According to WD, malicious software is forcing the drives to perform a factory reset, and all data is lost.
Imagine waking up one day to find that your cloud-connected external backup drive has lost all its data and has been factory reset. Unfortunately, that is exactly what happened to an unknown number of WD My Book Live customers, whose drives were wiped clean after being infected with malicious software. Because the danger is still ongoing, WD advises owners to disconnect their drives from the internet while the company investigates the situation.
Following reports of widespread data wipes, WD My Book Live customers are being urged to unplug their drives from the internet. The affected devices appear to be the consumer-oriented NAS models, My Book Live and My Book Live Duo, which were reportedly compromised by malicious software and remotely triggered to perform a factory reset.
As Ars Technica notes, user complaints started pouring in on WD's support forum, where some customers report being unable to access their WD Live accounts once the drive had been wiped clean. So far, none have managed to recover their lost data. One user also posted a log showing that a remote factory reset had taken place without their permission:
Jun 23 15:14:05 MyBookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 MyBookLive shutdown: shutting down for system reboot
Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 MyBookLive _: pkg: wd-nas
Jun 23 16:02:30 MyBookLive _: pkg: networking-general
Jun 23 16:02:30 MyBookLive _: pkg: apache-php-webdav
Jun 23 16:02:31 MyBookLive _: pkg: date-time
Jun 23 16:02:31 MyBookLive _: pkg: alerts
Jun 23 16:02:31 MyBookLive logger: hostname=MyBookLive
Jun 23 16:02:32 MyBookLive _: pkg: admin-rest-api
Although offline backups are one of the recommended strategies for keeping data safe, most users buy these cloud-connected drives to store, back up and access their files across devices. Another user reported being unable to access their files via the iPhone app:
Tried to access some files via the iPhone app but got an error message saying “unable to connect”. Assumed it was just a Wi-Fi/network issue but when I tried to access the drive from my PC using a shortcut everything was gone except for (empty) default Public folders: Shared Music, Shared Pictures, Shared Videos and Software.
The time stamps on those folders say they were created at 00:16 (UK time) this morning.
There is also a .tickle file created at 00:17.
I can’t log into the UI on the device as it says my password is invalid.
The company says it is actively investigating the incident and has found no indications of a breach or compromise of its cloud services or systems. “We have determined that some My Book Live devices have been compromised by a threat actor. In some cases, this compromise has led to a factory reset that appears to erase all data on the device. The My Book Live device received its final firmware update in 2015.”
WD discontinued support for the My Book Live/Live Duo four years after it was released in 2011. It is conceivable that the ‘threat actor’ exploited a vulnerability that remains unpatched today. Although the drives were discontinued in 2015, they are still available for purchase online. Users looking for this sort of external storage generally expect the hardware to fail first, but with cloud-connected devices, compromised software can be just as harmful.