Western Digital My Book Live NAS owners around the world found that their devices have been mysteriously factory reset and all of their data deleted.
WD My Book Live is a network-attached storage device that looks like a small vertical book that you can stand on your desk. The WD My Book Live app allows owners to access their files and manage their devices remotely, even if the NAS is behind a firewall or router.
Today, WD My Book Live and WD My Book Live DUO owners worldwide suddenly discovered that all of their files had been mysteriously deleted, and they could no longer log into the device via a browser or an app.
When they tried to log in through the Web dashboard, the device told them that they had an “Invalid password.”
“I have a WD My Book Live connected to my home LAN and worked fine for years. I have just found that somehow all the data on it is gone today, while the directories seem there but empty. Previously the 2T volume was almost full but now it shows full capacity,” a WD My Book owner reported on the Western Digital Community Forums.
“The even strange thing is when I try to log into the control UI for diagnosis I was only able to get to this landing page with an input box for “owner password”. I have tried the default password “admin” and also what I could set for it with no luck.”
My Book Live devices issued a factory reset command
After more owners confirmed that their devices had the same problem, owners reported that the MyBook logs showed that the devices received a remote command to perform a factory reset starting at around 3 PM yesterday and continuing through the evening.
“I have found this in user.log of this drive today:
Jun 23 15:14:05 MyBookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 MyBookLive shutdown: shutting down for system reboot
Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 MyBookLive _: pkg: wd-nas
Jun 23 16:02:30 MyBookLive _: pkg: networking-common
Jun 23 16:02:30 MyBookLive _: pkg: apache-php-webdav
Jun 23 16:02:31 MyBookLive _: pkg: date-time
Jun 23 16:02:31 MyBookLive _: pkg: alerts
Jun 23 16:02:31 MyBookLive logger: hostname=MyBookLive
Jun 23 16:02:32 MyBookLive _: pkg: admin-rest-api
I believe that this is the culprit of why this happens… No one was even home to use this drive at this time…”
Unlike QNAP devices, which are usually connected directly to the Internet and exposed to attacks such as the QLocker ransomware, Western Digital My Book devices are kept behind a firewall and communicate through the My Book Live cloud servers to provide remote access.
Some users have expressed concerns that Western Digital’s servers were hacked to let a threat actor push a remote factory reset command to every device connected to the service.
If a threat actor wiped the devices, it is strange that no one has reported ransom notes or other threats, which means the attack was purely destructive.
Some users affected by this attack have reported success recovering some of their files using the PhotoRec file recovery software.
Unfortunately, other users have not had as much success.
If you own a WD My Book Live NAS device, Western Digital strongly recommends that you disconnect the device from the Internet.
“At this time, we recommend you disconnect your My Book Live and My Book Live Duo from the Internet to protect your data on the device,” Western Digital said in an advisory.
Unpatched vulnerability believed to be behind attacks
In a statement shared with BleepingComputer, Western Digital has determined that My Book Live and My Book Live Duo devices connected directly to the Internet are being targeted using a remote code execution vulnerability.
Western Digital has determined that some My Book Live and My Book Live Duo devices are being compromised through exploitation of a remote command execution vulnerability. In some cases, the attackers have triggered a factory reset that appears to erase all data on the device.
We are reviewing log files which we have received from affected customers to further characterize the attack and the mechanism of access. The log files we have reviewed show that the attackers directly connected to the affected My Book Live devices from a variety of IP addresses in different countries. This indicates that the affected devices were directly accessible from the Internet, either through direct connection or through port forwarding that was enabled either manually or automatically via UPnP.
Additionally, the log files show that on some devices, the attackers installed a trojan with a file named “.nttpd,1-ppc-be-t1-z”, which is a Linux ELF binary compiled for the PowerPC architecture used by the My Book Live and Live Duo. A sample of this trojan has been captured for further analysis and it has been uploaded to VirusTotal.
Our investigation of this incident has not uncovered any evidence that Western Digital cloud services, firmware update servers, or customer credentials were compromised. As the My Book Live devices can be directly exposed to the internet through port forwarding, the attackers may be able to discover vulnerable devices through port scanning.
We understand that our customers’ data is very important. We do not yet understand why the attacker triggered the factory reset; however, we have obtained a sample of an affected device and are investigating further. Additionally, some customers have reported that data recovery tools may be able to recover data from affected devices, and we are currently investigating the effectiveness of these tools.
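For owners and responders checking their own devices, the two artifacts this article describes are the factory-reset sequence in user.log (quoted by the forum poster above) and the trojan file name given in Western Digital’s statement. The following is an added example, not code from the article, from Western Digital, or from the forum poster: it parses syslog-style lines, extracts the reset/reboot timeline, and checks a list of file paths against the published file name. The sample log below is the owner’s excerpt as quoted on this page; the syslog line format, the assumption that there is no year in the timestamp, and the helper names are my own.

```python
import re
from dataclasses import dataclass

# Constructed input: the user.log excerpt the owner quoted above (no year in the
# timestamps, which is normal for syslog).
SAMPLE_LOG = """\
Jun 23 15:14:05 MyBookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 MyBookLive shutdown: shutting down for system reboot
Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 MyBookLive _: pkg: wd-nas
Jun 23 16:02:30 MyBookLive _: pkg: networking-common
Jun 23 16:02:30 MyBookLive _: pkg: apache-php-webdav
Jun 23 16:02:31 MyBookLive _: pkg: date-time
Jun 23 16:02:31 MyBookLive _: pkg: alerts
Jun 23 16:02:31 MyBookLive logger: hostname=MyBookLive
Jun 23 16:02:32 MyBookLive _: pkg: admin-rest-api
"""

# Assumed line layout: "<Mon DD HH:MM:SS> <host> <process>: <message>".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<proc>[^:]+): ?(?P<msg>.*)$"
)

# Processes whose appearance in user.log marks one reset/reboot cycle.
RESET_INDICATORS = {
    "factoryRestore.sh": "factory reset script executed",
    "shutdown": "system reboot",
    "S15mountDataVolume.sh": "data volume remounted after reboot",
}

# File name of the PowerPC ELF trojan named in Western Digital's statement.
TROJAN_FILENAME = ".nttpd,1-ppc-be-t1-z"


@dataclass(frozen=True)
class LogEvent:
    ts: str
    host: str
    proc: str
    msg: str


def parse_syslog(text):
    """Return one LogEvent per well-formed line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            events.append(LogEvent(**m.groupdict()))
    return events


def find_reset_events(text):
    """Return (timestamp, process, explanation) for every reset-related entry."""
    return [
        (e.ts, e.proc, RESET_INDICATORS[e.proc])
        for e in parse_syslog(text)
        if e.proc in RESET_INDICATORS
    ]


def first_factory_reset(text):
    """Timestamp of the first factoryRestore.sh run, or None if none was logged."""
    for e in parse_syslog(text):
        if e.proc == "factoryRestore.sh":
            return e.ts
    return None


def ioc_hits(paths):
    """Return the paths whose basename matches the published trojan file name."""
    return [p for p in paths if p.rsplit("/", 1)[-1] == TROJAN_FILENAME]


if __name__ == "__main__":
    for ts, proc, why in find_reset_events(SAMPLE_LOG):
        print(f"{ts}  {proc:<24} {why}")
    print("first factory reset:", first_factory_reset(SAMPLE_LOG))
    # Constructed file listing to show the IoC check; only the first entry matches.
    print("IoC hits:", ioc_hits(["/tmp/.nttpd,1-ppc-be-t1-z", "/bin/ls", "/tmp/nttpd"]))
```

The reset timeline alone does not prove remote exploitation (an owner could have reset the device locally), but a factoryRestore.sh entry with nobody at home, as the poster describes, is the record to preserve and hand to a recovery tool vendor before anything else is written to the disk.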
The WD My Book Live devices received their final firmware update in 2015.
Since then, a remote code execution vulnerability tracked as CVE-2018-18472 was disclosed along with a public proof-of-concept exploit.
It is believed that a threat actor performed a mass scan of the Internet for vulnerable devices and used this vulnerability to issue the factory-reset command.
Update 6/24/21: Added statement from Western Digital.
Update 6/25/21: Added information about the vulnerability and recovery options.
Update 6/26/21: Added full updated statement.
Thanks to Tim from desert datarecovery for the tip.