities in Microsoft Windows, Edge Browser, Internet Explorer, MS Office, MS Office Services and Web Apps, ChakraCore, SQL Server Management Studio, and Exchange Server.

Of the 49 flaws patched this month, 12 are rated critical, 35 important, one moderate, and one low in severity.

Three of these vulnerabilities patched by the tech giant are listed as “publicly known” at the time of release, and one flaw is reported as being actively exploited in the wild.

Windows Update Patches An Important Flaw Under Active Attack

According to the Microsoft advisory, an undisclosed group of attackers is actively exploiting an important elevation-of-privilege vulnerability (CVE-2018-8453) in the Microsoft Windows operating system to take full control of targeted systems.

The flaw exists because the Win32k kernel-mode driver component fails to properly handle objects in memory, allowing an attacker to run arbitrary code in kernel mode using a specially crafted application.

This month’s updates also patch a critical remote code execution vulnerability in Microsoft Windows that affects all supported versions of Windows, including Windows 10, 8.1, 7, and Server 2019, 2016, 2012, and 2008.

The vulnerability (CVE-2018-8494) resides in the parser component of Microsoft XML Core Services (MSXML) and can be exploited by passing malicious XML content via user input.

An attacker can remotely execute malicious code on a targeted computer and take full control of the system just by convincing users to view a specially crafted website designed to invoke MSXML through a web browser.

Microsoft Patches Three Publicly Disclosed Flaws

Details of one of the three publicly disclosed vulnerabilities were revealed late last month by a security researcher after the company failed to patch the bug within the 120-day deadline.

The vulnerability, rated important and assigned CVE-2018-8423, resides in the Microsoft Jet Database Engine and could allow an attacker to remotely execute malicious code on any vulnerable Windows computer.

For proof-of-concept exploit code and more details about this vulnerability you can read our article.

The remaining two publicly disclosed vulnerabilities are also rated important and reside in the Windows Kernel (CVE-2018-8497) and the Azure IoT Hub Device Client SDK (CVE-2018-8531), leading to privilege escalation and remote code execution respectively.

The security updates also include patches for 9 critical memory corruption vulnerabilities—2 in Internet Explorer, 2 in Microsoft Edge, 4 in the Chakra Scripting Engine, and 1 in the Scripting Engine—all of which lead to remote code execution on the targeted system.

Besides this, Microsoft has also released an update for Microsoft Office that provides enhanced security as a defense-in-depth measure.

Users and system administrators are strongly advised to apply these security patches as soon as possible to keep hackers and cybercriminals away from taking control of their systems.

To install the security updates, go to Settings → Update & security → Windows Update → Check for updates, or install the updates manually.

Just Answering A Video Call Could Compromise Your WhatsApp Account

What if just receiving a video call on WhatsApp could hack your smartphone?

This sounds like a movie plot, but Google Project Zero security researcher Natalie Silvanovich found a critical vulnerability in the WhatsApp messenger that could have allowed hackers to remotely take full control of your WhatsApp just by video calling you over the messaging app.

The vulnerability is a heap memory corruption issue triggered when a user receives a specially crafted, malformed RTP packet via a video call request; the packet corrupts memory and crashes the WhatsApp mobile app.

Since the vulnerability lies in WhatsApp’s RTP (Real-time Transport Protocol) implementation, it affects the Android and iOS apps but not WhatsApp Web, which relies on WebRTC for video calls.
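As an added example (not WhatsApp’s or Project Zero’s code; the sample packets are constructed), the following Python parser shows the length checks a receiver needs on the RTP header fields a remote caller controls before it copies anything into a buffer. It follows the RFC 3550 header layout and rejects packets whose CSRC count, extension length or padding count would run past the end of the datagram:

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional


class MalformedRTP(ValueError):
    """Packet rejected before any length-dependent read."""


@dataclass
class RTPPacket:
    payload_type: int
    sequence: int
    timestamp: int
    ssrc: int
    marker: bool = False
    csrcs: List[int] = field(default_factory=list)
    extension: Optional[bytes] = None
    payload: bytes = b""


def parse_rtp(data: bytes) -> RTPPacket:
    """Parse an RTP packet (RFC 3550 layout), validating every length field
    against the buffer before it is used."""
    if len(data) < 12:
        raise MalformedRTP("fixed header truncated")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", data[:12])
    if b0 >> 6 != 2:
        raise MalformedRTP("unsupported RTP version")
    has_padding = bool(b0 & 0x20)
    has_ext = bool(b0 & 0x10)
    cc = b0 & 0x0F                       # number of 32-bit CSRC identifiers
    offset = 12
    # The CSRC count comes from the sender, so check it fits before unpacking.
    end = offset + 4 * cc
    if end > len(data):
        raise MalformedRTP("CSRC count exceeds packet length")
    csrcs = list(struct.unpack("!%dI" % cc, data[offset:end])) if cc else []
    offset = end
    extension = None
    if has_ext:
        if offset + 4 > len(data):
            raise MalformedRTP("extension header truncated")
        _profile, ext_words = struct.unpack("!HH", data[offset:offset + 4])
        ext_end = offset + 4 + 4 * ext_words   # length is in 32-bit words
        if ext_end > len(data):
            raise MalformedRTP("extension length exceeds packet length")
        extension = data[offset + 4:ext_end]
        offset = ext_end
    payload = data[offset:]
    if has_padding:
        # The last octet says how many padding bytes (including itself) to strip.
        if not payload:
            raise MalformedRTP("padding flag set on empty payload")
        pad = payload[-1]
        if pad == 0 or pad > len(payload):
            raise MalformedRTP("padding count out of range")
        payload = payload[:-pad]
    return RTPPacket(payload_type=b1 & 0x7F, sequence=seq, timestamp=ts, ssrc=ssrc,
                     marker=bool(b1 & 0x80), csrcs=csrcs, extension=extension,
                     payload=payload)


# Constructed sample packets (not captured from WhatsApp).
# Valid: V=2, X=1, CC=1, PT=96, one CSRC, a 4-byte extension, payload "hello".
SAMPLE_VALID = (bytes([0x91, 0x60]) + struct.pack("!HII", 1, 1000, 0xDEADBEEF)
                + struct.pack("!I", 0x01020304)
                + struct.pack("!HH", 0xBEDE, 1) + b"\x01\x02\x03\x04" + b"hello")
# Truncated: header claims CC=15 but only the 12 fixed bytes are present.
SAMPLE_BAD_CSRC = bytes([0x8F]) + SAMPLE_VALID[1:12]
# Padded: P=1, PT=96, payload "ab" followed by 3 padding bytes (count octet = 3).
SAMPLE_PADDED = bytes([0xA0, 0x60]) + struct.pack("!HII", 2, 0, 1) + b"ab\x00\x03"


def classify(data: bytes) -> str:
    """'ok' or the rejection reason, suitable for a receiver's pre-filter or log."""
    try:
        parse_rtp(data)
        return "ok"
    except MalformedRTP as exc:
        return str(exc)
```

Each check compares a sender-controlled count against the bytes actually received before the slice is taken; in a native implementation the same comparisons are what keep a crafted header from driving a copy past the end of a heap buffer.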

Silvanovich also published a proof-of-concept exploit, along with the instructions for reproducing the WhatsApp attack.

Although the proof-of-concept published by Silvanovich only triggers memory corruption, another Google Project Zero researcher, Tavis Ormandy, claims that “This is a big deal. Just answering a call from an attacker could completely compromise WhatsApp.”

In other words, hackers only need your phone number to completely hijack your WhatsApp account and spy on your secret conversations.

Silvanovich discovered and reported the vulnerability to the WhatsApp team in August this year. WhatsApp acknowledged and patched the issue on September 28 in its Android client and on October 3 in its iPhone client.

So if you have not yet updated WhatsApp for Android or WhatsApp for iOS, you should consider upgrading now.

Google+ is Shutting Down After a Vulnerability Exposed 500,000 Users’ Data

Google is going to shut down its social media network Google+ after the company suffered a massive data breach that exposed the private data of hundreds of thousands of Google+ users to third-party developers.

According to the tech giant, a security vulnerability in one of Google+’s People APIs allowed third-party developers to access data for more than 500,000 users, including their usernames, email addresses, occupation, date of birth, profile photos, and gender-related information.

Since Google+ servers do not keep API logs for more than two weeks, the company cannot confirm the number of users impacted by the vulnerability.

However, Google assured its users that the company found no evidence that any developer was aware of this bug, or that the profile data was misused by any of the 438 developers that could have had access.

The vulnerability had been open since 2015 and was fixed after Google discovered it in March 2018, but the company chose not to disclose the breach to the public—at a time when Facebook was being roasted for the Cambridge Analytica scandal.

Though Google has not revealed the technical details of the security vulnerability, the flaw appears to be very similar to the Facebook API flaw that recently allowed unauthorized developers to access private data from Facebook users.

Besides admitting the security breach, Google also announced that the company is shutting down its social media network, acknowledging that Google+ failed to gain broad adoption or significant traction with consumers.

In response, the company has decided to shut down Google+ for consumers by the end of August 2019. However, Google+ will continue as a product for Enterprise users.

Google Introduces New Privacy Controls Over Third-Party App Permissions

As part of its “Project Strobe,” Google engineers also reviewed third-party developer access to Google account and Android device data, and the company has accordingly introduced some new privacy controls.

When a third-party app prompts users for access to their Google account data, clicking the “Allow” button approves all requested permissions at once, leaving an opportunity for malicious apps to trick users into giving away powerful permissions.

But now Google has updated its Account Permissions system so that it asks for each requested permission individually rather than all at once, giving users more control over what type of account data they choose to share with each app.

Since APIs can also give developers access to users’ extremely sensitive data, such as Gmail account data, Google has limited access to the Gmail API to apps that directly enhance email functionality—such as email clients, email backup services and productivity services.


Bank Servers Hacked to Trick ATMs into Spitting Out Millions in Cash

US-CERT has released a joint technical alert from the DHS, the FBI, and the Treasury warning about a new ATM cash-out scheme used by the prolific North Korean APT hacking group known as Hidden Cobra.

Hidden Cobra, also known as Lazarus Group and Guardians of Peace, is believed to be backed by the North Korean government and has previously launched attacks against a number of media organizations, aerospace, financial and critical infrastructure sectors across the world.

The group has also reportedly been associated with the WannaCry ransomware that shut down hospitals and big businesses worldwide last year, the SWIFT banking attack in 2016, and the Sony Pictures hack in 2014.

Now, the FBI, the Department of Homeland Security (DHS), and the Department of the Treasury have released details about a new cyber attack, dubbed “FASTCash,” that Hidden Cobra has been using since at least 2016 to cash out ATMs by compromising bank servers.

FASTCash Hack Fools ATMs into Spitting Out Cash

The investigators analyzed 10 malware samples associated with FASTCash cyber attacks and found that attackers remotely compromise payment “switch application servers” within the targeted banks to facilitate fraudulent transactions.

A switch application server is an essential component of ATM and point-of-sale infrastructure; it communicates with the core banking system to validate a user’s bank account details for a requested transaction.

Whenever you use your payment card at an ATM or a PoS terminal in a retail shop, the software asks the bank’s switch application server (using ISO 8583 message formats) to validate the transaction, accepting or declining it depending on the balance available in your bank account.

However, Hidden Cobra attackers managed to compromise the switch application servers at different banks where they held accounts (and the associated payment cards) with minimal activity or zero balances.

The malware installed on the compromised switch application servers then intercepts transaction requests associated with the attackers’ payment cards and responds with a fake but legitimate-looking approval, without actually validating the available balance with the core banking system, eventually fooling ATMs into dispensing large amounts of cash without the bank being notified.
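As an added defensive example (not from the alert; the log format, field names and the burst threshold are assumptions), the following Python reconciliation check compares the switch’s ISO 8583 authorization responses with the core banking system’s own balance-check log, flagging approvals the core never saw or had declined, which is exactly the gap the scheme described above relies on:

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed log lines (not from the US-CERT alert). The switch records each
# ISO 8583 authorization it answered: the MTI (0210 = authorization response),
# the STAN (field 11, the per-transaction trace number), the masked PAN, the
# amount and the response code (field 39; "00" = approved, "51" = insufficient funds).
SWITCH_LOG = [
    "2018-10-02T10:00:01Z mti=0210 stan=000101 pan=****1111 amount=200.00 rc=00",
    "2018-10-02T10:00:07Z mti=0210 stan=000102 pan=****2222 amount=900.00 rc=00",
    "2018-10-02T10:00:12Z mti=0210 stan=000103 pan=****2222 amount=900.00 rc=00",
    "2018-10-02T10:00:20Z mti=0210 stan=000104 pan=****3333 amount=50.00 rc=51",
    "2018-10-02T10:00:25Z mti=0210 stan=000105 pan=****2222 amount=900.00 rc=00",
]
# The core banking system records every balance lookup the switch asked it for.
CORE_LOG = [
    "2018-10-02T10:00:01Z balance_check stan=000101 pan=****1111 decision=approve",
    "2018-10-02T10:00:12Z balance_check stan=000103 pan=****2222 decision=decline",
    "2018-10-02T10:00:20Z balance_check stan=000104 pan=****3333 decision=decline",
]

KV = re.compile(r"(\w+)=(\S+)")


def parse_kv(line: str) -> Dict[str, str]:
    """Turn a 'key=value' log line into a dict (timestamp carries no '=' and is skipped)."""
    return dict(KV.findall(line))


def reconcile(switch_lines: List[str], core_lines: List[str],
              burst_threshold: int = 3) -> List[Tuple[str, str]]:
    """Return (identifier, reason) findings.

    A healthy switch only approves after the core answered 'approve' for the
    same STAN, so an approval with no matching core lookup, or one that
    contradicts a core decline, indicates the switch answered on its own.
    The burst rule (assumption) catches one card being approved repeatedly.
    """
    core_by_stan = {rec["stan"]: rec for rec in map(parse_kv, core_lines) if "stan" in rec}
    findings: List[Tuple[str, str]] = []
    approved_per_pan: Counter = Counter()
    for rec in map(parse_kv, switch_lines):
        if rec.get("mti") != "0210" or rec.get("rc") != "00":
            continue   # only approvals can make an ATM pay out
        approved_per_pan[rec["pan"]] += 1
        core = core_by_stan.get(rec["stan"])
        if core is None:
            findings.append((rec["stan"], "approved_without_core_check"))
        elif core["decision"] != "approve":
            findings.append((rec["stan"], "approved_despite_core_decline"))
    for pan, count in approved_per_pan.items():
        if count >= burst_threshold:
            findings.append((pan, "approval_burst"))
    return findings
```

On the constructed lines this flags STANs 000102 and 000105 (approved with no core lookup), 000103 (approved after the core declined) and the card ending 2222 (three approvals in a burst). The check only works if the core log is collected from the core system itself rather than from the switch host, since a compromised switch can write whatever it likes to its own logs.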

Hidden Cobra threat actors are using the FASTCash scheme to target banks in Africa and Asia, though the U.S. authorities are still investigating the FASTCash incidents to confirm whether the attack targets banks in the United States.

How Attackers Managed to Compromise Banks’ Switch Application Servers

Though the initial infection vector used to compromise bank networks is unknown, the U.S. authorities believe that the APT threat actors used spear-phishing emails containing a malicious Windows executable against employees at different banks.

Once opened, the executable infected bank employees’ computers with Windows-based malware, allowing hackers to move laterally through a bank’s network using legitimate credentials and deploy malware onto the payment switch application server.

Though most compromised switch application servers were found running unsupported versions of IBM’s Advanced Interactive eXecutive (AIX) operating system, investigators found no evidence that the attackers exploited any vulnerability in AIX.

US-CERT recommends that banks make two-factor authentication mandatory before any user can access the switch application server, and follow best practices to protect their networks.

US-CERT has also provided a downloadable copy of indicators of compromise (IOCs) to help you block them and tune network defenses to reduce exposure to malicious cyber activity by the Hidden Cobra hacking group.

In May 2018, US-CERT also published an advisory alerting users to two different malware families linked to Hidden Cobra—a Remote Access Trojan (RAT) known as Joanap and a Server Message Block (SMB) worm called Brambul.

Last year, the DHS and the FBI also issued an alert describing Hidden Cobra malware Delta Charlie—a DDoS tool that they believed North Korea uses to launch distributed denial-of-service attacks against its targets.

Other malware linked to Hidden Cobra in the past include Destover, Wild Positron (also known as Duuzer), and Hangman, with sophisticated capabilities such as DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware.


16-Year-Old Boy Who Hacked Apple’s Private Systems Gets No Jail Time

An Australian teenager who pleaded guilty to breaking into Apple’s private systems multiple times over several months and downloading some 90GB of secure files has avoided conviction and will not serve time in prison.

An Australian Children’s Court has given the defendant, now a 19-year-old adult who was 16 at the time of the crime, an eight-month probation order, though the magistrate made him understand how serious his offense was.

The teen, who cannot be named under a local law that protects the identity of juveniles, told the court that he hacked into Apple’s systems because he was a huge fan of the company and “dreamed of” working for the technology giant.

The “Hacky Hack Hack” Folder

The teen hacked into Apple’s servers not once, but numerous times over the course of more than a year—between June 2015 and November 2016, and in April 2017.

As soon as the tech giant detected his presence on its servers, it blocked him and contacted the Federal Bureau of Investigation (FBI), which enlisted the Australian Federal Police (AFP), who subsequently raided his home last year and arrested him.

The AFP also seized two Apple laptops, a mobile phone, and a hard drive that contained a folder named “Hacky Hack Hack Methods Exclude,” holding 12 files on methods to infiltrate and bypass Apple’s security.

Australian investigators recovered 90GB of data he had copied from Apple’s systems, “sensitive both from a privacy and commercial point of view,” including highly secure authorized keys used to grant login access to users, as well as access to multiple user accounts.

Here’s How The Boy Hacked Into Apple’s Servers

According to the magistrate, as reported by Bloomberg, the teenager used a virtual private network (VPN) to connect remotely to Apple’s internal systems.

With the help of a friend, the teenager then sent a malicious script to the system that created a secure shell tunnel, allowing him to access systems and bypass firewalls, and eventually enabling them to download data.

Apple reportedly detected the intrusion and blocked his access in November 2016, but the teenager regained access last year in April.

The teen pleaded guilty to two charges in August this year, but no conviction was recorded against him, since the magistrate told the court that he had shown remorse and had cooperated with law enforcement.

Instead of jail time, the defendant was given eight months’ probation.

Apple assured its customers that no personal data was compromised in the hack.

The young hacker has since been accepted into university to study criminology and cyber safety.

The prosecutor says the investigation into the case is still ongoing and could result in other people being charged, including a second teenager who helped him commit the crime.

VPNFilter Router Malware Adds 7 New Network Exploitation Modules

Security researchers have discovered even more dangerous capabilities in VPNFilter—the highly sophisticated multi-stage malware that infected 500,000 routers worldwide in May this year—making it much more widespread and sophisticated than previously thought.

Attributed to Russia’s APT 28, also known as ‘Fancy Bear,’ VPNFilter is a malware platform designed to infect routers and network-attached storage devices from 75 brands including Linksys, MikroTik, Netgear, TP-Link, QNAP, ASUS, D-Link, Huawei, ZTE, Ubiquiti, and UPVEL.

In May, when VPNFilter infected half a million routers and NAS devices in 54 countries, the FBI seized a key command-and-control domain used by the malware and asked people to reboot their routers.

Initially, it was found that VPNFilter had been built with multiple attack modules that could be deployed to the infected routers to steal website credentials and monitor industrial controls or SCADA systems, such as those used in electric grids, other infrastructure and factories.

However, in a new report published by Cisco’s Talos Intelligence security team, researchers said they delved into recent VPNFilter samples and found seven new “third-stage” modules that can even exploit the networks the infected routers are attached to, eventually allowing attackers to steal data and build a covert network for their command-and-control infrastructure for future attacks.

What is VPNFilter Router Malware?

Before going into the details of the seven new third-stage modules, let’s first look at the structure of this multi-stage VPNFilter malware.

Unlike most other malware that targets routers, the first stage of VPNFilter was designed to persist through a reboot, gaining a persistent foothold on the infected device and enabling the deployment of the second-stage malware.

The second-stage module of VPNFilter is not persistent; it is designed to download additional modules onto the infected routers. This module also contains a kill switch with which the malware deliberately self-destructs, rendering the infected router useless.

The third stage of VPNFilter comprises modules designed to expand the capabilities of the second stage, such as a packet sniffer, communication over the Tor anonymizing network, and exploit delivery to compromised devices via JavaScript injection.

List of Newly Discovered VPNFilter Modules

Here is the list of the seven new third-stage modules recently uncovered by Talos researchers, which add significant new functionality to the VPNFilter malware:

  • htpx — This module redirects and inspects HTTP communications with the aim of identifying Windows executables in network traffic. Researchers believe, with moderate confidence, that attackers could use this module to inject malicious code into binary files on the fly as they pass through compromised devices.
  • ndbr — This module is a multifunctional secure shell (SSH) utility that allows a remote attacker to turn the compromised device into an SSH server, an SSH client, or an NMAP port scanner. It can also transfer files using the SCP protocol.
  • nm — This is a network mapping module that can be used to perform reconnaissance from the compromised devices. It also uses the MikroTik Network Discovery Protocol (MNDP) to locate any other MikroTik devices on the local network.
  • netfilter — This module is a denial-of-service utility that allows an attacker to insert iptables rules into the firewall and block sets of network addresses.
  • portforwarding — This module forwards network traffic to a specified infrastructure, allowing attackers to intercept network connections.
  • socks5proxy — This module sets up a SOCKS5 proxy on the compromised device, allowing attackers to build a distributed network of proxies that could be leveraged in future attacks. It uses no authentication and is hardcoded to listen on TCP port 5380.
  • tcpvpn — This module sets up a reverse-TCP VPN on the compromised device, allowing remote attackers to access internal networks behind infected devices.

Besides these 7 new modules, Talos also discovered that the attackers are using the MikroTik administration utility Winbox—a small native Win32 utility that allows administrators to easily set up their routers using a Web-based interface—to infect MikroTik routers.

Talos researchers released a “Winbox Protocol Dissector” plugin on GitHub to let network engineers detect and analyze Winbox traffic captured with tools like Wireshark, and monitor use of the exploited MikroTik protocol.

Although users can get rid of the second stage by rebooting their routers, the first stage remains behind, making it possible for attackers to re-establish a connection to the rebooted device and reinstall the second stage of VPNFilter remotely.

Thankfully, researchers believe that VPNFilter has been fully neutralized, but it is hard to know the future intentions of the threat actors who created this sophisticated, multi-stage, all-in-one malware package.

App protection amid evolving app landscape, automated attacks

The typical modern organization, according to a joint F5-Ponemon global study, uses 765 web applications, of which, 34% are considered mission critical.

Impact-wise, when apps are attacked, 81% of respondents to the F5 Labs 2018 Application Protection Report rated loss of availability or denial of service as “the most painful”, followed by breach of confidential or sensitive information (77%); tampering with an application (73%); and loss of personally identifiable information of customers, consumers, and employees (64%). Injection attacks against app services, account access hijacking and denial-of-service attacks have been the most prevalent.

Cloud-augmented security

An army of attacker-controlled devices, or thingbots, increasingly forms the attackers’ infrastructure. “It definitely is right now for distributed denial of service (DDoS),” said David Holmes, F5’s global security evangelist.

Presently, when volumetric DDoS attacks are detected by F5’s on-premises solutions, customers of the cloud-based F5 Silverline DDoS Protection can use a Hybrid Signaling feature to alert its Security Operations Center (SOC) in real time and reroute traffic for cloud-based scrubbing. “Most DDoS attacks these days are minutes long, not days long,” Holmes added. “It might not be a great value to send somebody an alert [manually] about a giant attack coming and they don’t check their mail for 15 minutes and by the time they check it, it’s over.

“Once an organization gets to a certain size, having a DDoS strategy in place is critical. And depending on the architecture, the most obvious thing is to contract somebody like F5 to be the scrubber because [since] a year ago, we were able to mitigate a 2TB attack. Obviously, even if it is just 1Tb, only service providers can absorb that. A typical enterprise is just not going to be able to.”

The Hybrid Signaling capability can also be leveraged with the F5 BIG-IP Application Security Manager (ASM) web application firewall (WAF) on premises to determine source IP addresses that are bad actors. These can be blocked in the cloud with Silverline DDoS Protection.

WAFs remain the top means of securing applications, along with application scanning and penetration testing. Although they are not designed for bot detection, and their policy-based approaches cannot adapt or scale to defend against large-scale bot attacks, a WAF is still a preventive security control that significantly reduces the risk of web vulnerability exploitation. WAFs can be further complemented by other security controls, such as vulnerability scanning, continuous monitoring, and collaboration with the development team.

This is why F5’s standalone solutions, sitting at the intersection of all application traffic in and out of the organization, can deliver rich visibility into context, with which organizations can then apply critical WAF, DDoS prevention, and access management capabilities against advanced threats.

For example, the virtualized F5 Advanced WAF can be deployed directly from public cloud providers such as Azure or Amazon Web Services (AWS). Its Layer 7 behavioral DoS detection and mitigation enable a hands-off automated protection cycle that is continually optimized and refined.

Similarly, its proactive bot defense allows session-level detection and blocking of automated threats. On the client side, there’s protection against credential stuffing – automated attacks that use previously stolen credentials – while F5 Anti-Bot Mobile SDK integration helps to counter sophisticated bot attacks on mobile API endpoints.

The F5 Advanced WAF can be augmented with the F5 DDoS Hybrid Defender, which has been updated to detect and defend against multi-vector and volumetric DDoS attacks across the network, session, and application layers while integrating offsite cloud scrubbing.

With applications being principal gateways to critical data, and lack of visibility in the application layer among the top barriers to achieving strong application security, F5 has also delivered advanced access controls (F5 Access Manager) and dedicated Secure Sockets Layer visibility with orchestration capabilities (F5 SSL Orchestrator) to help thwart sophisticated cyber attacks.

App-first approach

When Japan-based Golf Digest Online (GDO), a specialty online retailer for golfers, decided to completely transition its infrastructure into the cloud with a move to Amazon Web Services (AWS), it chose the virtual editions of several F5 products to ensure an incident-free transition.

After deploying BIG-IP ASM on AWS to screen all incoming traffic, GDO has attained the same high level of security on AWS that it had with its on-premises system. The ability to continue using an F5 partner’s BIG-IP ASM-based SOC services also relieved pressure on its security resources.

Similarly, financial services company, The Motley Fool, which has been using the F5 BIG-IP Local Traffic Manager (LTM) for load balancing and availability for years, augmented its existing infrastructure with the F5 Silverline Web Application Firewall.

Western Digital’s My Cloud NAS Devices Turn Out to Be Easily Hacked

Security researchers have discovered an authentication bypass vulnerability in Western Digital’s My Cloud NAS devices that potentially allows an unauthenticated attacker to gain admin-level control of the affected devices.

Western Digital’s My Cloud (WD My Cloud) is one of the most popular network-attached storage (NAS) devices, used by businesses and individuals to host their files and to back them up and sync them with various cloud and web-based services.

WD My Cloud devices let users share files on a home network, and their private cloud feature also allows users to access their data from anywhere in the world at any time.

However, security researchers at Securify have discovered an authentication bypass vulnerability on the WD My Cloud NAS boxes that could allow unauthenticated attackers with network access to the device to escalate their privileges to admin-level without needing to provide a password.

This would eventually allow attackers to run commands that normally require administrative privileges and gain complete control of the affected NAS device, including the ability to view, copy, delete and overwrite any files stored on it.

Here’s How Easy it is to Hack a WD My Cloud Storage Box

The vulnerability, designated CVE-2018-17153, resides in the way WD My Cloud creates an admin session tied to an IP address.

By simply including the cookie username=admin in an HTTP CGI request sent to the device’s web interface, an attacker can unlock admin access and gain access to all the content stored on the NAS box.
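To show the difference between trusting a client-supplied cookie and a server-issued session token, here is an added Python model (not Western Digital’s code; the request shape, the demo credential and the session lifetime are assumptions). The first function reproduces the flawed pattern the researchers describe; the SessionStore class is the hardened form, in which the cookie carries only an unguessable random token that the server maps to an authenticated user:

```python
import hmac
import secrets
import time
from typing import Dict, Optional

# Constructed demo credential; a real device stores a salted password hash.
DEMO_ADMIN_PASSWORD = "constructed-demo-password"
USERS = {"admin": DEMO_ADMIN_PASSWORD}


def is_admin_insecure(request: dict) -> bool:
    """Flawed pattern: a cookie the client itself wrote is taken as proof of identity."""
    return request.get("cookies", {}).get("username") == "admin"


class SessionStore:
    """Hardened form: the cookie holds only a random token; identity lives server-side."""

    def __init__(self, ttl_seconds: int = 900):
        self._sessions: Dict[str, dict] = {}
        self._ttl = ttl_seconds

    def login(self, username: str, password: str, remote_addr: str) -> Optional[str]:
        """Verify the credential and issue a session token, or return None."""
        expected = USERS.get(username)
        if expected is None or not hmac.compare_digest(expected, password):
            return None
        token = secrets.token_urlsafe(32)   # 256 bits of entropy; cannot be guessed
        self._sessions[token] = {
            "user": username,
            "addr": remote_addr,             # defence in depth only, never the sole check
            "expires": time.time() + self._ttl,
        }
        return token

    def is_admin(self, request: dict) -> bool:
        """Admin only if the presented token maps to a live admin session."""
        token = request.get("cookies", {}).get("session")
        session = self._sessions.get(token) if token else None
        if session is None or session["expires"] < time.time():
            return False
        if session["addr"] != request.get("remote_addr"):
            return False
        return session["user"] == "admin"

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)
```

Tying a session to the caller’s IP address, as the device reportedly does, adds nothing if the identity itself comes from the client: the binding is only meaningful once the server, not the cookie, is the source of truth for who the caller is.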

Securify researchers have also published a proof-of-concept (PoC) exploit showing how the vulnerability can be exploited with just a few lines of code.

Obviously, the exploit requires either a local network or an internet connection to a WD My Cloud device in order to run the command and bypass the NAS device’s usual login requirements.

The researchers successfully verified the vulnerability on a Western Digital My Cloud model WDBCTL0020HWT running firmware version 2.30.172, though they claimed that this issue is not limited to the model, as most products in the My Cloud series share the same “vulnerable” code.

Securify researchers found the issue while reverse engineering the CGI binaries to look for security bugs, and reported it to Western Digital in April 2017, but did not receive any response from the company.

After almost one-and-a-half years of silence from Western Digital, the researchers finally publicly disclosed the vulnerability, which is still unpatched.

This is not the first time Western Digital has ignored the security of its My Cloud NAS device users.

Earlier this year, a researcher publicly disclosed several vulnerabilities in Western Digital’s My Cloud NAS devices, including a hard-coded password backdoor in their firmware, after the company did not address the issue, which had been reported 180 days before it was made public.