Western Digital My Book Live NAS owners worldwide found that their devices have been mysteriously factory reset and all of their files deleted, Bleeping Computer reports.
WD My Book is a network-attached storage device that looks like a small vertical book that you can stand on your desk, and the app allows owners to access files and manage their devices remotely, even if the NAS is behind a firewall or router.
WD My Book Live and WD My Book Live DUO owners worldwide suddenly found that all of their files were mysteriously deleted, and they could no longer log into the device via a browser or an app. When they attempted to log in via the Web dashboard, the device said they had an "Invalid password," according to Bleeping Computer. Owners reported that the MyBook logs showed that the devices received a remote command to perform a factory reset.
Western Digital has determined that some My Book Live and My Book Live Duo devices are being compromised through exploitation of a remote command execution vulnerability. It is believed that a threat actor performed a mass scan of the Internet for vulnerable devices and used this vulnerability to issue the factory-reset command.
Western Digital is reviewing log files they have received from affected customers to further characterize the attack and the access mechanism. Western Digital reports that the log files they reviewed show the attackers connecting directly to the affected My Book Live devices from a variety of IP addresses in different countries, which indicates that the affected devices were directly accessible from the Internet, either through a direct connection or through port forwarding that was enabled either manually or automatically via UPnP.
Additionally, the log files show that on some devices, the attackers installed a trojan with a file named “.nttpd,1-ppc-be-t1-z”, which is a Linux ELF binary compiled for the PowerPC architecture used by the My Book Live and Live Duo. A sample of this trojan has been captured for further analysis and it has been uploaded to VirusTotal.
Western Digital's investigation of this incident has not uncovered any evidence that Western Digital cloud services, firmware update servers, or customer credentials were compromised, the company says. As the My Book Live devices can be directly exposed to the internet through port forwarding, the attackers may be able to discover vulnerable devices through port scanning.
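The exposure pattern Western Digital describes above (admin-interface connections arriving from public addresses, followed by a factory-reset request) is something an owner can check for in their own device logs. The following is an added example, not code from Western Digital or from the article's sources: it parses a constructed, hypothetical log format, classifies each source address as inside or outside the LAN, and reports any reset request together with where it came from. The line layout, the `/admin/factory_reset` path and the sample lines are all assumptions made for illustration.

```python
"""Offline audit of constructed NAS web-access log lines.

Flags (1) requests that reached the admin interface from non-LAN addresses,
which is the exposure pattern described in the article, and (2) factory-reset
requests, recording whether each came from outside the LAN.

Added example: the line format and the /admin/factory_reset path are
hypothetical placeholders, not the real My Book Live log format or API.
"""
import ipaddress
import re
from collections import Counter

# Hypothetical line format: "<date> <time> web src=<ip> path=<path> status=<code>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) web src=(?P<src>\S+) path=(?P<path>\S+) status=(?P<status>\d+)$"
)

# Placeholder path for a factory-reset request (hypothetical, not the device's real endpoint)
RESET_PATHS = {"/admin/factory_reset"}

# Address ranges that count as "inside the LAN": RFC 1918, loopback, link-local, IPv6 ULA
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed sample log. The documentation ranges 203.0.113.0/24 and
# 198.51.100.0/24 stand in for Internet sources; the last line is a
# non-matching line to show that unrelated entries are skipped.
SAMPLE_LOG = """\
2021-06-23 15:14:05 web src=192.168.1.23 path=/UI/login status=200
2021-06-23 15:16:41 web src=203.0.113.17 path=/UI/login status=401
2021-06-23 15:16:48 web src=203.0.113.17 path=/admin/factory_reset status=200
2021-06-23 15:20:10 web src=198.51.100.9 path=/UI/login status=401
2021-06-23 15:21:00 web src=10.0.0.5 path=/UI/status status=200
2021-06-23 15:22:13 web src=fe80::1 path=/UI/status status=200
2021-06-23 15:23:00 system reboot
"""


def parse_line(line):
    """Return a dict for a web-access line, or None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_lan_address(ip_text):
    """True if the address falls in one of the LAN ranges above (v4 or v6).

    Unparsable text is treated as LAN so that a corrupt field never
    produces a false "exposed" verdict on its own.
    """
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return True
    # IPv4 addresses are never "in" an IPv6 network and vice versa.
    return any(addr in net for net in LAN_NETS)


def audit_log(text):
    """Summarize non-LAN sources and factory-reset requests in the log text."""
    findings = {"public_sources": Counter(), "reset_requests": [], "exposed": False}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        from_outside = not is_lan_address(rec["src"])
        if from_outside:
            findings["public_sources"][rec["src"]] += 1
        if rec["path"] in RESET_PATHS:
            findings["reset_requests"].append({
                "ts": rec["ts"], "src": rec["src"],
                "public": from_outside, "status": rec["status"],
            })
    # Any request from a non-LAN address means the interface was reachable from outside.
    findings["exposed"] = bool(findings["public_sources"])
    return findings


if __name__ == "__main__":
    result = audit_log(SAMPLE_LOG)
    print("admin interface reachable from outside LAN:", result["exposed"])
    for src, n in result["public_sources"].most_common():
        print(f"  non-LAN source {src}: {n} request(s)")
    for r in result["reset_requests"]:
        origin = "OUTSIDE LAN" if r["public"] else "inside LAN"
        print(f"  factory reset at {r['ts']} from {r['src']} ({origin}, HTTP {r['status']})")
```

Run against a real export, the interesting outcome is not the reset line by itself but a non-empty `public_sources` set: that is the evidence that port forwarding or UPnP had put the management interface on the Internet, which is the condition Western Digital's advice to disconnect the device is meant to remove.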
Alec Alvarado, Threat Intelligence Team Lead at Digital Shadows, a San Francisco-based provider of digital risk protection solutions, says, "From an organizational perspective, issuing patches for publicly disclosed vulnerabilities and ensuring user awareness that a vulnerability exists are all steps in the right direction. From a user's perspective, having backups of critical data in more than one secured place can be a fail-safe for similar situations."
"For the most part, we see misconfigured NAS drives being the culprit for data exposed inadvertently to the internet. However, exploitation of vulnerabilities in NAS drives is still relatively common and appears to be actively targeted by various threat actors," Alvarado explains. "For example, the thought that ransomware actors are focused only on 'big game' seems to be wishful thinking as RCE vulnerabilities in QNAP NAS devices have been a recent target of ransomware. The Qlocker ransomware group reportedly made 350,000 USD in a month's worth of extortion in May by exploiting RCE vulnerabilities in QNAP devices. If threat actors can find a use for a vulnerability, especially one with an existing publicly available POC, it is safe to assume they will exploit it.
"So, what would threat actors hope to get out of this? The information regarding the incident gives little to indicate the intent of the threat actors. There have been no ransom notes, from what has been reported, so extortion doesn't appear to currently be a motive. Perhaps a threat actor just wanted to see if the destructive act would work, almost in a 'some just want to see the world burn' fashion. As more information regarding the attack is revealed, the intent of the actor should become more apparent."
The company is recommending users disconnect their My Book Live and My Book Live Duo from the Internet to protect their data on the device. Since then, a remote code execution vulnerability tracked as CVE-2018-18472 was disclosed along with a public proof-of-concept exploit.
Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation, says, "In this day and age, consumers have to be just as diligent as enterprise businesses when it comes to cyber security. Enterprise security teams understand that vulnerabilities come in all shapes and sizes. In the case of the Western Digital My Book Live devices, threat actors took advantage of a daisy-chained set of circumstances to wipe the data from exposed hard drives. Consumers should have known to keep the drive firmware patched, and to only connect the drives to the internet when necessary. But, where does the responsibility fall? On the consumer or on Western Digital? There isn't a clear-cut answer in this case."