Although 45 days have passed since Western Digital was successfully targeted in a cyber attack, the brand has only recently opened up a little further on the nature and impact. Although we covered this in alot of detail back in the middle of April (see link below), WD has only recently publicly shared a little of the data was accessed, as well as contacting potentially affected users. Also, in that time, several other prominent online security sources have added to the discussion, wither independently or after being contacted by the attackers to verify the legitimacy of their claims. For many, the 10-day suspension of the WD My Cloud services might have been the last they have heard about these events, assuming that this had been fully resolved. Sadly that is not the case and whether you are a WD NAS user or not, it might be worth taking a moment to get updated on the ongoing security issues surrounding a big name in NAS and one of the biggest names in storage!
Previous News Port on this HERE – Western Digital Cyber Incident Update- WHAT HAPPENED?
Continued Taunting and Claims By the Hacker Group, BlackCat via ALPHV
Towards the end of April (first on the 18/04 and then later on the 28/04) Dominic Alvieri, a Cybersecurity analyst and security researcher (find his twitter HERE), detailed online information/posts shared by Blackcat on the site Alphv with regard to the data obtained, claims of the WD’s response, lack of security care, information surrounding their intentions and details of the data obtained. While the perpetrators claim not to be part of the ALPHV ransomware group, the posts were shared via their data leak site to highlight the current status quo with Western Digital.
You have to read this final warning.@westerndigital @BleepinComputer https://t.co/P625juLWo1 pic.twitter.com/ohvc2QRP7g
— Dominic Alvieri (@AlvieriD) April 18, 2023
The text in the posted pages is as follows:
Western Intelligence or Western Digital: The Fine Line Between Selling Drives and Espionage 4/18/2023, 12:36:47 AM
Oh Western Digital, The chances we give you, but the continuous egotistical behavior shown indicates you don’t even care about the well being of your company in the slightest. Even the largest companies would want to know every detail they can about what was taken, but Western Digital didn’t even bother to contact us. I am confused by this because we offered to give them file trees of everything, as all groups do when extorting their victims. But as stated they did not even contact. How sad, but I cannot say I’m surprised. At the helm of this company you have a corrupt former Cisco Executive. We thought after our interview with TechCrunch maybe they’d come to do some exploring to find out what data was taken, though. If you are investing in this company– I would advise encouraging the leadership to at least find out what was taken.
Please do not feel sorry for these hounds. I can assure you that they are far more corrupt than you realize, and we have evidence to support our assertions. It’s approaching fast. But, we are not superior to them. We apologize but we won’t divulge if they pay.
Important documents will be released while priceless artifacts will be sold. At this moment, nothing has been sold or leaked. Despite our attempts over the past two weeks, Western Digital has not responded to any of our contact attempts. Even the most naive organizations would want to know precisely what was taken, this situation demonstrates the lack of corporate governance. Have a look at how far we were able to travel through their network, for example. They are corrupt and disregarded everything, thinking nothing would happen. News flash: When they filed Form 8-K with the Securities and Exchange Commission, they misrepresented several details regarding our intrusion, purposefully.
It appears there is additional speculation. No worries everyone we will clean it up. We have their firmware too.
We will fuck you until you cannot stand anymore Western Digital Consider this our final warning.
This was followed up by Dominic by further shared posts by Blackcat:
BlackCat on Western Digital part 2.
“We’ve seen speculation when it comes to customer data. To clarify we obtained a full backup to their SAP back office.”@westerndigital pic.twitter.com/Sm7eg2zmKz
— Dominic Alvieri (@AlvieriD) April 28, 2023
The text in the posted pages is as follows:
Western Digital Chronicles II: The Weekly Descent into Oblivion
4/28/2023, 10:10:40 PM
The last I recall we said something along the lines of “I will fuck you until you cannot stand anymore” I guess they thought we were surely joking.
He didn’t get in touch or glance at the webpage. Don’t be concerned, David. I’ll dismantle your wealth now. You appear so immense and influential.
Beginning next week on an unspecified day, we will share leaks every week until we lose interest. Once that happens, we will put their intellectual property up for sale, including code signing certificates, firmware, personally identifiable information of customers, and more.
