Western Digital My Book Live NAS owners worldwide found that their devices have been mysteriously factory reset and all of their files deleted.
WD My Book Live is a network-attached storage device that looks like a small vertical book that you can stand on your desk. The WD My Book Live app allows owners to access their files and manage their devices remotely, even if the NAS is behind a firewall or router.
Today, WD My Book Live and WD My Book Live DUO owners worldwide suddenly found that all of their files were mysteriously deleted, and they could no longer log into the device via a browser or an app.
When they attempted to log in via the Web dashboard, the device stated that they had an "Invalid password."
"I have a WD My Book live connected to my home LAN and worked fine for years. I have just found that somehow all the data on it is gone today, while the directories seems there but empty. Previously the 2T volume was almost full but now it shows full capacity," a WD My Book owner reported on the Western Digital Community Forums.
"The even strange thing is when I try to log into the control UI for diagnosis I was-only able to get to this landing page with an input box for “owner password”. I have tried the default password “admin” and also what I could set for it with no luck."
My Book Live devices issued a factory reset command
After further owners confirmed that their devices suffered the same issue, owners reported that the MyBook logs showed that the devices received a remote command to perform a factory reset starting at around 3 PM yesterday and through the night.
"I have found this in user.log of this drive today:
Jun 23 15:14:05 My BookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 My BookLive shutdown[24582]: shutting down for system reboot
Jun 23 16:02:26 My BookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 My BookLive _: pkg: wd-nas
Jun 23 16:02:30 My BookLive _: pkg: networking-general
Jun 23 16:02:30 My BookLive _: pkg: apache-php-webdav
Jun 23 16:02:31 My BookLive _: pkg: date-time
Jun 23 16:02:31 My BookLive _: pkg: alerts
Jun 23 16:02:31 My BookLive logger: hostname=My BookLive
Jun 23 16:02:32 My BookLive _: pkg: admin-rest-api
I believe this is the culprit of why this happens…No one was even home to use this drive at this time…"
Unlike QNAP devices, which are commonly connected to the Internet and exposed to attacks such as the QLocker Ransomware, the Western Digital My Book devices are stored behind a firewall and communicate through the My Book Live cloud servers to provide remote access.
Some users have expressed concerns that Western Digital's servers were hacked to allow a threat actor to push out a remote factory reset command to all devices connected to the service.
If a threat actor wiped devices, it is strange as no one has reported ransom notes or other threats, meaning the attack was simply meant to be destructive.
Some users affected by this attack have reported success recovering some of their files using the PhotoRec file recovery tool.
Unfortunately, other users have not had as much success.
If you own a WD My Book Live NAS device, Western Digital strongly recommends that you disconnect the device from the Internet.
"At this time, we recommend you disconnect your My Book Live and My Book Live Duo from the Internet to protect your data on the device," Western Digital said in an advisory.
Unpatched vulnerability believed to be behind attacks
In a statement shared with BleepingComputer, Western Digital has determined that My Book Live and My Book Live Duo devices connected directly to the Internet are are being targeted using a remote code execution vulnerability.
Western Digital has determined that some My Book Live and My Book Live Duo devices are being compromised through exploitation of a remote command execution vulnerability. In some cases, the attackers have triggered a factory reset that appears to erase all data on the device.
We are reviewing log files which we have received from affected customers to further characterize the attack and the mechanism of access. The log files we have reviewed show that the attackers directly connected to the affected My Book Live devices from a variety of IP addresses in different countries. This indicates that the affected devices were directly accessible from the Internet, either through direct connection or through port forwarding that was enabled either manually or automatically via UPnP.
Additionally, the log files show that on some devices, the attackers installed a trojan with a file named “.nttpd,1-ppc-be-t1-z”, which is a Linux ELF binary compiled for the PowerPC architecture used by the My Book Live and Live Duo. A sample of this trojan has been captured for further analysis and it has been uploaded to VirusTotal.
Our investigation of this incident has not uncovered any evidence that Western Digital cloud services, firmware update servers, or customer credentials were compromised. As the My Book Live devices can be directly exposed to the internet through port forwarding, the attackers may be able to discover vulnerable devices through port scanning.
We understand that our customers’ data is very important. We do not yet understand why the attacker triggered the factory reset; however, we have obtained a sample of an affected device and are investigating further. Additionally, some customers have reported that data recovery tools may be able to recover data from affected devices, and we are currently investigating the effectiveness of these tools.
The WD My Book Live devices received their final firmware update in 2015.
Since then, a remote code execution vulnerability tracked as CVE-2018-18472 was disclosed along with a public proof-of-concept exploit.
It is believed that a threat actor performed a mass scan of the Internet for vulnerable devices and used this vulnerability to issue the factory-reset command.
Update 6/24/21: Added statement from Wester Digital
Update 6/25/21: Added information about vulnerability and recovery options.
