PSA: Disconnect your WD My Book Live and My Book Duo Live or risk losing your data

By Kenny Yeo - on 27 Jun 2021, 11:42am

Note: This article was first published on 25 June 2021 and has been updated with a statement from WD. Scroll to the end of the article to read it.

(Image source: WD)

Do you own a WD My Book Live or My Book Duo Live NAS drive? If you do, stop whatever you are doing right now and disconnect them.

WD issued the warning after a number of users reported that their data had been deleted without any action on their part.

Others reported that their devices had been factory reset, or that they were being presented with a login page asking for a password they do not know.

Users who suffered this issue shared logs that show a factory reset being requested from an unknown source. Take a look:

Jun 23 15:14:05 MyBookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 MyBookLive shutdown[24582]: shutting down for system reboot
Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 MyBookLive _: pkg: wd-nas
Jun 23 16:02:30 MyBookLive _: pkg: networking-general
Jun 23 16:02:30 MyBookLive _: pkg: apache-php-webdav
Jun 23 16:02:31 MyBookLive _: pkg: date-time
Jun 23 16:02:31 MyBookLive _: pkg: alerts
Jun 23 16:02:31 MyBookLive logger: hostname=MyBookLive
Jun 23 16:02:32 MyBookLive _: pkg: admin-rest-api
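The same factory-reset signature can be pulled out of a syslog export automatically. The Python below is an added example, not code from this article or from WD: it parses classic syslog-format lines like the ones above, flags every factoryRestore.sh invocation, and records whether a reboot followed within a short window and when the data volume was next mounted (the sequence visible in the posted excerpt). The sample log embedded in it is constructed here from that excerpt plus a routine cron line for contrast; the 120-second reboot window and the cron command are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the excerpt posted by affected users, plus a routine
# cron line added here for contrast (the cron command is made up).
SAMPLE_LOG = """\
Jun 23 15:10:01 MyBookLive cron[24001]: (root) CMD (/usr/local/sbin/checkdisk.sh)
Jun 23 15:14:05 MyBookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 MyBookLive shutdown[24582]: shutting down for system reboot
Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 MyBookLive _: pkg: wd-nas
Jun 23 16:02:32 MyBookLive _: pkg: admin-rest-api
"""

# Classic syslog line: "Mon DD HH:MM:SS host proc[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<proc>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

RESET_PROC = "factoryRestore.sh"           # script named in the posted logs
FIRST_MOUNT_PROC = "S15mountDataVolume.sh"  # first data-volume mount on the next boot
REBOOT_WINDOW_S = 120                       # assumption: a reboot should follow a reset quickly


def parse_line(line):
    """Split one syslog line into fields, or return None if it does not parse."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def parse_ts(ts):
    # Syslog timestamps carry no year; strptime fills in 1900, which is
    # fine for ordering lines within a single export.
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def find_factory_resets(log_text, reboot_window_s=REBOOT_WINDOW_S):
    """Return one finding per factoryRestore.sh run found in log_text."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    findings = []
    for i, rec in enumerate(records):
        if rec["proc"] != RESET_PROC:
            continue
        t0 = parse_ts(rec["ts"])
        finding = {"host": rec["host"], "reset_at": rec["ts"],
                   "reboot_at": None, "next_mount_at": None}
        for later in records[i + 1:]:
            dt = (parse_ts(later["ts"]) - t0).total_seconds()
            if (finding["reboot_at"] is None and dt <= reboot_window_s
                    and later["proc"] == "shutdown" and "reboot" in later["msg"]):
                finding["reboot_at"] = later["ts"]
            elif later["proc"] == FIRST_MOUNT_PROC:
                # The data volume coming back up marks the post-reset boot.
                finding["next_mount_at"] = later["ts"]
                break
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_factory_resets(SAMPLE_LOG):
        print(f"{f['host']}: factory reset at {f['reset_at']}, "
              f"reboot at {f['reboot_at']}, data volume remounted at {f['next_mount_at']}")
```

Run it against a full `/var/log/messages` export rather than the short excerpt: a reset you did not request, followed by the package-install lines of a fresh boot, is exactly the pattern WD describes, and the timestamps give you the window to compare against your router's connection logs.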

WD is currently investigating this issue and in the meantime is advising its customers to disconnect their drives.

WD said:

Western Digital has determined that some My Book Live and My Book Live Duo devices are being compromised through exploitation of a remote command execution vulnerability. In some cases, this compromise has led to a factory reset that appears to erase all data on the device. The My Book Live and My Book Live Duo devices received their final firmware update in 2015. We understand that our customers’ data is very important. We are actively investigating the issue and will provide an updated advisory when we have more information.

At this point, there's no indication that this issue affects WD's other NAS products.

**Update on 27 June 2021, 1130 hrs**

WD has shared a statement with BleepingComputer, and it says:

Western Digital has determined that some My Book Live and My Book Live Duo devices are being compromised through exploitation of a remote command execution vulnerability. In some cases, the attackers have triggered a factory reset that appears to erase all data on the device.

We are reviewing log files which we have received from affected customers to further characterize the attack and the mechanism of access. The log files we have reviewed show that the attackers directly connected to the affected My Book Live devices from a variety of IP addresses in different countries. This indicates that the affected devices were directly accessible from the Internet, either through direct connection or through port forwarding that was enabled either manually or automatically via UPnP.

Additionally, the log files show that on some devices, the attackers installed a trojan with a file named “.nttpd,1-ppc-be-t1-z”, which is a Linux ELF binary compiled for the PowerPC architecture used by the My Book Live and Live Duo. A sample of this trojan has been captured for further analysis and it has been uploaded to VirusTotal.

Our investigation of this incident has not uncovered any evidence that Western Digital cloud services, firmware update servers, or customer credentials were compromised. As the My Book Live devices can be directly exposed to the internet through port forwarding, the attackers may be able to discover vulnerable devices through port scanning.

We understand that our customers’ data is very important. We do not yet understand why the attacker triggered the factory reset; however, we have obtained a sample of an affected device and are investigating further. Additionally, some customers have reported that data recovery tools may be able to recover data from affected devices, and we are currently investigating the effectiveness of these tools.
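WD gives one concrete indicator: a file named .nttpd,1-ppc-be-t1-z that is a Linux ELF binary built for PowerPC. The Python below is an added example, not code from this article or from WD. It walks a directory tree (for instance a data volume or image mounted read-only from a recovered drive), reports any file carrying that exact name, and decodes enough of the ELF header to confirm that a hit is a big-endian 32-bit PowerPC executable as WD describes. The file name comes from WD's statement; the e_machine value for PowerPC is from the ELF specification; the two sample headers are constructed here and are not bytes from the real trojan.

```python
import os
import struct

IOC_FILENAME = ".nttpd,1-ppc-be-t1-z"  # file name WD reported on compromised devices
EM_PPC = 20                            # e_machine for 32-bit PowerPC (ELF specification)
EI_CLASS32, EI_DATA_BE = 1, 2          # e_ident[EI_CLASS] / e_ident[EI_DATA] values


def inspect_elf_header(data):
    """Decode the ELF header fields that say what a binary was built for.

    Returns None if the bytes do not start with an ELF header.
    """
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    ei_class, ei_data = data[4], data[5]
    if ei_data not in (1, 2):
        return None
    endian = "<" if ei_data == 1 else ">"
    # e_type and e_machine follow the 16-byte e_ident array.
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "bits": 32 if ei_class == EI_CLASS32 else 64,
        "big_endian": ei_data == EI_DATA_BE,
        "e_type": e_type,
        "e_machine": e_machine,
    }


def classify(path, head):
    """Compare a file name and its leading bytes against WD's description.

    name_match: the file is named exactly as WD reported.
    ppc_elf:    the bytes are a big-endian 32-bit PowerPC ELF, i.e. something
                that could actually execute on a My Book Live.
    """
    hdr = inspect_elf_header(head)
    return {
        "path": path,
        "name_match": os.path.basename(path) == IOC_FILENAME,
        "ppc_elf": bool(hdr) and hdr["e_machine"] == EM_PPC
                   and hdr["big_endian"] and hdr["bits"] == 32,
    }


def scan_tree(root):
    """Walk root (e.g. a mounted image of the device) and return the hits."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name != IOC_FILENAME:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(64)
            except OSError:
                head = b""  # unreadable: still report the name match
            hits.append(classify(path, head))
    return hits


# Constructed sample headers (not real malware bytes): just enough of an ELF
# header to exercise the checks above.
SAMPLE_PPC_BE_HEADER = (b"\x7fELF" + bytes([1, 2, 1, 0]) + b"\x00" * 8
                        + struct.pack(">HH", 2, EM_PPC))
SAMPLE_X86_64_HEADER = (b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
                        + struct.pack("<HH", 2, 62))

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for hit in scan_tree(root):
        print(hit)
```

Two caveats when reading the output: every binary on a My Book Live is a PowerPC ELF, so `ppc_elf` on its own means nothing and the file name is the actual indicator; the header check only confirms that a name hit is an executable consistent with WD's description rather than a stray data file. And if you intend to attempt data recovery, run this against a copy or a read-only mount, not the live device. The comma in the file name also means you need to quote it if you look for it by hand in a shell.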

BleepingComputer goes on to report that these WD My Book Live devices received their final firmware update over 6 years ago in 2015.

Since that final update, a remote code execution vulnerability in the device, tracked as CVE-2018-18472, was disclosed together with a public proof-of-concept exploit, and it was never patched because the product had already stopped receiving firmware updates.

It is believed that the attackers used this exploit to reset My Book Live devices around the world.

Source: WD via Ars Technica and BleepingComputer
