Western Digital My Book NAS owners across the globe have found that their devices were formatted under suspicious circumstances, leaving all of their files deleted.
WD My Book is a network-attached storage device that resembles a small book standing upright on a desk. The WD My Book Live app lets users manage their devices remotely and access their files.
Today, WD My Book owners suddenly discovered that all of their files had been destroyed without their knowledge and that they could no longer log in to the device through a browser or an app.
When users tried to log in through the web dashboard, the device reported an "Invalid password" error.
Meanwhile, a WD My Book owner reported on the Western Digital Community Forums that he has a WD My Book Live connected to his home LAN and that it had worked fine for years. Yesterday, however, he found that all of his data had been deleted and his directories appeared to be empty. He added that his 2T volume had previously been almost full, but now shows that it holds no data and is at full capacity.
The owner ran into another problem when he tried to log in to the control UI to diagnose the issue: he could only reach a landing page with an input box for the owner password. He said he tried the default password, admin, and it failed.
My Book devices issued a factory reset command
After the WD My Book owners confirmed that their devices were affected by the same vulnerability, they reported that their My Book logs showed the devices had received a remote command to execute a factory reset, starting at around 3 PM yesterday and continuing throughout the night.
“I have found this in user.log of this drive today:
Jun 23 15:14:05 My BookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 My BookLive shutdown: shutting down for system reboot
Jun 23 16:02:26 My BookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 My BookLive _: pkg: wd-nas
Jun 23 16:02:30 My BookLive _: pkg: networking-general
Jun 23 16:02:30 My BookLive _: pkg: apache-php-webdav
Jun 23 16:02:31 My BookLive _: pkg: date-time
Jun 23 16:02:31 My BookLive _: pkg: alerts
Jun 23 16:02:31 My BookLive logger: hostname=My BookLive
Jun 23 16:02:32 My BookLive _: pkg: admin-rest-api
I believe this is the culprit of why this happens…No one was even home to use this drive at this time…”
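The pattern in the quoted log, a factoryRestore.sh start followed by a reboot, can be searched for in a saved copy of user.log. The following is an added example, not code from the forum post or from Western Digital; the two-minute reboot window, the assumed year, and the use of S15mountDataVolume.sh as a "device is back up" marker are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Log lines quoted in the forum post above (hostname kept exactly as printed).
SAMPLE_LOG = """\
Jun 23 15:14:05 My BookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 My BookLive shutdown: shutting down for system reboot
Jun 23 16:02:26 My BookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:32 My BookLive _: pkg: admin-rest-api
"""

# timestamp, hostname (may contain a space), tag before the first colon, message
LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(.*?)\s+(\S+?):\s*(.*)$")

def parse(text, assumed_year=2000):
    """Yield (datetime, tag, message); syslog omits the year, so one is assumed."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected format
        ts = datetime.strptime(f"{assumed_year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        yield ts, m.group(3), m.group(4)

def find_factory_resets(text, reboot_window=timedelta(minutes=2)):
    """Report each factoryRestore.sh start and whether a reboot followed."""
    events = list(parse(text))
    findings = []
    for i, (ts, tag, msg) in enumerate(events):
        if tag != "factoryRestore.sh" or not msg.startswith("begin script"):
            continue
        later = events[i + 1:]
        # Assumption: a shutdown logged within reboot_window belongs to the reset.
        rebooted = any(t == "shutdown" and when - ts <= reboot_window
                       for when, t, _ in later)
        # Assumption: the first boot-time script afterwards marks the device coming back.
        back_up = next((when for when, t, _ in later
                        if t == "S15mountDataVolume.sh"), None)
        findings.append({"reset_at": ts.strftime("%b %d %H:%M:%S"),
                         "reboot_followed": rebooted,
                         "downtime": back_up - ts if back_up else None})
    return findings

if __name__ == "__main__":
    for finding in find_factory_resets(SAMPLE_LOG):
        print(finding)
```

A reset logged at a time when nobody was using the device, as the poster describes, is the finding worth escalating.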
Generally, QNAP devices that are connected to the web are easily exposed to attacks such as the QLocker ransomware. Western Digital My Book devices, however, sit behind a firewall and communicate through the My Book Live cloud servers to offer remote access.
A few users have raised concerns that Western Digital's servers were compromised, allowing a threat actor to push out a remote factory reset command to all the systems connected to the service.
It is quite unusual that no ransom notes or other threats were reported, which further suggests that the attack was intended to be purely destructive.
The data storage manufacturer additionally recommends that anyone who owns a Western Digital My Book NAS device disconnect it from the network while the company investigates the matter further.
Western Digital said it believes the attacks were carried out after a few WD My Book owners had their accounts compromised.