
Hackers exploit 3-year-old flaw to wipe Western Digital devices

June 25, 2021 - SecurityAffairs

Threat actors are wiping many Western Digital (WD) My Book Live and My Book Live Duo NAS devices, likely by exploiting an old vulnerability.

Owners of Western Digital (WD) My Book Live and My Book Live Duo network-attached storage (NAS) devices report that their devices have been wiped.

The threat actors forced a factory reset on the devices, which deleted all stored files.

“When I couldn’t access any of the 4 Network drives I created, I went to Network and double clicked on the MyBookLive Icon, which took me to the GUI page. A message popped up in the upper right that said the drive was factory reset. I wasn’t near my computer when this happened as the time stamp was earlier in the day. All WD is going to ask if we created a “Safepoint” which we could then recover the data from the last saved point. There has to be some “User Intervention” on WD’s part for this to happen to more than one person today.” reported a user on the WD Community forum.

“It is very scary that someone can do factory restore the drive without any permission granted from the end user…” wrote another user on the forum. “I have found this in user.log of this drive today:

Jun 23 15:14:05 MyBookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 MyBookLive shutdown[24582]: shutting down for system reboot
Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 MyBookLive _: pkg: wd-nas
Jun 23 16:02:30 MyBookLive _: pkg: networking-general
Jun 23 16:02:30 MyBookLive _: pkg: apache-php-webdav
Jun 23 16:02:31 MyBookLive _: pkg: date-time
Jun 23 16:02:31 MyBookLive _: pkg: alerts
Jun 23 16:02:31 MyBookLive logger: hostname=MyBookLive
Jun 23 16:02:32 MyBookLive _: pkg: admin-rest-api

I believe this is the culprit of why this happens… No one was even home to use this drive at this time… P.S. You can use support->create and save system report to get all the logs. Please check yours and see what happened.”
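The user.log excerpt quoted above is the kind of evidence an owner can pull from the system report. The following is an added example (not code from the article, the forum user, or Western Digital) that parses syslog-style lines of that shape and ties each factoryRestore.sh run to the reboot and the package re-provisioning that follow it, so the timeline of a wipe can be read off directly. It assumes the classic BSD syslog layout seen in the quote and a year of 2021, since syslog omits the year; the sample log is constructed from the quoted events.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: the same events as the user.log excerpt quoted above,
# laid out one entry per line as syslog writes them.
SAMPLE_USER_LOG = """\
Jun 23 15:14:05 MyBookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 MyBookLive shutdown[24582]: shutting down for system reboot
Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 MyBookLive _: pkg: wd-nas
Jun 23 16:02:30 MyBookLive _: pkg: networking-general
Jun 23 16:02:30 MyBookLive _: pkg: apache-php-webdav
Jun 23 16:02:31 MyBookLive _: pkg: date-time
Jun 23 16:02:31 MyBookLive _: pkg: alerts
Jun 23 16:02:31 MyBookLive logger: hostname=MyBookLive
Jun 23 16:02:32 MyBookLive _: pkg: admin-rest-api
"""

# Classic BSD syslog layout: "Mon DD HH:MM:SS host tag[pid]: message".
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): ?(?P<msg>.*)$"
)


@dataclass
class Entry:
    ts: datetime
    host: str
    program: str  # syslog tag with any "[pid]" suffix stripped
    msg: str


def parse_user_log(text: str, year: int = 2021) -> list[Entry]:
    """Parse syslog-style lines; lines that do not fit the layout are skipped.
    The year is an assumption (syslog omits it); 2021 matches the incident."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
        )
        entries.append(Entry(ts, m["host"], m["tag"].split("[")[0], m["msg"]))
    return entries


def find_factory_resets(entries: list[Entry]) -> list[dict]:
    """One finding per factoryRestore.sh run: when it started, when the box
    rebooted, and which packages were re-provisioned afterwards."""
    findings = []
    for i, e in enumerate(entries):
        if e.program != "factoryRestore.sh" or not e.msg.startswith("begin script"):
            continue
        later = entries[i + 1:]
        reboot = next((x for x in later if x.program == "shutdown"), None)
        packages = [x.msg[len("pkg: "):] for x in later if x.msg.startswith("pkg: ")]
        findings.append({
            "host": e.host,
            "reset_at": e.ts.isoformat(),
            "reboot_at": reboot.ts.isoformat() if reboot else None,
            "reprovisioned_packages": packages,
        })
    return findings


def triage(text: str, year: int = 2021) -> list[dict]:
    """Convenience wrapper: raw user.log text in, reset findings out."""
    return find_factory_resets(parse_user_log(text, year))


if __name__ == "__main__":
    for f in triage(SAMPLE_USER_LOG):
        print(f"{f['host']}: factory reset began {f['reset_at']}, reboot {f['reboot_at']}, "
              f"{len(f['reprovisioned_packages'])} packages re-provisioned afterwards")
```

Run against a real system report, the reset timestamp is what to compare with the owner's own activity: a factoryRestore.sh entry at a time when nobody was using the device is the indicator the forum user describes.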

Some of the users were able to recover the wiped files using a tool named PhotoRec.

WD is investigating the wave of attacks and speculates that the attackers have been exploiting a known vulnerability, tracked as CVE-2018-18472, to wipe the devices.

The flaw is an unauthenticated remote command execution issue. It was exploited to compromise devices exposed online, and in some cases the attackers also reset them to factory settings. The vendor pointed out that both My Book Live and My Book Live Duo received their last firmware update in 2015 and are no longer supported.

“Western Digital WD My Book Live and WD My Book Live Duo (all versions) have a root Remote Command Execution bug via shell metacharacters in the /api/1.0/rest/language_configuration language parameter. It can be triggered by anyone who knows the IP address of the affected device, as exploited in the wild in June 2021 for factory reset commands,” reads the security advisory.

Western Digital recommends users disconnect their My Book Live and My Book Live Duo from the Internet.
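The advisory describes the root cause as shell metacharacters reaching a command through the language parameter of an unauthenticated endpoint. The following is an added example (not Western Digital's firmware code, which runs on PHP and is not on the page) showing in Python how such a handler is hardened: authenticate first, validate the parameter against an allow-list of language tags, and pass the value as an argv element rather than splicing it into a shell string. The helper path and the allow-list are constructed for the example; the handler returns the status and the argv it would run instead of executing anything, so it runs offline.

```python
import re
import shlex

# Constructed allow-list: the device's real set of UI languages is not on the page.
ALLOWED_LANGUAGES = {"en", "de", "fr", "es", "it", "ja", "zh-cn"}
# Syntactic shape of a language tag, e.g. "en" or "zh-cn".
LANG_TAG_RE = re.compile(r"[a-z]{2}(?:-[a-z]{2})?")
# Characters a POSIX shell interprets; useful for detection in request logs.
SHELL_META = set(";|&$`<>()\\\"'\n\t ")
SET_LANGUAGE_HELPER = "/usr/local/sbin/set_language"  # hypothetical path


def contains_shell_metacharacters(value: str) -> bool:
    """Detection helper: True if the value carries anything a shell would act on."""
    return any(ch in SHELL_META for ch in value)


def validate_language(value: str) -> str:
    """Allow-list validation: the value must look like a language tag AND be one
    the device actually offers. Anything else is rejected before use."""
    if not LANG_TAG_RE.fullmatch(value):
        raise ValueError("language parameter is not a language tag")
    if value not in ALLOWED_LANGUAGES:
        raise ValueError("language not offered by this device")
    return value


def weak_command_string(value: str) -> str:
    """The weak pattern, shown for contrast and never executed here: the raw
    parameter is spliced into one string that a shell would then parse."""
    return f"{SET_LANGUAGE_HELPER} {value}"


def safe_argv(value: str) -> list:
    """Hardened form: validated value as a separate argv element, so even if
    validation were loosened no shell ever parses the parameter."""
    return [SET_LANGUAGE_HELPER, validate_language(value)]


def handle_language_configuration(params: dict, authenticated: bool) -> tuple:
    """Hardened handler for a language_configuration-style endpoint.
    Returns (HTTP status, detail); the detail for 200 is the argv that would be run."""
    if not authenticated:
        return 401, "authentication required"
    value = params.get("language", "")
    try:
        argv = safe_argv(value)
    except ValueError as exc:
        return 400, str(exc)
    return 200, shlex.join(argv)


if __name__ == "__main__":
    # Constructed inputs: a valid tag, a tag not offered, and one with a metacharacter.
    for sample in ("en", "zz", "en;"):
        print(sample, "->", handle_language_configuration({"language": sample}, True))
    print("unauthenticated ->", handle_language_configuration({"language": "en"}, False))
```

The weak pattern and the hardened one differ in two places that matter: the weak string hands the parameter to a shell, so any metacharacter changes what runs, while the hardened path never constructs a shell string at all and additionally refuses values that are not on the allow-list. The authentication check comes first because the advisory's point is that the endpoint could be reached by anyone who knew the device's IP address.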


Pierluigi Paganini

(SecurityAffairs – hacking, Western Digital)


Pierluigi Paganini

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at “Cyber Defense Magazine”, Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog “Security Affairs”, recently named a Top National Security Resource for the US. Pierluigi is a member of “The Hacker News” team and a writer for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books “The Deep Dark Web” and “Digital Virtual Currency and Bitcoin”.
