Western Digital My Book Live NAS owners all over the world have found that their devices were mysteriously factory reset and all of their files deleted.
WD My Book Live is a network-attached storage device that looks like a small vertical book you can stand on your desk. The WD My Book Live app allows owners to access their files and manage their devices remotely, even when the NAS sits behind a firewall or router.
Today, WD My Book Live and WD My Book Live DUO owners around the globe suddenly discovered that all of their files had been deleted and that they could no longer log into the device through a browser or the app.
When they tried to log in via the web dashboard, the device reported an “Invalid password.”
“I have a WD My Book Live connected to my home LAN and it worked fine for years. I have just found that somehow all the data on it is gone today, while the directories appear to be there but empty. Previously the 2T volume was nearly full but now it shows full capacity,” a WD My Book owner reported on the Western Digital Community Forums.
“The even more bizarre thing is when I try to log into the control UI for diagnosis I was only able to get to this landing page with an input box for ‘owner password’. I have tried the default password ‘admin’ and also what I could set for it with no luck.”
My Book Live devices issued a factory reset command
After further owners confirmed that their devices had the same problem, owners reported that the My Book logs showed the devices received a remote command to perform a factory reset, starting at about 3 PM yesterday and continuing into the evening.
“I have found this in user.log of this drive now:
Jun 23 15:14:05 MyBookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 MyBookLive shutdown: shutting down for system reboot
Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 MyBookLive _: pkg: wd-nas
Jun 23 16:02:30 MyBookLive _: pkg: networking-general
Jun 23 16:02:30 MyBookLive _: pkg: apache-php-webdav
Jun 23 16:02:31 MyBookLive _: pkg: date-time
Jun 23 16:02:31 MyBookLive _: pkg: alerts
Jun 23 16:02:31 MyBookLive logger: hostname=MyBookLive
Jun 23 16:02:32 MyBookLive _: pkg: admin-rest-api
I think this is the culprit of why this happens… No one was even home to use this drive at this time…”
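For owners going through their own user.log, the following added example (not code from the article or from Western Digital) reconstructs the sequence shown in the quoted excerpt: it finds each factoryRestore.sh invocation and pairs it with the reboot, data-volume remount and package re-provisioning that followed. The sample log is constructed from the excerpt above, and the year is assumed to be 2021 because syslog lines carry none.

```python
import re
from datetime import datetime

# Constructed sample modelled on the user.log excerpt quoted above (not a real capture).
SAMPLE_LOG = """\
Jun 23 14:58:12 MyBookLive apache: normal daily activity
Jun 23 15:14:05 MyBookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 MyBookLive shutdown: shutting down for system reboot
Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 MyBookLive _: pkg: wd-nas
Jun 23 16:02:32 MyBookLive _: pkg: admin-rest-api
"""

# syslog layout: "<Mon> <day> <HH:MM:SS> <host> <process>: <message>"
LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ([^:]+): ?(.*)$")
LOG_YEAR = 2021  # assumption: syslog lines carry no year; taken from the article's date

def parse_line(line):
    """Split one user.log line into timestamp, host, process and message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp, host, proc, msg = m.groups()
    ts = datetime.strptime(f"{LOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": host, "proc": proc, "msg": msg}

def find_factory_resets(log_text):
    """Return one finding per factoryRestore.sh run: when it began, when the
    device rebooted and remounted its data volume, and which packages were
    re-provisioned afterwards (the signature of a wiped device coming back up)."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    findings = []
    for i, e in enumerate(events):
        if e["proc"] != "factoryRestore.sh":
            continue
        finding = {"reset_at": e["ts"], "reboot_at": None, "remount_at": None, "pkgs": []}
        for f in events[i + 1:]:
            if f["proc"] == "factoryRestore.sh":
                break  # next reset starts a new finding
            if f["proc"] == "shutdown" and finding["reboot_at"] is None:
                finding["reboot_at"] = f["ts"]
            elif f["proc"] == "S15mountDataVolume.sh" and finding["remount_at"] is None:
                finding["remount_at"] = f["ts"]
            elif f["proc"] == "_" and f["msg"].startswith("pkg: "):
                finding["pkgs"].append(f["msg"][5:])
        findings.append(finding)
    return findings
```

A factoryRestore.sh entry with no matching administrator activity in the preceding lines is the indicator worth preserving before any recovery attempt overwrites the log.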
Unlike QNAP devices, which are commonly connected directly to the Internet and exposed to attacks such as the QLocker ransomware, Western Digital My Book devices are kept behind a firewall and communicate through the My Book Live cloud servers to provide remote access.
Some users have expressed concerns that Western Digital’s servers were hacked to allow a threat actor to push a remote factory reset command to all devices connected to the service.
If a threat actor wiped the devices, it is peculiar that no one has reported ransom notes or other threats, which suggests the attack was intended purely to be destructive.
Some users affected by this attack have reported success recovering some of their files using the PhotoRec file recovery tool.
Unfortunately, others have not had as much success.
If you own a WD My Book Live NAS device, Western Digital strongly recommends that you disconnect the device from the Internet.
“At this time, we recommend you disconnect your My Book Live and My Book Live Duo from the Internet to protect your data on the device,” Western Digital stated in an advisory.
Unpatched vulnerability believed to be behind attacks
In a statement shared with BleepingComputer, Western Digital has determined that My Book Live and My Book Live Duo devices connected directly to the Internet are being targeted using a remote code execution vulnerability.
Western Digital has determined that some My Book Live and My Book Live Duo devices are being compromised through exploitation of a remote command execution vulnerability. In some cases, the attackers have triggered a factory reset that appears to erase all data on the device.
We are reviewing log files which we have received from affected customers to further characterize the attack and the mechanism of access. The log files we have reviewed show that the attackers directly connected to the affected My Book Live devices from a variety of IP addresses in different countries. This indicates that the affected devices were directly accessible from the Internet, either through direct connection or through port forwarding that was enabled either manually or automatically via UPnP.
Additionally, the log files show that on some devices, the attackers installed a trojan with a file named “.nttpd,1-ppc-be-t1-z”, which is a Linux ELF binary compiled for the PowerPC architecture used by the My Book Live and Live Duo. A sample of this trojan has been captured for further analysis and it has been uploaded to VirusTotal.
Our investigation of this incident has not uncovered any evidence that Western Digital cloud services, firmware update servers, or customer credentials were compromised. As the My Book Live devices can be directly exposed to the Internet through port forwarding, the attackers may be able to discover vulnerable devices through port scanning.
We understand that our customers’ data is very important. We do not yet understand why the attacker triggered the factory reset; however, we have obtained a sample of an affected device and are investigating further. Additionally, some customers have reported that data recovery tools may be able to recover data from affected devices, and we are currently investigating the effectiveness of these tools.
The WD My Book Live devices received their final firmware update in 2015.
Since then, a remote code execution vulnerability tracked as CVE-2018-18472 was disclosed along with a public proof-of-concept exploit.
It is believed that a threat actor performed a mass scan of the Internet for vulnerable devices and used this vulnerability to issue the factory-reset command.
Update 6/24/21: Added statement from Western Digital.
Update 6/25/21: Added details about the vulnerability and recovery options.
Update 6/26/21: Added full updated statement.
Thx to Jol for the tip.