WD My Book NAS devices are being remotely wiped clean worldwide
Western Digital My Book Live NAS owners worldwide have found that their devices were mysteriously factory reset and all of their files deleted.
The WD My Book Live is a network-attached storage device that looks like a small upright book you can stand on your desk. The WD My Book Live app lets owners access their files and manage their devices remotely, even when the NAS sits behind a firewall or router.
Today, WD My Book Live owners worldwide suddenly found that all of their files had been deleted and that they could no longer log into the device through a web browser or the app.
When they tried to log in through the web dashboard, the device reported an “Invalid password.”
“I have a WD My Book Live connected to my home LAN and it worked fine for years. I have just found that somehow all the data on it is gone today, while the directories seem to be there but empty. Previously the 2T volume was almost full but now it shows full capacity,” a WD My Book Live owner reported on the Western Digital Community Forums.
“The even stranger thing is that when I try to log into the control UI for diagnosis I was only able to get to this landing page with an input box for “owner password”. I have tried the default password “admin” and also what I could have set for it, with no luck.”
My Book Live devices issued a factory reset command
After more owners confirmed that their devices had suffered the same problem, some reported that the My Book Live logs showed the devices received a remote command to perform a factory reset, starting at around 3 PM yesterday and continuing through the evening.
“I have found this in user.log of this drive today:
Jun 23 15:14:05 My BookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 My BookLive shutdown: shutting down for system reboot
Jun 23 16:02:26 My BookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 My BookLive _: pkg: wd-nas
Jun 23 16:02:30 My BookLive _: pkg: networking-general
Jun 23 16:02:30 My BookLive _: pkg: apache-php-webdav
Jun 23 16:02:31 My BookLive _: pkg: date-time
Jun 23 16:02:31 My BookLive _: pkg: alerts
Jun 23 16:02:31 My BookLive logger: hostname=My BookLive
Jun 23 16:02:32 My BookLive _: pkg: admin-rest-api
I believe this is the culprit of why this happened… No one was even home to use this drive at this time…”
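The user.log excerpt above is the only artifact most owners have, so it is worth being able to pull the reset timeline out of it mechanically. The following script is an added example, not code from the article or from Western Digital: it parses My Book Live syslog-style lines and reports each factoryRestore.sh run together with the shutdown that followed and the packages re-provisioned at the next boot. The sample lines are copied from the forum post quoted above; the hostname pattern and the assumed year (the log carries none) are assumptions for this example.

```python
import re
from datetime import datetime

# Lines as posted in the forum thread quoted above (My Book Live user.log).
SAMPLE_LOG = """\
Jun 23 15:14:05 My BookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 My BookLive shutdown: shutting down for system reboot
Jun 23 16:02:26 My BookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 My BookLive _: pkg: wd-nas
Jun 23 16:02:30 My BookLive _: pkg: networking-general
Jun 23 16:02:30 My BookLive _: pkg: apache-php-webdav
Jun 23 16:02:31 My BookLive _: pkg: date-time
Jun 23 16:02:31 My BookLive _: pkg: alerts
Jun 23 16:02:31 My BookLive logger: hostname=My BookLive
Jun 23 16:02:32 My BookLive _: pkg: admin-rest-api
"""

# The hostname on this device contains a space ("My BookLive"), so splitting on
# whitespace would mis-assign the process field. Match the hostname explicitly;
# HOSTNAME is an assumption taken from the lines above, adjust it for other units.
HOSTNAME = "My BookLive"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    + re.escape(HOSTNAME)
    + r" (?P<proc>[^:]+): (?P<msg>.*)$"
)


def parse_line(line, year=2021):
    """Parse one user.log line into {ts, proc, msg}; None if it does not match.

    The year is assumed (syslog lines carry none); 2021 matches the article date.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(
        f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
    )
    return {"ts": ts, "proc": m["proc"], "msg": m["msg"]}


def find_factory_resets(text, year=2021):
    """Return one record per factoryRestore.sh run found in the log text.

    Each record holds the reset start time, the shutdown that followed (if any)
    and the list of packages re-provisioned at the next boot, which is the
    signature that a reset actually completed rather than merely being invoked.
    """
    incidents = []
    current = None
    for raw in text.splitlines():
        ev = parse_line(raw, year)
        if ev is None:
            continue  # unparseable or foreign line; skip rather than guess
        if ev["proc"] == "factoryRestore.sh":
            current = {"reset_at": ev["ts"], "reboot_at": None, "packages": []}
            incidents.append(current)
        elif current is None:
            continue  # events before any reset are not part of an incident
        elif ev["proc"] == "shutdown" and current["reboot_at"] is None:
            current["reboot_at"] = ev["ts"]
        elif ev["proc"] == "_" and ev["msg"].startswith("pkg: "):
            current["packages"].append(ev["msg"][len("pkg: "):])
    return incidents


def summarize(text, year=2021):
    """Human-readable one-line-per-incident summary for triage."""
    lines = []
    for inc in find_factory_resets(text, year):
        lines.append(
            f"factory reset at {inc['reset_at']:%b %d %H:%M:%S}, "
            f"reboot at {inc['reboot_at']:%H:%M:%S}, "
            f"{len(inc['packages'])} packages re-provisioned"
        )
    return lines


if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG):
        print(line)
```

Run it against a copy of user.log pulled from the device (or from the data partition mounted on another machine) to confirm the reset time before attempting PhotoRec recovery; a log with no factoryRestore.sh entry means the data loss had some other cause and the script returns an empty list.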
Unlike QNAP devices, which are commonly connected directly to the Internet and exposed to attacks such as the Qlocker ransomware, Western Digital My Book Live devices are normally kept behind a firewall and connect out to the My Book Live cloud servers to provide remote access.
Some users have voiced concerns that Western Digital’s servers were hacked, allowing a threat actor to push a remote factory reset command to every device connected to the service.
If a threat actor did wipe the devices, it is unusual that nobody has reported ransom notes or other demands, which suggests the attack was purely destructive.
Some users affected by this attack have reported success recovering some of their files with the PhotoRec data recovery tool.
Unfortunately, other users have not had as much success.
If you have a WD My Book Live NAS device, Western Digital strongly recommends that you disconnect the device from the Internet.
“At this time, we recommend you disconnect your My Book Live and My Book Live Duo from the Internet to protect your data on the device,” Western Digital said in an advisory.
Unpatched vulnerability believed to be behind attacks
Western Digital told BleepingComputer that they are actively investigating the attacks but do not believe their servers were compromised.
“Western Digital has determined that some My Book Live devices are being compromised by malicious software. In some cases, this compromise has led to a factory reset that appears to erase all data on the device. The My Book Live device received its final firmware update in 2015. We understand that our customers’ data is very important. At this time, we recommend you disconnect your My Book Live from the Internet to protect your data on the device. We are actively investigating and we will provide updates to this thread when they are available.” – Western Digital
Western Digital further told BleepingComputer that they believe the devices were compromised through an unpatched vulnerability after being connected directly to the Internet.
The WD My Book Live devices received their last firmware update in 2015.
Since then, a remote code execution vulnerability tracked as CVE-2018-18472 has been disclosed, along with a public proof-of-concept exploit.
It is believed that a threat actor performed a mass scan of the Internet for vulnerable devices and used this vulnerability to issue the factory reset command.
Update 6/24/21: Added statement from Western Digital
Update 6/25/21: Added information about the vulnerability and recovery options.
Thanks to Jol for the tip.