Owners of Western Digital (WD) claim that their My Book Live and My Book Live Duo network-attached storage (NAS) devices have been wiped.
Threat actors forced a factory reset on the devices resulting in the deletion of all files.
“When I couldn’t access any of the 4 Network drives I created, I went to Network and double clicked on the MyBookLive Icon, which took me to the GUI page. A message popped up in the upper right that said the drive was factory reset. I wasn’t near my computer when this happened as the time stamp was earlier in the day. All WD is going to ask if we created a “Safepoint” which we could then recover the data from the last saved point. There has to be some “User Intervention” on WD’s part for this to happen to more than one person today.” reported a user on the WD Community forum.
“It is very scary that someone can do factory restore the drive without any permission granted from the end user…” wrote another user on the forum.
“I have found this in user.log of this drive today:
Jun 23 15:14:05 MyBookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 MyBookLive shutdown: shutting down for system reboot
Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 MyBookLive _: pkg: wd-nas
Jun 23 16:02:30 MyBookLive _: pkg: networking-general
Jun 23 16:02:30 MyBookLive _: pkg: apache-php-webdav
Jun 23 16:02:31 MyBookLive _: pkg: date-time
Jun 23 16:02:31 MyBookLive _: pkg: alerts
Jun 23 16:02:31 MyBookLive logger: hostname=MyBookLive
Jun 23 16:02:32 MyBookLive _: pkg: admin-rest-api
I believe this is the culprit of why this happens…No one was even home to use this drive at this time… P.S. You can use support->create and save system report to get all the logs. Please check yours and see what happened.”
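As an added example, not code from the article or from the forum user, the following Python check scans a user.log in the syslog format quoted above and flags a factory reset by the factoryRestore.sh, shutdown and S15mountDataVolume.sh sequence rather than by a single string match. The sample log is constructed from the excerpt, and the line format is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the user.log excerpt quoted above; not a real capture.
SAMPLE_USER_LOG = """\
Jun 23 09:10:01 MyBookLive logger: hostname=MyBookLive
Jun 23 15:14:05 MyBookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 MyBookLive shutdown: shutting down for system reboot
Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 MyBookLive _: pkg: wd-nas
Jun 23 16:02:31 MyBookLive logger: hostname=MyBookLive
"""

# Assumed layout: "<Mon> <day> <HH:MM:SS> <host> <process>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$"
)


@dataclass
class ResetEvent:
    started: str                 # timestamp of the factoryRestore.sh entry
    rebooted: bool               # shutdown entry seen after the restore script
    remounted: Optional[str]     # timestamp the data volume was mounted again


def find_factory_resets(log_text: str) -> List[ResetEvent]:
    """Return one ResetEvent per factoryRestore.sh run found in the log."""
    events: List[ResetEvent] = []
    current: Optional[ResetEvent] = None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not follow the assumed layout
        proc, ts = m["proc"], m["ts"]
        if proc == "factoryRestore.sh":
            current = ResetEvent(started=ts, rebooted=False, remounted=None)
            events.append(current)
        elif current is not None and proc == "shutdown":
            current.rebooted = True
        elif current is not None and proc == "S15mountDataVolume.sh":
            current.remounted = ts   # volume back after the reset; sequence complete
            current = None
    return events
```

Run it against the system report export the user mentions (support, create and save system report) and compare the reported timestamps with when anyone was actually using the device.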
Some of the users were able to recover the wiped files using a tool named PhotoRec.
WD is investigating the mysterious wave of attacks and speculates that attackers have been exploiting a known vulnerability, tracked as CVE-2018-18472, to wipe the devices.
The flaw is an unauthenticated Remote Command Execution issue that was exploited to compromise devices exposed online, and in some cases the attackers also reset them to factory settings. The vendor pointed out that both My Book Live and My Book Live Duo devices received their last firmware update back in 2015 and are no longer supported.
“Western Digital WD My Book Live and WD My Book Live Duo (all versions) have a root Remote Command Execution bug via shell metacharacters in the /api/1.0/rest/language_configuration language parameter. It can be triggered by anyone who knows the IP address of the affected device, as exploited in the wild in June 2021 for factory reset commands,” reads the security advisory.
Western Digital recommends users disconnect their My Book Live and My Book Live Duo from the Internet.
(SecurityAffairs – hacking, Western Digital)