On June 24th 2021 Lawrence Abrahams of Bleeping Computer reported on a rather serious issue that effects consumers and businesses worldwide, pertaining to their personal data connected online via Western Digital MyBook Network Access Storage (NAS) Drives. Long of the short - users drives were being erased!
For individuals who used their WD as a primary source drive rather than a backup meant certain disaster as their data was now gone... if you've been a client of Bringing Your Tech to Life you've heard us say time and time again, "If your data is important keep it on two devices... and if it's really important two devices in two locations". This story, as with the many before it and the many that are sure to follow it, support this statement. Fast forward 12 days later (July 6th 2021) and Western Digital has responded via email to its users (yes you had to register your product) with a pretty solid solution that we at Bringing Your Tech to Life have to admit is the right steps to take from a customer service point of view.
What can we learn from this?
For starters backup your data! Preferably on a system that is offline (not the cloud) and off site.
Secondly stop using Hardware and/or Software that has reached End of Life (EOL). Yes I'm talking to those users still running Windows 7 (and older), iOS 11 (and older), Android 7.0 (and older) and macOS High Sierra 10.13 (and older)!
https://www.bleepingcomputer.com/news/security/wd-my-book-nas-devices-are-being-remotely-wiped-clean-worldwide/ Western Digital My Book Live NAS owners worldwide found that their devices have been mysteriously factory reset and all of their files deleted.
WD My Book Live is a network-attached storage device that looks like a small vertical book that you can stand on your desk. The WD My Book Live app allows owners to access their files and manage their devices remotely, even if the NAS is behind a firewall or router.
Today, WD My Book Live and WD My Book Live DUO owners worldwide suddenly found that all of their files were mysteriously deleted, and they could no longer log into the device via a browser or an app.
When they attempted to log in via the Web dashboard, the device stated that they had an "Invalid password."
"I have a WD My Book live connected to my home LAN and worked fine for years. I have just found that somehow all the data on it is gone today, while the directories seems there but empty. Previously the 2T volume was almost full but now it shows full capacity," a WD My Book owner reported on the Western Digital Community Forums.
"The even strange thing is when I try to log into the control UI for diagnosis I was-only able to get to this landing page with an input box for “owner password”. I have tried the default password “admin” and also what I could set for it with no luck."
My Book Live devices issued a factory reset command
After further owners confirmed that their devices suffered the same issue, owners reported that the MyBook logs showed that the devices received a remote command to perform a factory reset starting at around 3 PM yesterday and through the night.
"I have found this in user.log of this drive today: Jun 23 15:14:05 My BookLive factoryRestore.sh: begin script: Jun 23 15:14:05 My BookLive shutdown[24582]: shutting down for system reboot Jun 23 16:02:26 My BookLive S15mountDataVolume.sh: begin script: start Jun 23 16:02:29 My BookLive _: pkg: wd-nas Jun 23 16:02:30 My BookLive _: pkg: networking-general Jun 23 16:02:30 My BookLive _: pkg: apache-php-webdav Jun 23 16:02:31 My BookLive _: pkg: date-time Jun 23 16:02:31 My BookLive _: pkg: alerts Jun 23 16:02:31 My BookLive logger: hostname=My BookLive Jun 23 16:02:32 My BookLive _: pkg: admin-rest-api I believe this is the culprit of why this happens…No one was even home to use this drive at this time…"
Unlike QNAP devices, which are commonly connected to the Internet and exposed to attacks such as the QLocker Ransomware, the Western Digital My Book devices are stored behind a firewall and communicate through the My Book Live cloud servers to provide remote access.
Some users have expressed concerns that Western Digital's servers were hacked to allow a threat actor to push out a remote factory reset command to all devices connected to the service.
If a threat actor wiped devices, it is strange as no one has reported ransom notes or other threats, meaning the attack was simply meant to be destructive.
Some users affected by this attack have reported success recovering some of their files using the PhotoRec file recovery tool.
Unfortunately, other users have not had as much success.
If you own a WD My Book Live NAS device, Western Digital strongly recommends that you disconnect the device from the Internet.