We’ve seen speculation surrounding customer data. To clarify, we obtained a full backup of their SAP Back Office, which dates back to the last week of March. The backup contains everything (cont)
The page also contains an additional screenshot of a template that presumably was intended for WD users/customers that was to be tailored to impacted users that Blackcat claims to have obtained alongside a plethora of other internal data:
Dear Customer
wanted to notify you that Western Digital recently learned of a network security incident affecting some of our systems. When we become aware of the issue, we quickly launched on investigation with the assistance of leading outside security experts and proactively took some of our systems offline. We are investigating this situation and taking steps to secure our systems. We also are coordinating with law enforcement. Our relationship with you is very important to us and we appreciate your patience while we work through our investigation
SPECIFIC IMPACT TO INDIVIDUAL CUSTOMER IF APPROPRIATE
As a precaution, we have temporarily removed access to our engineering labs and you will not have access to (YOUR SHARED/ lob. We regret any inconvenience to you and your teams and would i ensure you that restoring network access is a top priority (include species of engineering lab acces impact to timeline/deliverables we con
We will keep you informed of our progress as appropriate, and please let me know if you have any questions
Thank you for your ongoing support
Finally, there as details of a shared morning video call with WD Security Threat specialists. All of this in efforts to draw a line through speculation when it comes to customer data and clarify their claims that they have obtained a full backup to WD’s SAP back office
This is a black eye for Western Digital.
BlackCat even posted an early morning video conference “with the finest threat hunters Western Digital has to offer.” https://t.co/QURl2NCScW pic.twitter.com/Y0ElQXHET0
— Dominic Alvieri (@AlvieriD) April 29, 2023
Alongside this, BleepingComputer reports that Western Digital had screenshots of internal emails, files, and video conferences pertaining to its response efforts to a cyberattack in the previously covered March leaked by BlackCat (via Alphv) after the group threatened significant damage to the firm should it refuse to pay the ransom (also first detailed over on TechCrunch).
WD Response and Alerting Its Customers
On the 5th May, Western Digital provided several new updates to the ongoing data security attack, though all of which were a little late out the gate compared with the continued deluge by the attackers themselves and communication with editor platforms (and security experts online up to this point). First, there was an official press release HERE that (focusing on the network security incident) stated the following:
05-05-23 Western Digital Corp. (NASDAQ: WDC) today provided an update on a network security incident involving the Company’s systems.
“On March 26, 2023, we identified a network security incident where an unauthorized third party gained access to a number of the Company’s systems.
On April 2, 2023, we disclosed that upon discovery of this incident, we implemented incident response efforts and initiated an investigation with the assistance of leading security industry experts. This investigation is underway and includes analysis to understand the nature and scope of data obtained by the unauthorized party.
As a precautionary measure to secure our business operations, the Company proactively disconnected our systems and services from the public Internet. We are progressing through our restoration process and the majority of our impacted systems and services are now operational. Our factories are and have been operational throughout this incident and we are shipping products to meet our customers’ needs. While initially impacted by our proactive measures, as of April 13, 2023, My Cloud service was restored. Account access to Western Digital’s online store also was impacted and is expected to be restored the week of May 15, 2023.
In collaboration with outside forensic experts, we confirmed that an unauthorized party obtained a copy of a Western Digital database used for our online store that contained some personal information of our online store customers. This information included customer names, billing and shipping addresses, email addresses and telephone numbers. In addition, the database contained, in encrypted format, hashed and salted passwords and partial credit card numbers. We will communicate directly with impacted customers.
We are aware that other alleged Western Digital information has been made public. We are investigating the validity of this data and will continue reporting our findings as appropriate.
Regarding reports of the potential to fraudulently use digital signing technology allegedly attributed to Western Digital in consumer products, we can confirm that we have control over our digital certificate infrastructure. In the event we need to take precautionary measures to protect customers, we are equipped to revoke certificates as needed. We’d like to remind consumers to always use caution when downloading applications from non-reputable sources on the Internet.”
