Own an old WD My Book Live? Disconnect it from the internet right now

Active attacks are indiscriminately wiping user devices.

Western Digital is urging legacy My Book owners to unplug their devices from the internet without delay following a series of remote attacks.

In an advisory published June 24, the hardware vendor said that My Book Live and My Book Live Duo network-attached storage (NAS) devices are being remotely wiped through factory resets, leaving users at risk of losing all of their stored data. 

"Western Digital has determined that some My Book Live and My Book Live Duo devices are being compromised through exploitation of a remote command execution vulnerability," the company said. "In some cases, the attackers have triggered a factory reset that appears to erase all data on the device."

It appears that the vulnerability being exploited is CVE-2018-18472, a root remote command execution (RCE) bug that has earned a CVSS severity rating of 9.8. 

With attackers able to remotely operate as root, they can trigger resets and wipe all of the content on these storage devices, which made their debut in 2010 and received their final firmware update in 2015. Products that have reached end-of-life generally no longer receive security updates.

As first reported by Bleeping Computer, forum users began querying the sudden loss of their data on June 24 via both the WD forum and Reddit. One forum user deemed themselves "totally screwed" due to the deletion of their information. 

"I am willing to part with my life savings to get my doctoral thesis data, newborn pictures of my children and dead relatives, travel blogs I wrote and never published and all my last 7 months of contract work," another user commented. "I am so scared to even think about what this is going to do for my career having lost all my project data and documentation."

At the time of writing, forum users are trading potential recovery methods and ideas with varying degrees of success. 

"We are reviewing log files which we have received from affected customers to further characterize the attack and the mechanism of access," Western Digital says. 

The log files, so far, show that My Book Live devices are being struck worldwide through direct online connections or port forwarding. WizCase has previously published proof-of-concept (PoC) code for the vulnerability. 

In some cases, the attackers are also installing a Trojan, of which a sample has been uploaded to VirusTotal.

My Book Live devices are thought to be the only products involved in this widespread attack. WD cloud services, firmware update systems, and customer information are not believed to have been compromised.

Western Digital is urging customers to pull their devices from the internet as quickly as possible. 

"We understand that our customers' data is very important," Western Digital says. "We do not yet understand why the attacker triggered the factory reset; however, we have obtained a sample of an affected device and are investigating further."

The company is also investigating potential recovery options for impacted customers. 

ZDNet has reached out to Western Digital with additional queries and will update this article when the company responds.
