Western Digital My Book Live NAS owners worldwide have found that their devices were mysteriously factory reset and all of their files deleted.
WD My Book Live is a network-attached storage device that looks like a small vertical book you can stand on your desk. The WD My Book Live app allows owners to access their files and manage their devices remotely, even when the NAS sits behind a firewall or router.
Today, WD My Book Live and WD My Book Live Duo owners worldwide suddenly found that all of their files had been mysteriously deleted, and they could no longer log into the device via a browser or the app.
When they attempted to log in via the web dashboard, the device told them they had an "Invalid password."
"I have a WD My Book Live connected to my home LAN and it worked fine for years. I have just found that somehow all the data on it is gone today, while the directories seem to be there but empty. Previously the 2T volume was almost full but now it shows full capacity," a WD My Book owner reported on the Western Digital Community Forums.
"The even stranger thing is when I try to log into the control UI for diagnosis I was only able to get to this landing page with an input box for "owner password". I have tried the default password "admin" and also what I could have set for it with no luck."
My Book Live devices issued a factory reset command
After further owners confirmed that their devices had suffered the same issue, owners reported that the My Book logs showed the devices receiving a remote command to perform a factory reset, starting at around 3 PM yesterday and continuing through the evening.
"I have found this in user.log of this drive today:
Jun 23 15:14:05 My BookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 My BookLive shutdown: shutting down for system reboot
Jun 23 16:02:26 My BookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 My BookLive _: pkg: wd-nas
Jun 23 16:02:30 My BookLive _: pkg: networking-general
Jun 23 16:02:30 My BookLive _: pkg: apache-php-webdav
Jun 23 16:02:31 My BookLive _: pkg: date-time
Jun 23 16:02:31 My BookLive _: pkg: alerts
Jun 23 16:02:31 My BookLive logger: hostname=My BookLive
Jun 23 16:02:32 My BookLive _: pkg: admin-rest-api
I believe this is the culprit of why this happens… No one was even home to use this drive at this time…"
Unlike QNAP devices, which are commonly connected directly to the Internet and exposed to attacks such as the QLocker ransomware, the Western Digital My Book devices are kept behind a firewall and communicate through the My Book Live cloud servers to provide remote access.
Some users have expressed concerns that Western Digital's servers were hacked, allowing a threat actor to push a remote factory reset command to every device connected to the service.
If a threat actor did wipe the devices, it is strange that no one has reported ransom notes or other threats, which would mean the attack was purely destructive.
Some users impacted by this attack have reported success recovering some of their files using the PhotoRec file recovery tool.
Unfortunately, others have not had as much success.
If you own a WD My Book Live NAS device, Western Digital strongly recommends that you disconnect the device from the Internet.
"At this time, we recommend you disconnect your My Book Live and My Book Live Duo from the Internet to protect your data on the device," Western Digital said in an advisory.
Unpatched vulnerability believed to be behind attacks
In a statement shared with BleepingComputer, Western Digital says it has determined that My Book Live and My Book Live Duo devices connected directly to the Internet are being targeted using a remote code execution vulnerability.
Western Digital has determined that some My Book Live and My Book Live Duo devices are being compromised through exploitation of a remote command execution vulnerability. In some cases, the attackers have triggered a factory reset that appears to erase all data on the device.
We are reviewing log files which we have received from affected customers to further characterize the attack and the mechanism of access. The log files we have reviewed show that the attackers directly connected to the affected My Book Live devices from a variety of IP addresses in different countries. This indicates that the affected devices were directly accessible from the Internet, either through direct connection or through port forwarding that was enabled either manually or automatically via UPnP.
Additionally, the log files show that on some devices, the attackers installed a trojan with a file named ".nttpd,1-ppc-be-t1-z", which is a Linux ELF binary compiled for the PowerPC architecture used by the My Book Live and Live Duo. A sample of this trojan has been captured for further analysis and it has been uploaded to VirusTotal.
Our investigation of this incident has not uncovered any evidence that Western Digital cloud services, firmware update servers, or customer credentials were compromised. As the My Book Live devices can be directly exposed to the internet through port forwarding, the attackers may be able to discover vulnerable devices through port scanning.
We understand that our customers' data is very important. We do not yet understand why the attacker triggered the factory reset; however, we have obtained a sample of an affected device and are investigating further. Additionally, some customers have reported that data recovery tools may be able to recover data from affected devices, and we are currently investigating the effectiveness of these tools.
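The two indicators the article gives an owner to look for are the factoryRestore.sh entry in user.log (quoted above) and the trojan file name from Western Digital's statement. The following script is an added example, not code from the article or from Western Digital: it parses syslog-style lines like the quoted ones, flags any start of the factory-restore script, and checks a file listing for the reported file name. The log text and the file paths are constructed samples (the hostname is written without the space so it parses as a single token), and the line format is assumed to match the excerpt quoted in the article.

```python
import os
import re
from dataclasses import dataclass

# Constructed sample log, modelled on the user.log excerpt quoted in the
# article; the first line is an ordinary entry added to show that benign
# lines are ignored.
SAMPLE_LOG = """\
Jun 23 14:58:01 MyBookLive logger: hostname=MyBookLive
Jun 23 15:14:05 MyBookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 MyBookLive shutdown: shutting down for system reboot
Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:32 MyBookLive _: pkg: admin-rest-api
"""

# Constructed file listing; only the trojan file name comes from WD's statement.
SAMPLE_PATHS = [
    "/shares/Public/holiday.jpg",
    "/tmp/.nttpd,1-ppc-be-t1-z",
    "/var/log/user.log",
]

RESET_SCRIPT = "factoryRestore.sh"        # script name seen in the quoted log
TROJAN_FILENAME = ".nttpd,1-ppc-be-t1-z"  # file name from WD's statement

# Assumed syslog-style layout: "<Mon DD HH:MM:SS> <host> <tag>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:]+):\s?(?P<msg>.*)$"
)


@dataclass
class Finding:
    timestamp: str
    host: str
    indicator: str
    detail: str


def parse_line(line):
    """Split one log line into its fields, or return None if it does not parse."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def find_factory_resets(log_text):
    """Flag every line on which the factory-restore script started."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["tag"] == RESET_SCRIPT:
            findings.append(Finding(rec["ts"], rec["host"], "factory_reset", line))
    return findings


def find_trojan_files(paths):
    """Return every path whose file name matches the reported trojan name."""
    return [p for p in paths if os.path.basename(p) == TROJAN_FILENAME]


if __name__ == "__main__":
    for f in find_factory_resets(SAMPLE_LOG):
        print(f"[{f.indicator}] {f.timestamp} {f.host}: {f.detail}")
    for p in find_trojan_files(SAMPLE_PATHS):
        print(f"[trojan_file] {p}")
```

On a real device the same two functions would be run over the contents of user.log and a recursive listing of the file system; a factory_reset finding with no matching owner action is the signal the forum poster describes, and a trojan_file hit corroborates the intrusion Western Digital reports.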
The WD My Book Live devices received their last firmware update in 2015.
Since then, a remote code execution vulnerability tracked as CVE-2018-18472 was disclosed along with a public proof-of-concept exploit.
It is believed that a threat actor performed a mass scan of the Internet for vulnerable devices and used this vulnerability to issue the factory-reset command.
Update 6/24/21: Added statement from Western Digital.
Update 6/25/21: Added info about the vulnerability and recovery options.
Update 6/26/21: Added full updated statement.
Thanks to Tim from Desert Data Recovery for the tip.