Update 6/26/21: Added full updated statement.
Thx to Tim from desert datarecovery for the tip.
Comments
joshwenke - 2 years ago
I have one of these devices, connected to the internet and MyCloud, and was able to log in successfully. No files were deleted. Perhaps because I use a random strong unique password?
aei31 - 2 years ago
Nobody needs your password for this, lol! What do you think people are talking about here?
Your device simply hasn't been seen yet by the scanners.
Amigo-A - 2 years ago
In addition, there was a ransomware attack on the same NAS WD devices.
FORUM: https://www.bleepingcomputer.com/forums/t/753400/0xxx-ransomware-0xxx-support-topic/
My Tweet: https://twitter.com/Amigo_A_/status/1407263047845023744
Description: https://id-ransomware.blogspot.com/2021/06/0xxx-ransomware.html
Amigo-A - 2 years ago
When you reset the settings, the files disappear, but they are not deleted. A good data recovery software and software and hardware complex can recover both old partitions and files in them.
Only here there are two nuances.
1) If the partitions are restored correctly, the files can also be back without running the recovery of each file.
2) If you do not restore partitions, but to start file recovery, but 'where' then to save the data? The victim will need another very large and clean storage to restore data to it.
kamp9 - 2 years ago
My WD My Book Live was also wiped clean and I lost all of my personal data including photos since last 40 years on the drive.
Some-Other-Guy - 2 years ago
Regardless of whether this was a WD screw-up, or caused by malicious actors, YOU are the one who is responsible for losing all of your data!
kamp9 - 2 years ago
thank you wise guy. I know I am at fault for losing my data. Only purpose to post my comment was if some reasonable person would suggest a solution to retrieve the data.
Mr.Tom - 2 years ago
kamp9; I've had some success in the past the Active File Recovery or Active Partition Recovery. Both can scan the drive and find remnants of a partition, but File Recovery is good for scanning the whole drive using templates to piece together files. Photos are the easiest things to recovery and piece back together.
https://www.lsoft.net/partition-recovery/
You'll require another drive to copy the data to. As far as how to do all of this, you'll have to read up on instructions. But their partition recovery tool is kinda neat.
Some-Other-Guy - 2 years ago
<p>Western Digital is offering data recovery services beginning in July, and a trade-in program to switch the obsolete My Book Live drives for more modern My Cloud devices. If you own one of the affected devices, do not connect it to the Internet and contact Western Digital for support.</p>
Tom_O - 2 years ago
Kamp9 and others: This vulnerability was disclosed many years ago. You may as well consider any internet connected technology that is no longer supported as vulnerable. For the WD Cloud series of NAS drives, there is really no reason to have it connected to the internet, only your local home network. Almost everyone today has duplicate cloud storage available on either Google or Microsoft's OneDrive. The amounts allotted for free are generally enough for everyone's personal file backups. Keep in mind that these cloud services should be used as a redundant storage, your home NAS drive should also be redundant. It also doesn't hurt to have a tertiary external drive that you update periodically and store in a fire-proof safe or cabinet.
Regarding the WD Cloud NAS drives of the older vintage, they typically run and follow a UNIX operating system. So, when choosing a hard drive repair tool, be sure it supports UNIX. The other option would be to connect the drive to a non-Windows PC, preferably a Linux PC, which utilizes the UNIX OS. Then utilize a tool made for Linux.
From what I've seen online, the USB interface is not necessarily the best alternative to attaching the drive to a PC. Some other users have elected to disassemble the unit and connect the drives via their SATA connector. However, finding disassembly instructions are not easy. Here is one link to a YouTube video, but may not be for your exact version: https://www.youtube.com/watch?v=TGLJi66vxnY
To find an appropriate tool for recovering the partitions, try Googling "unix partition recovery", or similar. Remember, Linux PC's use a command line structure, similar to the old DOS of Windows. So, it may take some time to become familiar with and not make a mistake with the commands necessary to recover your data. Go slow. Good luck.
kamp9 - 2 years ago
To Tom & Tom_O - thank you very much guys for your helpful comments & suggestions. I will keep you guys posted about the outcome of my efforts to retrieve the data.
Thank you.
SpookFox - 2 years ago
My 2 T RAID 1 WD Live Duo also got wiped, but I seem to be one of the lucky ones, I had a WD My Passport plugged into the USB running weekly Save Points, fortunately the reset does not affect connected USB devices and I am fortunate to have a 6 day old pristine Save Point with the contents of each share intact. Just bought a 4T My Cloud to restore it on. A 4T My Pasport is also on order
StefanR - 2 years ago
Same problem with my WD My Book Live. I lost all the data. The name of the Server is the same but all the data is lost. I made a full backup last week. I restored the data and I desactivated de 'Remote Access'. I hope the wipe can not happens again. Hopefully WD will bring a new firmware update to protect the NAS.