If you have not already, stop reading & go take your My Book Live storage device offline, to make sure you do not join the ranks of those who woke up on Thur. to find that years of data had been wiped clean on devices worldwide.
“I am totally screwed,” 1 user stated after finding years of data gone. Western Digital advised pulling the NAS storage devices offline ASAP: There is an exploit.
Western Digital’s My Book storage device is designed for consumers & businesses. It typically plugs into computers via USB. The specific model involved in the data-demolition incident is known as My Book Live: a model that uses an Ethernet cable to connect to a local network. Users can remotely access files & make configuration changes through Western Digital’s cloud infrastructure.
Western Digital is blaming the remote wipes – which have happened even if the network-attached storage (NAS) devices are behind a firewall or router – on the exploitation of a remote command-execution (RCE) vulnerability.
The compromise delivers the data wipe-out in the form of a factory reset that “appears to erase all data on the device,” according to Western Digital’s advisory.
It was Bleeping Computer’s Lawrence Abrams that 1st came across the issue being reported on the Western Digital community forum. One user using the handle “sunpeak” said that their folders all had an edit date of June 23 (Wed.), around 3pm PT/6pm ET. Scores of other forum members confirmed receiving the factory-reset messages & confirmed the timing.
Sunpeak went on to describe how they discovered that 2T of data – an almost full disk – was lost, leaving the directories still there but echoing, all emptied out.
“Previously the 2T volume was almost full but now it shows full capacity,” Sunpeak informed, going on to describe how, upon trying to login to the control user interface to diagnose the issue, they were only able to get to the landing page shown below, which prompted them to input their “owner password.”
The WD My Book landing page users saw after their devices were wiped. Source: WD Community forum.
When Sunpeak attempted to input the default password “admin,” it did not work. Neither did the landing page offer the option of resetting or retrieving the password.
The user wrote that it is “very scary” that a threat player could perform a factory reset on drives without permission granted by end users. Sunpeak offered these entries from their drive’s user.log:
Jun 23 15:14:05 MyBookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 MyBookLive shutdown: shutting down for system reboot
Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 MyBookLive _: pkg: wd-nas
Jun 23 16:02:30 MyBookLive _: pkg: networking-general
Jun 23 16:02:30 MyBookLive _: pkg: apache-php-webdav
Jun 23 16:02:31 MyBookLive _: pkg: date-time
Jun 23 16:02:31 MyBookLive _: pkg: alerts
Jun 23 16:02:31 MyBookLive logger: hostname=MyBookLive
Jun 23 16:02:32 MyBookLive _: pkg: admin-rest-api
“I believe this is the culprit of why this happens,” Sunpeak wrote. “No one was even home to use this drive at this time.”
Years of Data
Some of the cries of pain that arose from Western Digital users on the forum:
‘I’m not going to lie; I have been in tears over this pretty much all day. I started a new job 7 months ago & all my data/work was on here (yes, this was not backed up as I only do backups every 6 months or so & it has been busy :frowning: ).
I cannot believe this has happened, it does not seem real, but I will absolutely pursue every avenue I can to get them to at least tell me what they have done so I can instruct professional data recovery services & then I will do all i can to hold them to account as well. P***** off is an understatement.’ —Sammie101
‘All my data is gone too. Message in GUI says it was “Factory reset” today! 06/23. I am totally screwed without that data…years of it.’ —Marknj1
Western Digital stopped supporting My Book Live in 2015. That was the date of the last firmware update for its My Book Live & My Book Live Duo devices, according to its advisory. The company gave the obligatory “customers’ data is very important” message & said that it’s “actively investigating the issue.” Western Digital promised to update its advisory when it has more information.
Western Digital sent a statement to news outlets, including Ars Technical, saying that the company has no indications that its cloud services or systems were breached:
The incident is under active investigation from Western Digital. We do not have any indications of a breach or compromise of Western Digital cloud services or systems.
We have determined that some My Book Live devices have been compromised by a threat player. In some cases, this compromise has led to a factory reset that appears to erase all data on the device. The My Book Live device received its final firmware update in 2015.
At this time, we are recommending that customers disconnect their My Book Live devices from the Internet to protect their data on the device.
We…will provide updates to this thread when they are available.
Yaniv Bar-Dayan, CEO & co-founder at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation outlined that it is not clear where the responsibility for this disaster falls: with Western Digital, or the users who did not have alternative backups?
“In this day & age, consumers have to be just as diligent as enterprise businesses when it comes to cyber security,” Bar-Dayan explained. “Enterprise security teams understand that vulnerabilities come in all shapes & sizes. In the case of the Western Digital My Book Live devices, threat players took advantage of a daisy chained set of circumstances to wipe the data from exposed hard drives.
Consumers should have known to keep the drive firmware patched, & to only connect the drives to the internet when necessary. Where does the responsibility fall? On the consumer or on Western Digital? There isn’t a clear-cut answer in this case.”
Alec Alvarado, Threat Intelligence Team Lead at digital risk protection provider Digital Shadows, explained that from an organisational viewpoint, issuing patches for publicly disclosed vulnerabilities & ensuring user awareness that a vulnerability exists are “all steps in the right direction.”
From a user’s perspective, “having backups of critical data in more than 1 secured place can be a fail-safe for similar situations.”
This is not the 1st time we have seen data nightmares swallow NAS devices. In late Mar., legacy QNAP NAS devices were found to be vulnerable to a zero-day attack that would allow an attacker to manipulate stored data & hijack the device.
Before that, in Dec. 2020, high-severity cross-site scripting flaws were discovered that could allow remote-code injection, also on QNAP NAS systems.
Alvarado stated that misconfiguration is typically the culprit for NAS data being inadvertently exposed. However, he added, exploitation of vulnerabilities in NAS drives is “still relatively common” & “appears to be actively targeted by various threat actors.”
Months’ Worth of Extortion
He pointed to the QNAP NAS devices’ RCE vulnerabilities as being an example of how ransomware actors are not always focused on “big game.” That is just “wishful thinking, Alvarado observed, given how the Qlocker ransomware group reportedly made $350k in a month’s worth of extortion by exploiting RCE vulnerabilities in QNAP devices.
“If threat actors can find a use for a vulnerability, especially one with an existing publicly available POC, it is safe to assume they will exploit it,” he outlined.
Garret Grajek, CEO of You Attest, a cloud identity attestation company, stated that the My Book attack “illuminates a bigger problem,” – in access review & certification of privileges & access on the part of both users & processes.
“Many of these hacks are the result of configurations where privileges to resources were over-granted,” he explained Fri. “We must do systematic & regular reviews of access to our key resources & install triggers to these permissions when privileges change.”
Ransomware or Lulz?
So far, there have not been any ransom notes reported, insinuating that perhaps extortion was not the end game in the Western Digital NAS attack. Maybe the threat player just wanted to flex their muscle to see if the exploit would work, Alvarado suggested, “in a ‘some just want to see the world burn’ fashion.”
Time, & Western Digital’s investigation, will hopefully tell.