"At this time, we recommend you disconnect your My Book Live and My Book Live Duo from the Internet to protect your data on the device," Western Digital said in an advisory.
Unpatched vulnerability believed to be behind attacks
In a statement shared with BleepingComputer, Western Digital has determined that My Book Live and My Book Live Duo devices connected directly to the Internet are are being targeted using a remote code execution vulnerability.
Western Digital has determined that some My Book Live and My Book Live Duo devices are being compromised through exploitation of a remote command execution vulnerability. In some cases, the attackers have triggered a factory reset that appears to erase all data on the device. We are reviewing log files which we have received from affected customers to further characterize the attack and the mechanism of access. The log files we have reviewed show that the attackers directly connected to the affected My Book Live devices from a variety of IP addresses in different countries. This indicates that the affected devices were directly accessible from the Internet, either through direct connection or through port forwarding that was enabled either manually or automatically via UPnP. Additionally, the log files show that on some devices, the attackers installed a trojan with a file named “.nttpd,1-ppc-be-t1-z”, which is a Linux ELF binary compiled for the PowerPC architecture used by the My Book Live and Live Duo. A sample of this trojan has been captured for further analysis and it has been uploaded to VirusTotal. Our investigation of this incident has not uncovered any evidence that Western Digital cloud services, firmware update servers, or customer credentials were compromised. As the My Book Live devices can be directly exposed to the internet through port forwarding, the attackers may be able to discover vulnerable devices through port scanning. We understand that our customers’ data is very important. We do not yet understand why the attacker triggered the factory reset; however, we have obtained a sample of an affected device and are investigating further. Additionally, some customers have reported that data recovery tools may be able to recover data from affected devices, and we are currently investigating the effectiveness of these tools.
The WD My Book Live devices received their final firmware update in 2015.
Since then, a remote code execution vulnerability tracked as CVE-2018-18472 was disclosed along with a public proof-of-concept exploit.
It is believed that a threat actor performed a mass scan of the Internet for vulnerable devices and used this vulnerability to issue the factory-reset command.
Update 6/24/21: Added statement from Wester Digital Update 6/25/21: Added information about vulnerability and recovery options. Update 6/26/21: Added full updated statement.
Hello My Book™ Live/My Book Live Duo Customer,
If you are a My Book Live or My Book Live Duo customer, we are offering the following limited time offer:
Trade-In Offer:
Western Digital is offering current registered My Book Live or My Book Live Duo customers a trade-in discount of 40% off a select new My Cloud™ Home personal cloud storage or My Cloud EX2 Ultra 2-bay network attached storage device. For more information regarding the trade-in offer for eligible devices, please visit My Book Live and My Book Live Duo: Trade-In Offer.
Offer Details Trade In
Western Digital is offering eligible customers a trade-in option to upgrade their qualifying MyBook Live or My Book Duo products to a select new My Cloud Home or My Cloud EX2 Ultra device.
Qualifying Products
The following models of My Book Live and My Book Live Duo devices from Western Digital:
My Book Live
WDBACG0030HCH
WDBACG0020HCH
WDBACG0010HCH
My Book Live Duo
WDBVHT0080JCH
WDBVHT0060JCH
WDBVHT0040JCH
Trade-In Offer Registered customers can trade in any capacity of a Qualifying Product for one of the following products at 40% off the suggested retail price:
My Cloud Home 2TB (requires internet access)
My Cloud Home 4TB (requires internet access)
My Cloud Home 6TB (requires internet access)
My Cloud EX2 Ultra 2-bay NAS 4TB
My Cloud EX2 Ultra 2-bay NAS 8TB
Some products may not be available in every country. In such instances, Western Digital Support will identify an alternative for the customer.
Eligibility Requirements The following requirements must be met in order to be eligible for this Trade-In Offer:
The Customer must have contacted Western Digital Support and be issued a case number for each Qualifying Product by September 30, 2021. The Customer must provide the serial number for each Qualifying Product.
Each Qualifying Product must be intact with all parts included. A single, non-transferrable trade-in discount will be available per Qualifying Product that meets these Eligibility Requirements. This Offer cannot be combined, used in conjunction with, or used in addition to any other promotion or offer. This offer may not be available in all regions of the world. Western Digital reserves the right to change or discontinue this offer at any time without notice. Up to 2 Qualifying Products per customer are eligible for this Offer.
