[BreachExchange] My Book Live Users Wake Up to Wiped Devices, Active RCE Attacks

Fri Jun 25 12:02:53 EDT 2021

https://threatpost.com/my-book-live-wiped-rce-attacks/167270/

If you haven’t already, stop reading and go yank your My Book Live storage
device offline, lest you join the ranks of those who woke up on Thursday to
find that years of data had been wiped clean on devices around the world.

Western Digital’s My Book storage device is designed for consumers and
businesses. It typically plugs into computers via USB. The specific model
involved in the data-demolition incident is known as My Book Live: a model
that uses an Ethernet cable to connect to a local network. Users can
remotely access files and make configuration changes through Western
Digital’s cloud infrastructure.

Western Digital is blaming the remote wipes – which have happened even if
the network-attached storage (NAS) devices are behind a firewall or router
– on the exploitation of a remote command-execution (RCE) vulnerability.

The compromise delivers the data slaughter in the form of a factory reset
that “appears to erase all data on the device,” according to Western
Digital’s advisory.

It was BleepingComputer’s Lawrence Abrams that first came across the issue
being reported on the Western Digital community forum. One user using the
handle “sunpeak” said that their folders all had an edit date of June 23
(Wednesday), around 3 p.m. PT/6 p.m. ET. Scores of other forum members
confirmed receiving the factory-reset messages, and confirmed the timing.

Sunpeak went on to describe how they discovered that 2T of data – an almost
full disk – went up in a puff of smoke, leaving the directories still there
but echoing, all emptied out.

“Previously the 2T volume was almost full but now it shows full capacity,”
sunpeak said, going on to describe how, upon trying to login to the control
user interface to diagnose the issue, they were only able to get to the
landing page shown below, which prompted them to input their “owner
password.”

The WD My Book landing page users saw after their devices were wiped.
Source: WD Community forum.

When sunpeak attempted to input the default password “admin,” it didn’t
work. Nor did the landing page offer the option of resetting or retrieving
the password.

The user wrote that it is “very scary” that a threat actor could perform a
factory reset on drives without permission granted by end users. Sunpeak
offered up these entries from their drive’s user.log:

Jun 23 15:14:05 MyBookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 MyBookLive shutdown[24582]: shutting down for system reboot
Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 MyBookLive _: pkg: wd-nas
Jun 23 16:02:30 MyBookLive _: pkg: networking-general
Jun 23 16:02:30 MyBookLive _: pkg: apache-php-webdav
Jun 23 16:02:31 MyBookLive _: pkg: date-time
Jun 23 16:02:31 MyBookLive _: pkg: alerts
Jun 23 16:02:31 MyBookLive logger: hostname=MyBookLive
Jun 23 16:02:32 MyBookLive _: pkg: admin-rest-api

“I believe this is the culprit of why this happens,” sunpeak wrote. “No one
was even home to use this drive at this time.”

Years of Data: Now Toast

Some of the wails of pain that arose from Western Digital users on the
forum:

I’m not going to lie, I have been in tears over this pretty much all day. I
started a new job 7 months ago and all my data/work was on here (yes, this
was not backed up as I only do back ups every 6 months or so and it’s been
busy :frowning: ). I can’t beleive [sic] this has happened, it doesn’t seem
real, but I will absoutely [sic] pursue every avenue I can to get them to
at least tell me what they’ve done so I can instruct professional data
recovery services (and then I will do all i can to hold them to account as
well. P***** off is an understatement). —Sammie101

All my data is gone too. Message in GUI says it was “Factory reset” today!
06/23. I am totally screwed without that data…years of it. —Marknj1

Dusty Devices, Old Firmware

Western Digital stopped supporting My Book Live in 2015. That was the date
of the last firmware update for its My Book Live and My Book Live Duo
devices, according to its advisory. The company gave the obligatory
“customers’ data is very important” message and said that it’s “actively
investigating the issue.” Western Digital promised to update its advisory
when it has more information.

Western Digital sent a statement to news outlets, including Ars Technica,
saying that the company has no indications that its cloud services or
systems were breached:

The incident is under active investigation from Western Digital. We do not
have any indications of a breach or compromise of Western Digital cloud
services or systems.

We have determined that some My Book Live devices have been compromised by
a threat actor. In some cases, this compromise has led to a factory reset
that appears to erase all data on the device. The My Book Live device
received its final firmware update in 2015.

At this time, we are recommending that customers disconnect their My Book
Live devices from the Internet to protect their data on the device.

We…will provide updates to this thread when they are available.

Threatpost has reached out to Western Digital for an update on the
investigation.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210625/6dba5e0b/attachment.html>