My Book Live Users Wake Up to Wiped Devices, Active RCE Attacks


“I am totally screwed,” one user wailed after finding years of data nuked. Western Digital advised yanking the NAS storage devices offline ASAP: There’s an exploit.

If you haven’t already, stop reading and go yank your My Book Live storage device offline, lest you join the ranks of those who woke up on Thursday to find that years of data had been wiped clean on devices around the world.

Western Digital’s My Book storage device is designed for consumers and businesses. It typically plugs into computers via USB. The specific model involved in the data-demolition incident is known as My Book Live: a model that uses an Ethernet cable to connect to a local network. Users can remotely access files and make configuration changes through Western Digital’s cloud infrastructure.

Western Digital is blaming the remote wipes – which have happened even if the network-attached storage (NAS) devices are behind a firewall or router – on the exploitation of a remote command-execution (RCE) vulnerability.

The compromise delivers the data slaughter in the form of a factory reset that “appears to erase all data on the device,” according to Western Digital’s advisory.

It was BleepingComputer’s Lawrence Abrams who first came across the issue being reported on the Western Digital community forum. One user, posting under the handle “sunpeak,” said that all of their folders had an edit date of June 23 (Wednesday), around 3 p.m. PT/6 p.m. ET. Scores of other forum members confirmed receiving the factory-reset messages, and confirmed the timing.

Sunpeak went on to describe how they discovered that 2T of data – an almost full disk – went up in a puff of smoke, leaving the directories still there but echoing, all emptied out.

“Previously the 2T volume was almost full but now it shows full capacity,” sunpeak said, going on to describe how, upon trying to log in to the control user interface to diagnose the issue, they were only able to get to the landing page shown below, which prompted them to input their “owner password.”

The WD My Book landing page users saw after their devices were wiped. Source: WD Community forum.

When sunpeak attempted to input the default password “admin,” it didn’t work. Nor did the landing page offer the option of resetting or retrieving the password.

The user wrote that it is “very scary” that a threat actor could perform a factory reset on drives without permission granted by end users. Sunpeak offered up these entries from their drive’s user.log:

Jun 23 15:14:05 MyBookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 MyBookLive shutdown[24582]: shutting down for system reboot
Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 MyBookLive _: pkg: wd-nas
Jun 23 16:02:30 MyBookLive _: pkg: networking-general
Jun 23 16:02:30 MyBookLive _: pkg: apache-php-webdav
Jun 23 16:02:31 MyBookLive _: pkg: date-time
Jun 23 16:02:31 MyBookLive _: pkg: alerts
Jun 23 16:02:31 MyBookLive logger: hostname=MyBookLive
Jun 23 16:02:32 MyBookLive _: pkg: admin-rest-api

“I believe this is the culprit of why this happens,” sunpeak wrote. “No one was even home to use this drive at this time.”
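The user.log excerpt above is the kind of evidence an owner or responder can check for on any remaining device. The following Python script is an added example, not code from the article or from Western Digital: it parses syslog-style lines of the format shown, flags the factory-reset indicators the excerpt contains (the `factoryRestore.sh` script starting and the reboot it triggers), and measures the downtime until the data volume was mounted again. The sample log is copied from the page; the year and the indicator names are assumptions drawn from that excerpt.

```python
"""Flag factory-reset indicators in a My Book Live user.log excerpt.

Added example; the indicator names and the 2021 year are assumptions
taken from the log lines quoted in the article.
"""
import re
from datetime import datetime

# Sample log, copied from the forum post quoted above (no year in the timestamp).
SAMPLE_LOG = """\
Jun 23 15:14:05 MyBookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 MyBookLive shutdown[24582]: shutting down for system reboot
Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 MyBookLive _: pkg: wd-nas
Jun 23 16:02:30 MyBookLive _: pkg: networking-general
Jun 23 16:02:30 MyBookLive _: pkg: apache-php-webdav
Jun 23 16:02:31 MyBookLive _: pkg: date-time
Jun 23 16:02:31 MyBookLive _: pkg: alerts
Jun 23 16:02:31 MyBookLive logger: hostname=MyBookLive
Jun 23 16:02:32 MyBookLive _: pkg: admin-rest-api
"""

# Syslog-style line without a year: "Mon DD HH:MM:SS host prog[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)

# Indicators assumed from the excerpt: the restore script, the reboot it
# causes, and the data-volume mount that marks the device coming back up.
RESET_SCRIPT = "factoryRestore.sh"
REBOOT_MSG = "shutting down for system reboot"
MOUNT_SCRIPT = "S15mountDataVolume.sh"


def parse_line(line, year=2021):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    stamp = " ".join(m["ts"].split())  # collapse the double space of "Jun  3"
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "prog": m["prog"],
            "pid": m["pid"], "msg": m["msg"]}


def find_reset_events(lines, year=2021):
    """Return the reset-related events in order: script start, reboot, remount."""
    events = []
    for line in lines:
        rec = parse_line(line, year)
        if rec is None:
            continue
        if rec["prog"] == RESET_SCRIPT:
            events.append({"kind": "factory_reset_script", "ts": rec["ts"], "line": line})
        elif rec["msg"] == REBOOT_MSG:
            events.append({"kind": "reboot", "ts": rec["ts"], "line": line})
        elif rec["prog"] == MOUNT_SCRIPT:
            events.append({"kind": "data_volume_mount", "ts": rec["ts"], "line": line})
    return events


def downtime_seconds(events):
    """Seconds between the reboot and the next data-volume mount, or None."""
    reboot_ts = None
    for ev in events:
        if ev["kind"] == "reboot":
            reboot_ts = ev["ts"]
        elif ev["kind"] == "data_volume_mount" and reboot_ts is not None:
            return int((ev["ts"] - reboot_ts).total_seconds())
    return None


if __name__ == "__main__":
    found = find_reset_events(SAMPLE_LOG.splitlines())
    for ev in found:
        print(f"{ev['ts']:%b %d %H:%M:%S}  {ev['kind']:<20} {ev['line']}")
    print("downtime (s):", downtime_seconds(found))
```

Run it against a copy of `/var/log/user.log` pulled from an affected device to confirm whether the same sequence appears; the remount delay in the quoted excerpt is about 48 minutes, which matches the forum reports that nobody was using the drive at the time.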

Years of Data: Now Toast

Some of the wails of pain that arose from Western Digital users on the forum:

I’m not going to lie, I have been in tears over this pretty much all day. I started a new job 7 months ago and all my data/work was on here (yes, this was not backed up as I only do back ups every 6 months or so and it’s been busy :frowning: ). I can’t beleive [sic] this has happened, it doesn’t seem real, but I will absoutely [sic] pursue every avenue I can to get them to at least tell me what they’ve done so I can instruct professional data recovery services (and then I will do all i can to hold them to account as well. P***** off is an understatement). —Sammie101

All my data is gone too. Message in GUI says it was “Factory reset” today! 06/23. I am totally screwed without that data…years of it. —Marknj1

Dusty Devices, Old Firmware

Western Digital stopped supporting My Book Live in 2015. That was the date of the last firmware update for its My Book Live and My Book Live Duo devices, according to its advisory. The company gave the obligatory “customers’ data is very important” message and said that it’s “actively investigating the issue.” Western Digital promised to update its advisory when it has more information.

Western Digital sent a statement to news outlets, including Ars Technica, saying that the company has no indications that its cloud services or systems were breached:

The incident is under active investigation from Western Digital. We do not have any indications of a breach or compromise of Western Digital cloud services or systems.

We have determined that some My Book Live devices have been compromised by a threat actor. In some cases, this compromise has led to a factory reset that appears to erase all data on the device. The My Book Live device received its final firmware update in 2015.

At this time, we are recommending that customers disconnect their My Book Live devices from the Internet to protect their data on the device.

We…will provide updates to this thread when they are available.

Threatpost has reached out to Western Digital for an update on the investigation.

