WD My Book Live storage drive is being wiped remotely - Disconnect Now

Updated with new information about a second previously unknown flaw exploited in an attack against WD My Book Live drives. This article was originally published on June 25, 2021.

Do you have a WD My Book Live network storage drive? Disconnect it from the Internet immediately, or you may lose important data.

WD warns that some users have found their data erased without having taken any action themselves. The company attributes this to "malicious software" in circulation and advises users to disconnect their drives from the Internet immediately.

Many WD My Book Live owners have confirmed that their devices received remote commands to perform a factory reset yesterday afternoon and evening.

Affected users have since discovered that all of their data is gone, and many cannot log in to their drives through either the web interface or the app portal. The usual default administrator password does not work either.

Oddly enough, some users report that the folder structure is intact but every folder is empty. Another user confirmed that the drive contained only the default folders it had when it was first set up.

Since WD My Book devices sit behind the owner's own firewall but can be reached remotely through the My Book Live cloud service, some users have expressed concern that WD's server may have been hacked. This is a very valid concern.

However, WD's official statement claims that its cloud services and servers do not appear to have been compromised; in a statement to BleepingComputer, WD clarified that the affected devices were "configured by a threat actor."

Clearly, the erased WD My Book Live devices were hit by someone exploiting a known vulnerability in the device's software. This vulnerability allows anyone who knows the IP address of an unpatched device (which can be found through an Internet scan) to execute commands remotely as root.

WD has confirmed that this issue is the result of a large-scale exploitation of the vulnerability. To make matters worse, the issue was apparently not patched when it was discovered and publicized in 2018; WD stated in an official statement that the affected drives received their last firmware update in 2015.

WD's official advice is to disconnect the My Book Live drives from the Internet to prevent the data from being erased. It is unclear if a patch will be provided to prevent this problem from spreading further.

Ars Technica, in conjunction with security firm Censys, conducted a detailed investigation of the log files of the erased My Book Live drives and found evidence that a second flaw, previously unknown to Western Digital, was used in the attack.

Additionally, the erasure of the drive may have been the result of a second attacker attempting to sabotage or steal the work of the first attacker.

The second flaw allows a remote user to factory reset the drive. This is possible because the protection code that should force the remote user to enter a password before a factory reset has been disabled. The code is simply "commented out" with special characters, so it remains readable in the source but is never executed.
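The passage above describes a guard that still exists in the source but has been commented out. The following is an added illustration, not Western Digital's firmware code: a toy in-memory model of a NAS admin endpoint in which the factory-reset handler appears in the vulnerable form (password check commented out) beside a corrected form that enforces the check and records every attempt. All names (DeviceState, handle_reset_vulnerable, handle_reset_hardened, find_commented_out_guards) and sample values are hypothetical; the last function is a small source lint a firmware team could run to flag authentication checks that have been turned into comments.

```python
import hashlib
import hmac
import re
import secrets

# Added example (not Western Digital code): a toy model of a NAS admin endpoint
# that performs a factory reset. All names and values here are hypothetical.


class DeviceState:
    """In-memory stand-in for a NAS: stored files plus the admin credential."""

    def __init__(self, salt: bytes, password_hash: bytes, files: dict):
        self.salt = salt
        self.password_hash = password_hash
        self.files = dict(files)
        self.reset_count = 0
        self.audit_log = []

    @classmethod
    def create(cls, admin_password: str, files: dict) -> "DeviceState":
        salt = secrets.token_bytes(16)
        return cls(salt, hash_password(admin_password, salt), files)

    def factory_reset(self) -> None:
        """Destructive operation: wipes every stored file."""
        self.files.clear()
        self.reset_count += 1


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 with a per-device salt; the iteration count is illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def password_matches(state: DeviceState, supplied: str) -> bool:
    # Constant-time comparison so the check does not leak through timing.
    return hmac.compare_digest(hash_password(supplied, state.salt), state.password_hash)


def handle_reset_vulnerable(state: DeviceState, request: dict) -> dict:
    """The pattern the article describes: the password check is still in the
    source but commented out, so any caller that reaches the endpoint wipes
    the device."""
    # if not password_matches(state, request.get("password", "")):
    #     return {"status": 401, "error": "unauthorized"}
    state.factory_reset()
    return {"status": 200, "result": "factory reset complete"}


def handle_reset_hardened(state: DeviceState, request: dict) -> dict:
    """Corrected handler: the guard is enforced and every attempt is logged,
    so a denied reset leaves a trace for later investigation."""
    remote = request.get("remote_addr", "unknown")
    if not password_matches(state, request.get("password", "")):
        state.audit_log.append(f"reset denied from {remote}")
        return {"status": 401, "error": "unauthorized"}
    state.audit_log.append(f"reset performed from {remote}")
    state.factory_reset()
    return {"status": 200, "result": "factory reset complete"}


# Heuristic: a comment line that begins with "if not <something auth-like>".
GUARD_PATTERN = re.compile(
    r"^\s*#\s*if\s+not\s+\w*(auth|password|login|session)\w*", re.IGNORECASE
)


def find_commented_out_guards(lines):
    """Simple source lint: flag lines where an authentication check has been
    turned into a comment. Returns a list of (1-based line number, stripped text)."""
    hits = []
    for number, line in enumerate(lines, start=1):
        if GUARD_PATTERN.match(line):
            hits.append((number, line.strip()))
    return hits


if __name__ == "__main__":
    import inspect

    dev = DeviceState.create("correct horse", {"photos.zip": b"..."})
    print(handle_reset_vulnerable(dev, {"password": "wrong", "remote_addr": "203.0.113.5"}), dev.files)
    dev = DeviceState.create("correct horse", {"photos.zip": b"..."})
    print(handle_reset_hardened(dev, {"password": "wrong", "remote_addr": "203.0.113.5"}), dev.files)
    print(find_commented_out_guards(inspect.getsource(handle_reset_vulnerable).splitlines()))
```

The lint is deliberately crude (a regex over comment lines); its purpose is to show that a disabled guard of this kind is cheap to catch in code review or a pre-release check, which is the defender's takeaway from the second flaw.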

It is unclear why such an important feature in the WD My Book Live firmware was intentionally disabled, either during the initial release or during a firmware update, but it appears that this is what happened. The last firmware update for these drives was in 2015.

In fact, the Censys post claims that WD My Book Live drives were attacked by two different attackers. The first attacker used the known vulnerability mentioned above to install botnet malware on the drives but did not erase them; a factory reset would also have wiped that malware.

The second attacker used the previously unknown flaw to factory reset the drives, perhaps as part of a dispute with the first attacker or in an attempt to "steal" the drives for another botnet. While the first attack could have gone unnoticed by the drive's owner indefinitely, the second was impossible to miss.

In any case, the advice is the same: disconnect your WD My Book Live network hard drive from the Internet.
