More on the MyBook Attack - ThreatWire

By Shannon Morse, ThreatWire 

A wise hacker once said on Twitter: if it’s connected to the internet, then it’s not a backup. If you own a Western Digital My Book Live, disconnect it from the internet now. These devices are being remotely factory reset, and files are being completely wiped from these attached storage devices. The WD My Book Live is a physical device small enough to sit on a desk, but it can be used as a network attached storage device so you can access or manage files remotely over its Ethernet connection. This works even when the devices sit behind a secure network, so consumers love ‘em for their ease of use.

A few days ago, users found they couldn’t access their WD My Books anymore: the web dashboard for the device would say “invalid password” and all of the files and data were gone. According to Bleeping Computer, one owner stated it had worked fine for years, but their 2 terabytes of data were all gone, leaving nothing but empty directories.

Owners found that the device had received a remote command to factory reset. On the My Book Live, this is done by the script factoryRestore.sh, and the resets began on June 23 and continued through the night.

In response, Western Digital posted an advisory stating these devices are being compromised through exploitation of a remote command execution vulnerability, which triggers the factory reset that erases all the data. Since these devices haven’t received any updates since 2015, this seems likely. It doesn’t seem financially motivated, though, since no one has received a ransomware demand. WD stated that logs show the devices were connected to from IP addresses in all sorts of countries, and they suspect the devices were reachable directly from the internet through port forwarding or a direct connection, including UPnP. They also noticed a trojan file had been installed on some of these devices. WD didn’t find evidence of their own servers or services being compromised.

A remote code execution vulnerability does exist for these devices, listed as CVE-2018-18472. This was discovered AFTER the 2015 firmware update, so it’s possible an attacker scanned for open ports, found these devices, and decided to factory reset them. So do what Western Digital says and disconnect these devices immediately while the investigation is underway. While some users have reported successful recoveries using file recovery software, that’s not always the case, so continue using these over a network connection at your own risk.

Who’s to blame for this data loss? Western Digital, who likely left an RCE vulnerability unpatched? Or the users, who may have been connecting these straight to the interwebs? The devices were EOL but still work, so receiving updates after that point wouldn’t be expected. Many of these users lost years and years of data. I personally back up three-fold: to a cloud option, to a local NAS, and to an air-gapped backup drive stored in a safe. That may be overkill, but it also offers peace of mind in the event that something happens.


https://www.bleepingcomputer.com/news/security/wd-my-book-nas-devices-are-being-remotely-wiped-clean-worldwide/

https://arstechnica.com/gadgets/2021/06/mass-data-wipe-in-my-book-devices-prompts-warning-from-western-digital/

https://community.wd.com/t/help-all-data-in-mybook-live-gone-and-owner-password-unknown/268111/54

https://www.westerndigital.com/support/productsecurity/wdc-21008-recommended-security-measures-wd-mybooklive-wd-mybookliveduo

https://threatpost.com/my-book-live-wiped-rce-attacks/167270/

https://www.zdnet.com/article/own-a-wd-my-book-disconnect-it-from-the-internet-right-now/