A significant number of Western Digital My Book Live NAS owners are reporting that their drives have been totally erased. This has been done remotely by unknown attackers …
The company has confirmed that the attacks are occurring, and has advised owners to immediately disconnect their drives from the internet.
Logs suggest that a script is being run that instructs the drive to perform a factory reset, wiping all data.
Bleeping Computer reports.
Western Digital My Book NAS owners worldwide found that their devices have been mysteriously factory reset and all of their files deleted […]
Today, WD My Book owners worldwide suddenly found that all of their files were mysteriously deleted, and they could no longer log into the device via a browser or an app. When they attempted to log in via the Web dashboard, the device stated that they had an “Invalid password.”
“I have a WD My Book Live connected to my home LAN and it worked fine for years. I have just found that somehow all the data on it is gone today, while the directories seem to be there but empty. Previously the 2T volume was almost full but now it shows full capacity [free],” a WD My Book owner reported on the Western Digital Community Forums.
Some users hoped that the data might be intact, and simply that the drive management software could no longer see it, but using SSH shows that all files and directories are gone.
System logs show a script being run that resets the drives.
Jun 23 15:14:05 My BookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 My BookLive shutdown: shutting down for system reboot
Jun 23 16:02:26 My BookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 My BookLive : pkg: wd-nas
Jun 23 16:02:30 My BookLive : pkg: networking-general
Jun 23 16:02:30 My BookLive : pkg: apache-php-webdav
Jun 23 16:02:31 My BookLive : pkg: date-time
Jun 23 16:02:31 My BookLive : pkg: alerts
Jun 23 16:02:31 My BookLive logger: hostname=My BookLive
Jun 23 16:02:32 My BookLive : pkg: admin-rest-api
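As an added example (not from the article, Bleeping Computer or Western Digital), here is a small detector that parses syslog lines of this shape and flags factory-reset invocations, pairing each with the reboot that follows it. Two assumptions: the hostname "My BookLive" contains a space, so naive whitespace splitting mis-parses the program tag, and the log carries no year, so the year is passed in as a parameter (2021 is assumed here).

```python
import re
from datetime import datetime

# Constructed sample input: the article's syslog excerpt, one entry per line.
SAMPLE_LOG = """\
Jun 23 15:14:05 My BookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 My BookLive shutdown: shutting down for system reboot
Jun 23 16:02:26 My BookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 My BookLive : pkg: wd-nas
Jun 23 16:02:31 My BookLive logger: hostname=My BookLive
"""

# The host field is matched lazily because "My BookLive" contains a space;
# the program tag is the non-space token just before the first ": " after it
# (it is empty for the "pkg:" lines, which carry no tag).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>.+?) (?P<tag>\S*): ?(?P<msg>.*)$"
)

# Program tags that indicate a destructive reset on this device family;
# factoryRestore.sh is the script visible in the article's logs.
RESET_TAGS = {"factoryRestore.sh"}


def parse_line(line, year=2021):
    """Return (timestamp, host, tag, msg), or None if the line is not syslog-shaped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # syslog timestamps have no year, so the caller supplies it (assumed 2021 here)
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["tag"], m["msg"]


def find_reset_events(log_text, year=2021):
    """Flag factory-reset invocations and pair each with the next reboot, if any."""
    entries = [e for e in (parse_line(l, year) for l in log_text.splitlines()) if e]
    events = []
    for i, (ts, host, tag, msg) in enumerate(entries):
        if tag not in RESET_TAGS:
            continue
        reboot = next((t for t, _, tg, m in entries[i + 1:]
                       if tg == "shutdown" and "reboot" in m), None)
        events.append({"host": host, "script": tag, "at": ts.isoformat(),
                       "reboot_at": reboot.isoformat() if reboot else None})
    return events


if __name__ == "__main__":
    for ev in find_reset_events(SAMPLE_LOG):
        print(ev)
```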
Such an attack should not be possible, as the drives are behind a firewall, with remote access only supposed to be permitted via the company’s My Book Live cloud servers after user authentication. Western Digital says that it “does not believe” its servers have been compromised, even though that seems the obvious explanation. One other possibility is that hackers have obtained login credentials from another website, as many people continue to re-use passwords despite all the warnings not to do so.
For now, WD is recommending unplugging the Ethernet cable.
Western Digital has determined that some My Book Live devices are being compromised by malicious software. In some cases, this compromise has led to a factory reset that appears to erase all data on the device. The My Book Live device received its final firmware update in 2015. We understand that our customers’ data is very important. At this time, we recommend you disconnect your My Book Live from the Internet to protect your data on the device. We are actively investigating and we will provide updates to this thread when they are available.
Personally, until we know more about this security breach, I would do the same with any Western Digital NAS product.