My Book Live Users Wake Up to Wiped Devices, Active RCE Attacks

“I am totally screwed,” one user wailed after finding years of data nuked. Western Digital advised yanking the NAS storage devices offline ASAP: There’s an exploit.

If you haven’t already, stop reading and go yank your My Book Live storage device offline, lest you join the ranks of those who woke up on Thursday to find that years of data had been wiped clean on devices around the world.

Western Digital’s My Book storage device is designed for consumers and businesses. It typically plugs into computers via USB. The specific model involved in the data-demolition incident is known as My Book Live: a model that uses an Ethernet cable to connect to a local network. Users can remotely access files and make configuration changes through Western Digital’s cloud infrastructure.

Western Digital is blaming the remote wipes – which have happened even if the network-attached storage (NAS) devices are behind a firewall or router – on the exploitation of a remote command-execution (RCE) vulnerability.

The compromise delivers the data slaughter in the form of a factory reset that “appears to erase all data on the device,” according to Western Digital’s advisory.

It was BleepingComputer’s Lawrence Abrams who first came across the issue being reported on the Western Digital community forum. One user using the handle “sunpeak” said that their folders all had an edit date of June 23 (Wednesday), around 3 p.m. PT/6 p.m. ET. Scores of other forum members confirmed receiving the factory-reset messages, and confirmed the timing.

Sunpeak went on to describe how they discovered that 2T of data – an almost full disk – went up in a puff of smoke, leaving the directories still there but echoing, all emptied out.

“Previously the 2T volume was almost full but now it shows full capacity,” sunpeak said, going on to describe how, upon trying to log in to the control user interface to diagnose the issue, they were only able to get to the landing page shown below, which prompted them to input their “owner password.”

The WD My Book landing page users saw after their devices were wiped. Source: WD Community forum.

When sunpeak attempted to input the default password “admin,” it didn’t work. Nor did the landing page offer the option of resetting or retrieving the password.

The user wrote that it is “very scary” that a threat actor could perform a factory reset on drives without permission granted by end users. Sunpeak offered up these entries from their drive’s user.log:

Jun 23 15:14:05 MyBookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 MyBookLive shutdown[24582]: shutting down for system reboot
Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 MyBookLive _: pkg: wd-nas
Jun 23 16:02:30 MyBookLive _: pkg: networking-general
Jun 23 16:02:30 MyBookLive _: pkg: apache-php-webdav
Jun 23 16:02:31 MyBookLive _: pkg: date-time
Jun 23 16:02:31 MyBookLive _: pkg: alerts
Jun 23 16:02:31 MyBookLive logger: hostname=MyBookLive
Jun 23 16:02:32 MyBookLive _: pkg: admin-rest-api

“I believe this is the culprit of why this happens,” sunpeak wrote. “No one was even home to use this drive at this time.”
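A defender's check for the same trace in a device's user.log, as an added example (not code from the article or from Western Digital): it flags each factoryRestore.sh run, whether a shutdown was logged, and when the data volume was mounted again. The sample input is a subset of the log lines quoted above; the year (2021) and the function names are assumptions, since syslog timestamps carry no year.

```python
import re
from datetime import datetime

# Subset of the user.log lines quoted in the article; syslog omits the year.
SAMPLE_LOG = """\
Jun 23 15:14:05 MyBookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 MyBookLive shutdown[24582]: shutting down for system reboot
Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 MyBookLive _: pkg: wd-nas
Jun 23 16:02:32 MyBookLive _: pkg: admin-rest-api
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

def parse(text, year):
    """Yield (datetime, program, message) for each well-formed syslog line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip truncated or non-syslog lines
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["prog"], m["msg"]

def find_factory_resets(text, year=2021):  # year is an assumption
    """Return one finding per factoryRestore.sh run, with the reboot that followed."""
    findings, pending = [], None
    for ts, prog, msg in parse(text, year):
        if prog == "factoryRestore.sh" and msg.startswith("begin script"):
            pending = {"reset_at": ts, "shutdown_logged": False, "back_up_at": None}
            findings.append(pending)
        elif pending and prog == "shutdown" and "reboot" in msg:
            pending["shutdown_logged"] = True
        elif pending and prog == "S15mountDataVolume.sh" and msg.endswith("start"):
            pending["back_up_at"] = ts
            pending = None  # the device has booted again; close this finding
    return findings

if __name__ == "__main__":
    for f in find_factory_resets(SAMPLE_LOG):
        gap = f["back_up_at"] - f["reset_at"] if f["back_up_at"] else None
        print(f"factory reset at {f['reset_at']}, shutdown logged: "
              f"{f['shutdown_logged']}, data volume remounted after: {gap}")
```

A finding whose timestamp falls when nobody was using the device, as sunpeak describes, is the signal worth escalating.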

Years of Data: Now Toast

Some of the wails of pain that arose from Western Digital users on the forum:

I’m not going to lie, I have been in tears over this pretty much all day. I started a new job 7 months ago and all my data/work was on here (yes, this was not backed up as I only do back ups every 6 months or so and it’s been busy :frowning: ). I can’t beleive [sic] this has happened, it doesn’t seem real, but I will absoutely [sic] pursue every avenue I can to get them to at least tell me what they’ve done so I can instruct professional data recovery services (and then I will do all i can to hold them to account as well. P***** off is an understatement). —Sammie101

All my data is gone too. Message in GUI says it was “Factory reset” today! 06/23. I am totally screwed without that data…years of it. —Marknj1

Dusty Devices, Old Firmware

Western Digital stopped supporting My Book Live in 2015. That was the date of the last firmware update for its My Book Live and My Book Live Duo devices, according to its advisory. The company gave the obligatory “customers’ data is very important” message and said that it’s “actively investigating the issue.” Western Digital promised to update its advisory when it has more information.

Western Digital sent a statement to news outlets, including Ars Technica, saying that the company has no indications that its cloud services or systems were breached:

The incident is under active investigation from Western Digital. We do not have any indications of a breach or compromise of Western Digital cloud services or systems.

We have determined that some My Book Live devices have been compromised by a threat actor. In some cases, this compromise has led to a factory reset that appears to erase all data on the device. The My Book Live device received its final firmware update in 2015.

At this time, we are recommending that customers disconnect their My Book Live devices from the Internet to protect their data on the device.

We…will provide updates to this thread when they are available.

Threatpost has reached out to Western Digital for an update on the investigation.

Blaming the Backupless Victims

Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation, told Threatpost on Friday that it’s not clear where the responsibility for this disaster falls: with Western Digital, or the users who didn’t have alternative backups?

“In this day and age, consumers have to be just as diligent as enterprise businesses when it comes to cyber security,” Bar-Dayan said in an email. “Enterprise security teams understand that vulnerabilities come in all shapes and sizes. In the case of the Western Digital My Book Live devices, threat actors took advantage of a daisy chained set of circumstances to wipe the data from exposed hard drives. Consumers should have known to keep the drive firmware patched, and to only connect the drives to the internet when necessary. But, where does the responsibility fall? On the consumer or on Western Digital? There isn’t a clear cut answer in this case.”

Alec Alvarado, Threat Intelligence Team Lead at digital risk protection provider Digital Shadows, told Threatpost on Friday that from an organizational perspective, issuing patches for publicly disclosed vulnerabilities and ensuring user awareness that a vulnerability exists are “all steps in the right direction.” But from a user’s perspective, “having backups of critical data in more than one secured place can be a fail-safe for similar situations.”

At any rate, this is certainly not the first time we’ve seen data nightmares swallow NAS devices. In late March, legacy QNAP NAS devices were found to be vulnerable to a zero-day attack that would allow an attacker to manipulate stored data and hijack the device.

And before that, in December 2020, high-severity cross-site scripting flaws were discovered that could allow remote-code injection, also on QNAP NAS systems.

Alvarado said that misconfiguration is typically the culprit for NAS data being inadvertently exposed. However, he added, exploitation of vulnerabilities in NAS drives is “still relatively common” and “appears to be actively targeted by various threat actors.”

He pointed to the QNAP NAS devices’ RCE vulnerabilities as being an example of how ransomware actors aren’t always focused on “big game.” That’s just “wishful thinking,” Alvarado said via email, given how the Qlocker ransomware group reportedly made $350,000 in a month’s worth of extortion by exploiting RCE vulnerabilities in QNAP devices. “If threat actors can find a use for a vulnerability, especially one with an existing publicly available POC, it is safe to assume they will exploit it,” he said.

Garret Grajek, CEO of YouAttest, a cloud identity attestation company, said that the My Book attack “illuminates a bigger problem,” – namely, in access review and certification of privileges and access on the part of both users and processes. “Many of these hacks are the [result] of configurations where privileges to resources were over-granted,” he told Threatpost on Friday. “We must do systematic and regular reviews of access to our key resources and install triggers to these permissions when [privileges] change.”

Ransomware or Lulz?

As yet, there haven’t been any ransom notes reported, suggesting that perhaps extortion wasn’t the end game in the Western Digital NAS attack. Maybe the threat actor just wanted to flex their muscle to see if the exploit would work, Alvarado suggested, “in a ‘some just want to see the world burn’ fashion.”

Time, and Western Digital’s investigation, will hopefully tell.

062521 12:20 UPDATE: Added input from Yaniv Bar-Dayan, Alec Alvarado and Garret Grajek.
