27 June, 2022

Air Ytube

The Best In Technology

Home » WD My Book NAS devices are being remotely wiped clean worldwide

WD My Book NAS devices are being remotely wiped clean worldwide

Western Digital My Book NAS owners worldwide found that their devices have been mysteriously factory reset and all of their files deleted.

WD My Book is a network-attached storage device that looks like a small vertical book that you can stand on your desk. The WD My Book Live app allows owners to access their files and manage their devices remotely, even if the NAS is behind a firewall or router.

Today, WD My Book owners worldwide suddenly found that all of their files were mysteriously deleted, and they could no longer log into the device via a browser or an app.

When they attempted to log in via the Web dashboard, the device stated that they had an “Invalid password.”

“I have a WD My Book live connected to my home LAN and worked fine for years. I have just found that somehow all the data on it is gone today, while the directories seems there but empty. Previously the 2T volume was almost full but now it shows full capacity,” a WD My Book owner reported on the Western Digital Community Forums.

“The even strange thing is when I try to log into the control UI for diagnosis I was-only able to get to this landing page with an input box for “owner password”. I have tried the default password “admin” and also what I could set for it with no luck.”

Password no longer working in My Book Live
Password no longer working in My Book Live
Source: WD Forum

My Book devices issued a factory reset command

After further owners confirmed that their devices suffered the same issue, owners reported that the MyBook logs showed that the devices received a remote command to perform a factory reset starting at around 3 PM yesterday and through the night.

“I have found this in user.log of this drive today:
Jun 23 15:14:05 My BookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 My BookLive shutdown[24582]: shutting down for system reboot
Jun 23 16:02:26 My BookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 My BookLive _: pkg: wd-nas
Jun 23 16:02:30 My BookLive _: pkg: networking-general
Jun 23 16:02:30 My BookLive _: pkg: apache-php-webdav
Jun 23 16:02:31 My BookLive _: pkg: date-time
Jun 23 16:02:31 My BookLive _: pkg: alerts
Jun 23 16:02:31 My BookLive logger: hostname=My BookLive
Jun 23 16:02:32 My BookLive _: pkg: admin-rest-api
I believe this is the culprit of why this happens…No one was even home to use this drive at this time…”

Unlike QNAP devices, which are commonly connected to the Internet and exposed to attacks such as the QLocker Ransomware, the Western Digital My Book devices are stored behind a firewall and communicate through the My Book Live cloud servers to provide remote access.

Some users have expressed concerns that Western Digital’s servers were hacked to allow a threat actor to push out a remote factory reset command to all devices connected to the service.

If a threat actor wiped devices, it is strange as no one has reported ransom notes or other threats, meaning the attack was simply meant to be destructive.

Some users affected by this attack have reported success recovering some of their files using the PhotoRec file recovery tool.

Unfortunately, other users have not had as much success.

If you own a WD My Book Look NAS device, Western Digital strongly recommends that you disconnect the device from the Internet.

“At this time, we recommend you disconnect your My Book Live and My Book Live Duo from the Internet to protect your data on the device,” Western Digital said in an advisory.

Unpatched vulnerability believed to be behind attacks

Western Digital told BleepingComputer that they are actively investigating the attacks but do not believe it was a compromise of their servers.

“Western Digital has determined that some My Book Live devices are being compromised by malicious software. In some cases, this compromise has led to a factory reset that appears to erase all data on the device. The My Book Live device received its final firmware update in 2015. We understand that our customers’ data is very important. At this time, we recommend you disconnect your My Book Live from the Internet to protect your data on the device. We are actively investigating and we will provide updates to this thread when they are available.” – Western Digital

Western Digital further told BleepingComputer that they believe the devices were compromised using an unpatched vulnerability after they were connected directly to the Internet.

The WD My Book Live devices received their final firmware update in 2015.

Since then, a remote code execution vulnerability tracked as CVE-2018-18472 was disclosed along with a public proof-of-concept exploit.

It is believed that a threat actor performed a mass scan of the Internet for vulnerable devices and used this vulnerability to issue the factory-reset command.

Update 6/24/21: Added statement from Wester Digital
Update 6/25/21: Added information about vulnerability and recovery options.

Thx to Jol for the tip.