The trade-in discount must be used within 30-days of receiving the case number from Western Digital Support.
Trade-In Procedures
Customers should have the following information ready prior to contacting the Western Digital Support Team:
Device Model and Model #
Device Serial Number
If a Qualifying Product meets the Eligibility Requirements, a case number will be assigned to the Customer for each eligible and Qualifying Product for tracking.
Along with a case number, the Customer will receive a single use discount code to purchase one of the stated products through the online Western Digital Store or Western Digital selected authorized re-seller, subject to expiration date and offer restrictions.
If the Customer is not participating in the Data Recovery Service Offer, then the Customer must return the original Qualifying Product to Western Digital within 30-days of opening a case with Western Digital Support.
Turnaround Time The duration required to receive the new product will follow standard delivery times provided by the online Western Digital Store or Western Digital selected authorized re-seller, shipping carriers, and customer selection of shipment method.
Additionally, if you are a My Book Live or My Book Live Duo customer that has lost data as result of the recent security incident, we are here to help you by offering the following service.
Data Recovery Service (“DRS”) Offer:
Western Digital will help to recover your data using the data recovery services provided by a Western Digital-selected vendor. Western Digital will cover all the costs of shipment of the qualifying product to the DRS vendor and for the DRS. Recovered data, if any, will then be sent to you on one or more My Passport™ portable hard drives. For a list of qualifying products and eligibility requirements, please visit My Book Live and My Book Live Duo: Data Recovery Offer.
Offer Details Data Recovery Service
Recently, some My Book Live and My Book Live Duo products experienced data loss due to a security incident. In relation to this security incident, Western Digital will help eligible customers with qualifying products recover their data using the data recovery services (DRS) provided by a Western Digital-selected vendor. Western Digital will cover costs of shipment of the qualifying product to the DRS vendor and for the DRS. Recovered data, if any, will be sent to the customer on a My Passport drive.
Qualifying Products
The following models of My Book Live and My Book Live Duo products from Western Digital:
My Book Live
WDBACG0030HCH
WDBACG0020HCH
WDBACG0010HCH
My Book Live Duo
WDBVHT0080JCH
WDBVHT0060JCH
WDBVHT0040JCH
Eligibility Requirements The following requirements must be met in order to be eligible for this DRS Offer:
The customer with a Qualifying Product must have contacted Western Digital Support and be issued a case number by no later than July 31, 2021.
The Qualifying Product must be determined to have suffered a data loss prior to July 1, 2021 due to the security incident described in the security bulletin (WDC-21008) issued June 24, 2021. Western Digital Support will work with the customer to make the determination.
Device Return Procedures
Customers should have the following information ready prior to contacting the Western Digital Support Team:
Device Model and Model #
Device Serial Number
If a Qualifying Product meets the Eligibility Requirements, a case number will be assigned to the customer for each eligible and Qualifying Product for tracking.
Along with a case number, the customer will receive step by step instructions to ship their product, at no shipping cost to the customer, to a designated Western Digital DRS vendor.
The DRS vendor will use commercially reasonable efforts to recover the data and return any recovered data on one or more encrypted My Passport drives. Western Digital and its DRS vendors make no warranty, express or implied, that data will be successfully recovered. Appropriate data handling release forms will be required to comply with regional data privacy practices.
The My Book Live, My Book Live Duo product itself, and any internal storage drives will not be returned. In the event the DRS vendor cannot recover any data, the customer will be informed. Additionally, the customer shall receive a trade-in option per the My Book Live and My Book Live Duo Trade-In Offer.
Turnaround Time The duration for the Data Recovery to receive, process, and ship a physical drive back to the customer, or send a communication that no data could be recovered may vary. Customers should expect an outcome typically within two to six weeks of sending in their drive to the DRS vendor.
At Western Digital, we strive to continually improve our products and customer experiences. To take advantage of either of these services, or if you have any questions, please contact our Western Digital Support Team. Sincerely, Western Digital