WD My Book Live NAS contents are suddenly deleted worldwide

[German]Anyone with Western Digital My Book Live NAS devices among the blog readership? There is a disturbing development that owners of the devices should keep an eye on. Right now, owners of My Book Live NAS units around the world are finding that data is suddenly being completely deleted. The cause is unknown, it seems that an unknown vulnerability within the outdates firmware from 2015 is exploited by someone to cause as much damage as possible.

The issue has come to my attention in two places since that night. Here's a quicker overview of what's known so far.

A message in the WS-Forum

There is a post in Western Digital's community since June 24, 2021 that describes the entire disaster. Here is the test (in case the post is ever deleted).

Help! All data in mybook live gone and owner password unknown

I have a WD mybook live connected to my home LAN and worked fine for years. I have just found that somehow all the data on it is gone today, while the directories seems there but empty. Previously the 2T volume was almost full but now it shows full capacity.

The even strange thing is when I try to log into the control UI for diagnosis I was-only able to get to this landing page with an input box for "owner password". I have tried the default password "admin" and also what I could set for it with no luck. There seems to be no change to retrieve or reset password on this landing page either.

Could anyone help to find what was going on to this drive? I am stuck at emptied data on it now…Thanks in dadvance!

It happened to the owner of a WD My Book Live that suddenly all files on the NAS were deleted. But what's even more problematic is that he can no longer log in to the user interface to manage the NAS unit, because the password for the owner of the device is no longer accepted. He posted the following screenshot:

WD My Book Live owner password, Source: WD Community

In the log files, the affected person has found the following entries, which prove a factory restore via shell script.

Jun 23 15:14:05 MyBookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 MyBookLive shutdown[24582]: shutting down for system reboot
Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 MyBookLive _: pkg: wd-nas
Jun 23 16:02:30 MyBookLive _: pkg: networking-general
Jun 23 16:02:30 MyBookLive _: pkg: apache-php-webdav
Jun 23 16:02:31 MyBookLive _: pkg: date-time
Jun 23 16:02:31 MyBookLive _: pkg: alerts
Jun 23 16:02:31 MyBookLive logger: hostname=MyBookLive
Jun 23 16:02:32 MyBookLive _: pkg: admin-rest-api

The person affected writes that no one was at home at the time. In the thread, other users confirm the problem, that something was deleted remotely and that similar log entries exist. It looks like an unknown third party has deleted the content and locked the user access. In the meantime, there are more calls for help on the web (reddit.com, WD forum).

What is affected?

It seems to hit the WD My Book Live, a network storage (NAS) device whose name is probably derived from its case shape, which looks like a book (see the image above). Importantly, device owners can remotely access their files and manage their devices using the WD My Book Live app, even if the NAS is behind a firewall or router. This opens up an attack point for remote stories that happen via the Internet. This is because ports on the router or firewall need to be opened for this feature to work – any security hole can be exploited.

More articles on this topic

Then I found an article of Bleeping Computer as well as a contribution of Arstechnica, which take up the whole incident. Ultimately, the articles summarize what I outlined above. From Western Digital, I believe there is an email to customers that Arstechnica and Bleeping Computer have – but it can also be viewed on the WD forum. Here is the text:

Western Digital has determined that some My Book Live devices are being compromised by malicious software. In some cases, this compromise has led to a factory reset that appears to erase all data on the device. The My Book Live device received its final firmware update in 2015. We understand that our customers' data is very important. At this time, we recommend you disconnect your My Book Live from the Internet to protect your data on the device. We are actively investigating and we will provide updates to this thread when they are available.

investigates the case where devices may have been compromised via My Book Live, in some cases causing a factory reset to be performed and content to be deleted. It is stated that My Book Live devices last received firmware updates in 2015. The manufacturer's only advice: disconnect the devices from the Internet to protect stored data. WD is currently investigating the case and will publish details as soon as more information is available.

Addendum: There is now this WD post, pointing to CVE-2018-18472. This could be the case, since there have been no updates since 2015.