Western Digital My Book Live NAS owners worldwide found that their devices have been mysteriously factory reset and all of their files deleted.
WD My Book Live is a network-attached storage device that looks like a small vertical book that you can stand on your desk. The WD My Book Live app allows owners to access their files and manage their devices remotely, even if the NAS is behind a firewall or router.
Today, WD My Book Live and WD My Book Live DUO owners worldwide suddenly found that all of their files were mysteriously deleted, and they could no longer log into the device via a browser or an app.
When they attempted to log in via the Web dashboard, the device stated that they had an “Invalid password.”
“I have a WD My Book live connected to my home LAN and worked fine for years. I have just found that somehow all the data on it is gone today, while the directories seems there but empty. Previously the 2T volume was almost full but now it shows full capacity,” a WD My Book owner reported on the Western Digital Community Forums.
“The even strange thing is when I try to log into the control UI for diagnosis I was-only able to get to this landing page with an input box for “owner password”. I have tried the default password “admin” and also what I could set for it with no luck.”
My Book Live devices issued a factory reset command
After further owners confirmed that their devices suffered the same issue, owners reported that the MyBook logs showed that the devices received a remote command to perform a factory reset starting at around 3 PM yesterday and through the night.
“I have found this in user.log of this drive today:
Jun 23 15:14:05 My BookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 My BookLive shutdown: shutting down for system reboot
Jun 23 16:02:26 My BookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 My BookLive _: pkg: wd-nas
Jun 23 16:02:30 My BookLive _: pkg: networking-general
Jun 23 16:02:30 My BookLive _: pkg: apache-php-webdav
Jun 23 16:02:31 My BookLive _: pkg: date-time
Jun 23 16:02:31 My BookLive _: pkg: alerts
Jun 23 16:02:31 My BookLive logger: hostname=My BookLive
Jun 23 16:02:32 My BookLive _: pkg: admin-rest-api
I believe this is the culprit of why this happens…No one was even home to use this drive at this time…”
Unlike QNAP devices, which are commonly connected to the Internet and exposed to attacks such as the QLocker Ransomware, the Western Digital My Book devices are stored behind a firewall and communicate through the My Book Live cloud servers to provide remote access.
Some users have expressed concerns that Western Digital’s servers were hacked to allow a threat actor to push out a remote factory reset command to all devices connected to the service.
If a threat actor wiped devices, it is strange as no one has reported ransom notes or other threats, meaning the attack was simply meant to be destructive.
Some users affected by this attack have reported success recovering some of their files using the PhotoRec file recovery tool.
Unfortunately, other users have not had as much success.
If you own a WD My Book Live NAS device, Western Digital strongly recommends that you disconnect the device from the Internet.
“At this time, we recommend you disconnect your My Book Live and My Book Live Duo from the Internet to protect your data on the device,” Western Digital said in an advisory.
Unpatched vulnerability believed to be behind attacks
In a statement shared with BleepingComputer, Western Digital has determined that My Book Live and My Book Live Duo devices connected directly to the Internet are are being targeted using a remote code execution vulnerability.
Western Digital has determined that some My Book Live and My Book Live Duo devices are being compromised through exploitation of a remote command execution vulnerability. In some cases, the attackers have triggered a factory reset that appears to erase all data on the device.
We are reviewing log files which we have received from affected customers to further characterize the attack and the mechanism of access. The log files we have reviewed show that the attackers directly connected to the affected My Book Live devices from a variety of IP addresses in different countries. This indicates that the affected devices were directly accessible from the Internet, either through direct connection or through port forwarding that was enabled either manually or automatically via UPnP.
Additionally, the log files show that on some devices, the attackers installed a trojan with a file named “.nttpd,1-ppc-be-t1-z”, which is a Linux ELF binary compiled for the PowerPC architecture used by the My Book Live and Live Duo. A sample of this trojan has been captured for further analysis and it has been uploaded to VirusTotal.
Our investigation of this incident has not uncovered any evidence that Western Digital cloud services, firmware update servers, or customer credentials were compromised. As the My Book Live devices can be directly exposed to the internet through port forwarding, the attackers may be able to discover vulnerable devices through port scanning.
We understand that our customers’ data is very important. We do not yet understand why the attacker triggered the factory reset; however, we have obtained a sample of an affected device and are investigating further. Additionally, some customers have reported that data recovery tools may be able to recover data from affected devices, and we are currently investigating the effectiveness of these tools.
The WD My Book Live devices received their final firmware update in 2015.
Since then, a remote code execution vulnerability tracked as CVE-2018-18472 was disclosed along with a public proof-of-concept exploit.
It is believed that a threat actor performed a mass scan of the Internet for vulnerable devices and used this vulnerability to issue the factory-reset command.
Update 6/24/21: Added statement from Wester Digital
Update 6/25/21: Added information about vulnerability and recovery options.
Update 6/26/21: Added full updated statement.
Thx to Tim from desert datarecovery for the tip.