This was also joined by a message that was sent out to WD customers. Detailing a little more on the data that has been obtained. Though it does not detail the extent of the volume of impacted users or if the vulnerability in question that the attackers used has been fully neutralized:
Original text:
Dear Customer,
We are writing to notify you about a network security incident involving your Western Digital online store account. After learning of the incident, we quickly launched an investigation to understand its nature and scope. We are working with leading outside forensic and security experts to assist with our investigation and are coordinating with law enforcement.
Based on the investigation, we recently learned that, on or around March 26, 2023, an unauthorized party obtained a copy of a Western Digital database that contained limited personal information of our online store customers. The information included customer names, billing and shipping addresses, email addresses, and telephone numbers. As a security measure, the relevant database stored, in encrypted format, hashed passwords (which were salted) and partial credit card numbers.
We have temporarily suspended online store account access and the ability to make online purchases. We expect to restore access the week of May 15, 2023. As a precautionary measure, you can take the following steps to help protect your
personal information from potential misuse:
Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information. Avoid clicking on links or downloading attachments from suspicious emails. Check whether your email account has spam settings to help you detect or block suspicious emails.
We hope this information is useful to you. If you have any questions regarding this incident, please call 855-493-7867, Monday-Friday, 8am-5pm PST.
As good as it is that WD are finally sharing more information on the impact of this, since the relative lack of noise they were making on the initial security attack (which led to the WD shop being taken offline and them suspending their WD My Cloud remote services), this is still quite a vague detail on how/if/who has been impacted here. I appreciate that they need to remain guarded (both from a continued security stance and perhaps legally), but given the scale of users that still use their relatively low barrier and affordable NAS solutions, this does seem something of a lacklustre response! Add to that the question marks of if customer data stored in the WD Store and/or the extent of confidential information that is potentially going to be sold to the highest bidder – I think WD needs to be more proactive on this!
The WD Shop is Still Open – Sort of…
The WD Shop has not really been back to 100% since the initial impact of the security attack. Intermittently, we saw the store display this message:
When the store was accessible, the header of the site continues to display the following message:
That said, products and series catalogues can now be accessed. However, you are still not able to make purchases, instead being redirected to resellers in your area:
The concern here of course, is whether the vulnerability in question has been blocked and how much of the WD Shop infrastructure is/was/could have been involved in the cyber incident. WD states that they expect to reinstate access to the WD Shop by May 15th, 2023.
If I Use a WD NAS or Have a WD Shop Account – What Should I Do?
If you are an existing (or even former) WD NAS user, alternatively, you are someone who has shopped at the WD Shop before, then I would certainly recommend that you follow the following guidelines:
- As mentioned in WD’s own messaging, be very mindful and careful with any communication that pertains to be from WD/Western Digital regarding your account. Do NOT provide any further information or account details if prompted (as this might likely allow assisted brute force access hacking). Additionally, check all mail domains of any communication you receive and check any URLs you are directed towards in advance (i.e copy link and paste to view before using) in order to check the destination domain
- If you have not already, change your WD NAS admin/general-user admin login credentials and instate 2-Step Authentication were possible. There is still no confirmation that complete and unencrypted information of user account credentials has been leaked – but why take that chance?
- Ensure your off-site/off-system backups are in order. If an attacker is able to fully access or even partially access your WD NAS system via even moderately powerful user credentials, they are far, FAR more likely to push for ransomware (encrypting your data without leaving a local key) than deletion/destruction, as there is no means of exploiting this for payment. So GET YOUR BACKUPS IN ORDER. Do not rely on a USB backup unless it is only connected during periodic backups and automatically ejected afterwards.
Thinking of leaving WD NAS? Use my Comparison Guide video below to find out which of the other big names in NAS hardware and/or software best suits your needs:
📧 SUBSCRIBE TO OUR NEWSLETTER 🔔
🔒 Join Inner Circle
Get an alert every time something gets added to this specific article!
This description contains links to Amazon. These links will take you to some of the products mentioned in today's content. As an Amazon Associate, I earn from qualifying purchases. Visit the NASCompares Deal Finder to find the best place to buy this device in your region, based on Service, Support and Reputation - Just Search for your NAS Drive in the Box Below
Need Advice on Data Storage from an Expert?
Finally, for free advice about your setup, just leave a message in the comments below here at NASCompares.com and we will get back to you.
 |
 |
