A large number of Western Digital drives wiped, or hackers fighting each other: new vulnerabilities found

Heart of the Machine report

Editors: Chen Ping, Zenan

Your hard drive may already have been compromised by hackers and used for cryptomining. The recent wave of sudden wipes happened because another group of hackers wanted to "grab territory" from them.

Last Thursday, the remote wiping of user data on a large number of Western Digital My Book Live network drives drew public attention. As Western Digital officials asked users to unplug the devices from the network, things began to get a little chaotic.

This week, another security researcher revealed that these drives still contain new vulnerabilities.

After submitting these findings to Western Digital, the researchers received the following reply: "We can confirm that in at least some cases, the attackers exploited a command injection vulnerability (CVE-2018-18472), followed by a factory reset vulnerability. It is not yet clear why the attackers exploited both vulnerabilities. We will request a CVE for the factory reset vulnerability and will update our bulletin to include this information."

The vulnerability is password-protected

This discovery raises a thorny question: if the hackers already had full root access via CVE-2018-18472, what did they need the second vulnerability for? There is no clear answer yet, but based on the available evidence, Abdine proposed a plausible theory: one hacker first attacked using CVE-2018-18472, and a rival then used the other vulnerability in an attempt to seize control of the already-compromised devices.

The attacker used the code execution provided by CVE-2018-18472 to modify the My Book Live's language_configuration.php file, which is where the vulnerability resides. According to a recovered copy of the file, the code was modified by adding the following lines:

This change prevents anyone from exploiting the vulnerability without the password corresponding to the SHA1 hash 56f650e16801d38f47bb0eeac39e21a8142d7da1. It turned out that the password behind this hash was p$efx3tqwoubfc%B%R$k@.

Another modified language_configuration.php file recovered from a hacked device used a different password, corresponding to the hash 05951edd7f05318019c4cfafab8e567afe7936d4. The hackers used a third hash, b18c379fd377b51b7925b2b68ff818cc9115a47, to password-protect a separate file named accessdenied.php. This was probably intended to stop Western Digital from interfering with language_configuration.php.

So far, attempts to crack these two hashes have been unsuccessful.
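The password gate described above is a useful indicator for anyone examining a My Book Live filesystem image. The following scanner is an added example, not code from the article, Censys or Western Digital: it walks a mounted image, looks in the two PHP files the article names for the three SHA1 values quoted above, and also flags any other `sha1()` comparison of request input against a hard-coded 40-character digest, since stock firmware has no reason to gate these handlers that way. The PHP snippets at the bottom are constructed samples for testing, not recovered files.

```python
"""Scan My Book Live PHP sources for the password-gated backdoor described in the article.

Added example (not from the article, Censys or Western Digital). The three SHA1
hashes are the ones quoted in the article; the sample PHP snippets are constructed.
"""
import os
import re

# Hashes quoted in the article (indicators of compromise). The third one is
# printed in the article with 39 hex characters and is kept as printed.
KNOWN_BACKDOOR_HASHES = {
    "56f650e16801d38f47bb0eeac39e21a8142d7da1": "language_configuration.php guard (password recovered)",
    "05951edd7f05318019c4cfafab8e567afe7936d4": "language_configuration.php guard (second variant)",
    "b18c379fd377b51b7925b2b68ff818cc9115a47": "accessdenied.php guard",
}

# Files the article names as modified on compromised devices.
WATCHED_FILES = ("language_configuration.php", "accessdenied.php")

# Generic pattern: sha1() of request input compared against a 40-hex literal.
SHA1_GATE_RE = re.compile(
    r"sha1\s*\(\s*\$_(?:GET|POST|REQUEST)\b[^)]*\)\s*(?:!==?|===?)\s*['\"]([0-9a-f]{40})['\"]",
    re.IGNORECASE,
)


def scan_php_source(name, text):
    """Return a list of (indicator, detail) findings for one PHP file's contents."""
    findings = []
    lowered = text.lower()
    # 1. Exact match on the hashes the article attributes to the attackers.
    for digest, label in KNOWN_BACKDOOR_HASHES.items():
        if digest in lowered:
            findings.append(("known-hash", f"{name}: {digest} ({label})"))
    # 2. Any other hard-coded SHA1 gate on request input (unknown variant).
    for m in SHA1_GATE_RE.finditer(text):
        digest = m.group(1).lower()
        if digest not in KNOWN_BACKDOOR_HASHES:
            findings.append(("sha1-gate", f"{name}: unknown gate hash {digest}"))
    return findings


def scan_tree(root):
    """Walk a directory (e.g. a mounted firmware image) and scan the watched PHP files."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn in WATCHED_FILES:
                path = os.path.join(dirpath, fn)
                with open(path, "r", errors="replace") as fh:
                    findings.extend(scan_php_source(path, fh.read()))
    return findings


# Constructed sample of what an injected guard could look like (an assumption,
# not a recovered file): the handler bails out unless the request carries the
# password whose SHA1 equals the hard-coded digest.
SAMPLE_INJECTED_PHP = """<?php
if (sha1($_REQUEST['key']) != '56f650e16801d38f47bb0eeac39e21a8142d7da1') {
    die('Access denied');
}
"""

# Constructed sample with no gate, to show the scanner stays quiet on clean code.
SAMPLE_CLEAN_PHP = """<?php
$language = $_REQUEST['language'];
"""

if __name__ == "__main__":
    for kind, detail in scan_php_source("language_configuration.php", SAMPLE_INJECTED_PHP):
        print(kind, detail)
```

Run `scan_tree("/mnt/mybooklive")` against a mounted image; a `known-hash` hit ties the device to the campaign described here, while a `sha1-gate` hit with an unfamiliar digest suggests a variant worth preserving for analysis before the device is reset.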

According to Western Digital's bulletin, some My Book Live drives were compromised by hackers via CVE-2018-18472 and infected with malware named .nttpd,1-ppc-be-t1-z. The malware runs on PowerPC hardware, and the My Book Live is such a device.

On a Western Digital forum, one user reported that their hacked My Book Live had received malware that made the device part of a botnet called Linux.Ngioweb.

One possibility

So why would hackers who had successfully enrolled so many My Book Live devices in a botnet suddenly wipe everything? And why would they use an undocumented authentication mechanism when they already had root privileges?

The most likely answer seems to be that the mass wipes and resets were caused by another wave of attackers, most probably a rival trying to take over the competitor's botnet, or simply to destroy it.

"As for the mass POSTs to the [system]_factory_ endpoint, we don't know the motivation. It may be a rival botnet operator trying to take over these devices or render them useless, or someone who wants to destroy them some other way. These devices may have been compromised for some time; after all, the vulnerability has existed since 2015," Abdine said.

Either way, the discovery of the second vulnerability means the My Book Live is even less secure than you thought. That may be the real reason Western Digital told all users to unplug the network cable immediately; anyone who owns one of these drives should do so right away.

https://censys.io/blog/cve-2018-18472-western-digital-my-book-live-mass-exploitation/

https://arstechnica.com/gadgets/2021/06/hackers-exploited-0-day-not-2018-bug-to-mass-wipe-my-book-live-devices/

WAIC AI Developer Forum: the AI era after deep learning

From July 8 to 10, the WAIC AI Developer Forum will showcase this year's most cutting-edge research directions and technical results in artificial intelligence through three core modules: the AI Developer Forum, the WAIC Developer Hackathon and the WAIC Yunfan Award.

On July 10, the WAIC Developer Forum will host talks from a number of industry leaders on topics including large-scale language intelligence, SysML (machine learning systems), multimodal machine learning and large-scale automatic generation, RISC-V technology and its ecosystem, and AI-native computer systems, meeting the multi-level learning needs of AI developers.

Besides the talks, we have also prepared prizes: an RTX 3060 graphics card, HHKB keyboards, AirTags, professional AI books and desk mouse pads. Attendees can enter the draw after checking in on site.

Scan the QR code below to register now.


Link: https://new.qq.com/omn/20210630/20210630A04OCV00.html

Update time: 2021-06-30 14:46:53
