Western Digital My Book NAS devices are being remotely wiped clean worldwide
Updated: Aug 27
On June 24th 2021 Lawrence Abrams of Bleeping Computer reported on a rather serious issue that affects consumers and businesses worldwide, pertaining to their personal data connected online via Western Digital My Book Network Attached Storage (NAS) drives. Long story short: users' drives were being erased!
For individuals who used their WD as a primary drive rather than a backup, this meant certain disaster, as their data was now gone. If you've been a client of Bringing Your Tech to Life you've heard us say time and time again: "If your data is important, keep it on two devices... and if it's really important, on two devices in two locations." This story, like the many before it and the many that are sure to follow, supports that statement. Fast forward 12 days (July 6th 2021) and Western Digital has responded via email to its users (yes, you had to have registered your product) with a pretty solid solution that we at Bringing Your Tech to Life have to admit is the right step to take from a customer service point of view.
What can we learn from this?
For starters, back up your data! Preferably on a system that is offline (not the cloud) and off site.
Secondly, stop using hardware and/or software that has reached End of Life (EOL). Yes, I'm talking to those users still running Windows 7 (and older), iOS 11 (and older), Android 7.0 (and older) and macOS High Sierra 10.13 (and older)!
https://www.bleepingcomputer.com/news/security/wd-my-book-nas-devices-are-being-remotely-wiped-clean-worldwide/
Western Digital My Book Live NAS owners worldwide found that their devices have been mysteriously factory reset and all of their files deleted.
WD My Book Live is a network-attached storage device that looks like a small vertical book that you can stand on your desk. The WD My Book Live app allows owners to access their files and manage their devices remotely, even if the NAS is behind a firewall or router.
Today, WD My Book Live and WD My Book Live DUO owners worldwide suddenly found that all of their files were mysteriously deleted, and they could no longer log into the device via a browser or an app.
When they attempted to log in via the Web dashboard, the device stated that they had an "Invalid password."
"I have a WD My Book Live connected to my home LAN and it worked fine for years. I have just found that somehow all the data on it is gone today, while the directories seem to be there but empty. Previously the 2T volume was almost full but now it shows full capacity," a WD My Book owner reported on the Western Digital Community Forums.
"The even stranger thing is when I try to log into the control UI for diagnosis I was only able to get to this landing page with an input box for “owner password”. I have tried the default password “admin” and also what I could set for it with no luck."
My Book Live devices issued a factory reset command
After further owners confirmed that their devices suffered the same issue, owners reported that the MyBook logs showed that the devices received a remote command to perform a factory reset starting at around 3 PM yesterday and through the night.
"I have found this in user.log of this drive today:
Jun 23 15:14:05 My BookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 My BookLive shutdown: shutting down for system reboot
Jun 23 16:02:26 My BookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 My BookLive _: pkg: wd-nas
Jun 23 16:02:30 My BookLive _: pkg: networking-general
Jun 23 16:02:30 My BookLive _: pkg: apache-php-webdav
Jun 23 16:02:31 My BookLive _: pkg: date-time
Jun 23 16:02:31 My BookLive _: pkg: alerts
Jun 23 16:02:31 My BookLive logger: hostname=My BookLive
Jun 23 16:02:32 My BookLive _: pkg: admin-rest-api
I believe this is the culprit of why this happens… No one was even home to use this drive at this time…"
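As an added example (not code from the article or from the forum poster), the following Python scans syslog-style user.log lines like those quoted above and reports when the factoryRestore.sh → reboot → data-volume remount sequence appears in order, together with the packages reprovisioned afterwards. The sample lines are re-typed from that excerpt and the field layout is an assumption drawn from them.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, re-typed line by line from the owner's user.log excerpt above.
SAMPLE_LOG = [
    "Jun 23 15:14:05 My BookLive factoryRestore.sh: begin script:",
    "Jun 23 15:14:05 My BookLive shutdown: shutting down for system reboot",
    "Jun 23 16:02:26 My BookLive S15mountDataVolume.sh: begin script: start",
    "Jun 23 16:02:29 My BookLive _: pkg: wd-nas",
    "Jun 23 16:02:30 My BookLive _: pkg: networking-general",
    "Jun 23 16:02:30 My BookLive _: pkg: apache-php-webdav",
    "Jun 23 16:02:31 My BookLive _: pkg: date-time",
    "Jun 23 16:02:31 My BookLive _: pkg: alerts",
    "Jun 23 16:02:31 My BookLive logger: hostname=My BookLive",
    "Jun 23 16:02:32 My BookLive _: pkg: admin-rest-api",
]

# Field layout assumed from those lines: "<Mon dd HH:MM:SS> <host> <process>: <message>".
# The host is matched non-greedily because "My BookLive" contains a space.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>.+?) (?P<proc>\S+): (?P<msg>.*)$"
)

# The reset-then-reprovision sequence, in the order it appears in the excerpt.
RESET_SEQUENCE = [
    ("factoryRestore.sh", "begin script"),
    ("shutdown", "shutting down for system reboot"),
    ("S15mountDataVolume.sh", "begin script"),
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_factory_reset(lines: List[str]) -> Optional[Dict[str, object]]:
    """Return a finding if the reset sequence occurs in order, else None."""
    events = [e for e in map(parse_line, lines) if e]
    stage, stamps = 0, []
    for e in events:
        proc, needle = RESET_SEQUENCE[stage]
        if e["proc"] == proc and needle in e["msg"]:
            stamps.append(e["ts"])
            stage += 1
            if stage == len(RESET_SEQUENCE):
                break
    if stage < len(RESET_SEQUENCE):
        return None  # no complete reset sequence in this log
    # Packages reinstalled after the wipe: the device coming back with a fresh config.
    pkgs = [e["msg"][len("pkg: "):] for e in events if e["proc"] == "_" and e["msg"].startswith("pkg: ")]
    return {"reset_started": stamps[0], "rebooted": stamps[1], "reprovisioned": stamps[2], "packages": pkgs}


if __name__ == "__main__":
    print(detect_factory_reset(SAMPLE_LOG))
```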
Unlike QNAP devices, which are commonly connected to the Internet and exposed to attacks such as the QLocker Ransomware, the Western Digital My Book devices are stored behind a firewall and communicate through the My Book Live cloud servers to provide remote access.
Some users have expressed concerns that Western Digital's servers were hacked to allow a threat actor to push out a remote factory reset command to all devices connected to the service.
If a threat actor wiped devices, it is strange as no one has reported ransom notes or other threats, meaning the attack was simply meant to be destructive.
Some users affected by this attack have reported success recovering some of their files using the PhotoRec file recovery tool.
Unfortunately, other users have not had as much success.
If you own a WD My Book Live NAS device, Western Digital strongly recommends that you disconnect the device from the Internet.
"At this time, we recommend you disconnect your My Book Live and My Book Live Duo from the Internet to protect your data on the device," Western Digital said in an advisory.
Unpatched vulnerability believed to be behind attacks
In a statement shared with BleepingComputer, Western Digital has determined that My Book Live and My Book Live Duo devices connected directly to the Internet are being targeted using a remote code execution vulnerability.
Western Digital has determined that some My Book Live and My Book Live Duo devices are being compromised through exploitation of a remote command execution vulnerability. In some cases, the attackers have triggered a factory reset that appears to erase all data on the device. We are reviewing log files which we have received from affected customers to further characterize the attack and the mechanism of access.
The log files we have reviewed show that the attackers directly connected to the affected My Book Live devices from a variety of IP addresses in different countries. This indicates that the affected devices were directly accessible from the Internet, either through direct connection or through port forwarding that was enabled either manually or automatically via UPnP.
Additionally, the log files show that on some devices, the attackers installed a trojan with a file named “.nttpd,1-ppc-be-t1-z”, which is a Linux ELF binary compiled for the PowerPC architecture used by the My Book Live and Live Duo. A sample of this trojan has been captured for further analysis and it has been uploaded to VirusTotal.
Our investigation of this incident has not uncovered any evidence that Western Digital cloud services, firmware update servers, or customer credentials were compromised. As the My Book Live devices can be directly exposed to the internet through port forwarding, the attackers may be able to discover vulnerable devices through port scanning.
We understand that our customers’ data is very important. We do not yet understand why the attacker triggered the factory reset; however, we have obtained a sample of an affected device and are investigating further. Additionally, some customers have reported that data recovery tools may be able to recover data from affected devices, and we are currently investigating the effectiveness of these tools.
The WD My Book Live devices received their final firmware update in 2015.
Since then, a remote code execution vulnerability tracked as CVE-2018-18472 was disclosed along with a public proof-of-concept exploit.
It is believed that a threat actor performed a mass scan of the Internet for vulnerable devices and used this vulnerability to issue the factory-reset command.
Update 6/24/21: Added statement from Western Digital.
Update 6/25/21: Added information about vulnerability and recovery options.
Update 6/26/21: Added full updated statement.
Hello My Book™ Live/My Book Live Duo Customer,
If you are a My Book Live or My Book Live Duo customer, we are offering the following limited time offer:
Trade-In Offer:
Western Digital is offering current registered My Book Live or My Book Live Duo customers a trade-in discount of 40% off a select new My Cloud™ Home personal cloud storage or My Cloud EX2 Ultra 2-bay network attached storage device. For more information regarding the trade-in offer for eligible devices, please visit My Book Live and My Book Live Duo: Trade-In Offer.
Offer Details
Trade In
Western Digital is offering eligible customers a trade-in option to upgrade their qualifying My Book Live or My Book Live Duo products to a select new My Cloud Home or My Cloud EX2 Ultra device.
Qualifying Products
The following models of My Book Live and My Book Live Duo devices from Western Digital:
My Book Live: WDBACG0030HCH, WDBACG0020HCH, WDBACG0010HCH
My Book Live Duo: WDBVHT0080JCH, WDBVHT0060JCH, WDBVHT0040JCH
Trade-In Offer
Registered customers can trade in any capacity of a Qualifying Product for one of the following products at 40% off the suggested retail price:
My Cloud Home 2TB (requires internet access)
My Cloud Home 4TB (requires internet access)
My Cloud Home 6TB (requires internet access)
My Cloud EX2 Ultra 2-bay NAS 4TB
My Cloud EX2 Ultra 2-bay NAS 8TB
Some products may not be available in every country. In such instances, Western Digital Support will identify an alternative for the customer.
Eligibility Requirements
The following requirements must be met in order to be eligible for this Trade-In Offer:
The Customer must have contacted Western Digital Support and be issued a case number for each Qualifying Product by September 30, 2021. The Customer must provide the serial number for each Qualifying Product.
Each Qualifying Product must be intact with all parts included. A single, non-transferable trade-in discount will be available per Qualifying Product that meets these Eligibility Requirements. This Offer cannot be combined, used in conjunction with, or used in addition to any other promotion or offer. This offer may not be available in all regions of the world. Western Digital reserves the right to change or discontinue this offer at any time without notice. Up to 2 Qualifying Products per customer are eligible for this Offer.
The trade-in discount must be used within 30 days of receiving the case number from Western Digital Support.
Customers should have the following information ready prior to contacting the Western Digital Support Team: