Thought leadership. Threat analysis. Cybersecurity news and alerts.
Western Digital (WD) Hard Drives Remotely Wiped Clean Worldwide
Users worldwide of Western Digital (WD) hard drives, specifically My Book Live and My Book Live Duo devices, found their hard drives being wiped clean remotely last June 23.
Last June 24, a WD user named “sunpeak” started a thread on WD Community forum stating that all the data on his WD My Book Live device is gone. “Previously the 2T volume was almost full but now it shows full capacity,” sunpeak said.
Hundreds of WD My Book Live and My Book Live Duo devices echoed sunpeak, stating that their devices have been wiped clean remotely as well.
“It is very scary that someone can do factory restore the drive without any permission granted from the end user,” sunpeak said. The tread started said he found this user.log in the affected device:
Jun 23 15:14:05 MyBookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 MyBookLive shutdown: shutting down for system reboot
Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 MyBookLive _: pkg: wd-nas
Jun 23 16:02:30 MyBookLive _: pkg: networking-general
Jun 23 16:02:30 MyBookLive _: pkg: apache-php-webdav
Jun 23 16:02:31 MyBookLive _: pkg: date-time
Jun 23 16:02:31 MyBookLive _: pkg: alerts
Jun 23 16:02:31 MyBookLive logger: hostname=MyBookLive
Jun 23 16:02:32 MyBookLive _: pkg: admin-rest-api
Another WD user added this message to the thread: “All my data is gone too. Message in GUI says it was ‘Factory reset’ today! 06/23. I am totally screwed without that data … years of it.”
Western Digital Statement
Last June 25, US-based company Western Digital recommended to users to disconnect their My Book Live and My Book Live Duo devices from the internet to protect their data on these devices. My Book Live and My Book Live Duo devices were introduced to the market in 2010 and these devices received their final firmware update in 2015.
“Western Digital has determined that some My Book Live devices are being compromised by malicious software,” Western Digital said. “In some cases, this compromise has led to a factory reset that appears to erase all data on the device.”
According to Western Digital, the log files that they’ve reviewed show that the attackers directly connected to the affected My Book Live and My Book Live Duo devices from a variety of IP addresses in different countries. The company said this shows that the affected devices were directly accessible from the internet, via direct connection or port forwarding that was enabled either manually or automatically via UPnP.
“Western Digital has determined that some My Book Live and My Book Live Duo devices are being compromised through exploitation of a remote command execution vulnerability,” Western Digital said.
The specific remote command execution vulnerability referred to by Western Digital is CVE-2018-18472 – in which all versions of Western Digital (WD) My Book Live has a root Remote Command Execution bug via shell metacharacters in the /api/1.0/rest/language_configuration language parameter. This security vulnerability can be triggered by anyone who knows the IP address of the affected device. A proof-of-concept on how to exploit CVE-2018-18472 is publicly available.
As the last firmware update of WD My Book Live and My Book Live Duo devices was in 2015, CVE-2018-18472 vulnerability, therefore, wasn’t answered by WD developers in 2015.
Other Cyberattacks Affecting Hard Drives/Backups
WD My Book Live and My Book Live Duo devices can be attached to the network, as such, they’re known as network-attached storage (NAS) devices. Other examples of NAS devices are those made by Taiwanese corporation QNAP Systems, Inc.
In the past few years, QNAP NAS devices have been the target of malicious actors. In 2019, researchers at Intezer detected the malicious software known as QNAPCrypt.
"QNAP is a well-known vendor for selling NAS servers, which the malware was intended to infect and encrypt the containing files for ransom,” researchers at Intezer said. “NAS servers normally store large amounts of important data and files, which make them a valuable target for attackers and especially a viable target for ransomware campaigns.”
In 2014, researchers at FireEye observed cyberattackers attempting to exploit the BASH remote code injection vulnerability against QNAP NAS devices.
"These attacks result in the hackers having a root level remote shell, gaining full access to the contents of the NAS,” FireEye researchers said. “NAS systems are used by enterprises to store large volumes of files and house databases, as well as by consumers for personal storage. This makes NAS an attractive target for attackers given the broad types of data they handle. In this case, the attackers can gain full access the NAS contents as well as execute other commands.”
Cybersecurity Best Practices
The deletion of enormous data in WD My Book Live and My Book Live Duo devices is a lesson learned for many users.
Network-attached storage (NAS) devices, including WD My Book Live and My Book Live Duo devices and QNAP devices are becoming the target of cyberattackers due to the wealth of data that these devices hold.
It is important to practice the time-honored 3-2-1 backup rule. This rule states that your organization needs to have 3 copies of critical data (one production data and 2 backup copies), with two copies in different media, and one copy kept offsite for disaster recovery.
Steve E. Driz, I.S.P., ITCP