Wd My Book Live Nas System

IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more than

Western Digital NAS bulldoze owners told to unplug their devices subsequently malware attacks

Company confirms spate of factory resets were triggered remotely

Western Digital has confirmed that its My Volume Alive network-fastened storage devices are being targeted with malicious software capable of wiping terabytes of data.

The statement follows complaints from multiple users who said their NAS drives had been mysteriously wiped overnight.

Upon further investigation, users revealed their My Book Alive NAS drives had received a remote control to initiate a factory reset. It's believed commands started going out at around iii pm PDT (11 pm BST) on Midweek, with one user detailing how they "tried to access some files via the iPhone app but got an error message saying 'unable to connect'".

At first, the user "assumed it was just a Wi-Fi/network upshot".

"Simply when I tried to access the bulldoze from my PC using a shortcut everything was gone except for (empty) default Public folders: Shared Music, Shared Pictures, Shared Videos and Software. The fourth dimension stamps on those folders say they were created at 00:16 (United kingdom of great britain and northern ireland time) this morning. There is also a .tickle file created at 00:17. I can't log into the UI on the device as it says my password is invalid," they added.

Another My Book Live user said that they found the following script in the user.log of their bulldoze:

"Jun 23 xv:14:05 MyBookLive factoryRestore.sh: begin script:

Jun 23 xv:xiv:05 MyBookLive shutdown[24582]: shutting downwards for organisation reboot

Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: start

Jun 23 xvi:02:29 MyBookLive _: pkg: wd-nas

Jun 23 16:02:thirty MyBookLive _: pkg: networking-full general

Jun 23 sixteen:02:30 MyBookLive _: pkg: apache-php-webdav

Jun 23 sixteen:02:31 MyBookLive _: pkg: engagement-time

Jun 23 16:02:31 MyBookLive _: pkg: alerts

Jun 23 16:02:31 MyBookLive logger: hostname=MyBookLive

Jun 23 16:02:32 MyBookLive _: pkg: admin-rest-api"

Following the complaints, Western Digital published a post on the WD Community forum confirming that "some My Book Live devices are being compromised by malicious software" and recommended that users disconnect their devices as shortly as possible.

Related Resource

The secure deject configuration imperative

The cardinal role of cloud security posture management

Gratuitous download

"In some cases, this compromise has led to a mill reset that appears to erase all data on the device," the visitor stated. "The My Volume Live device received its last firmware update in 2015. Nosotros understand that our customers' data is very important. At this time, nosotros recommend y'all disconnect your My Volume Alive from the Net to protect your information on the device. We are actively investigating and we will provide updates to this thread when they are available."

All the same, Western Digital didn't elaborate on who might be responsible for distributing the software, or whether the company itself has been compromised by a cyber attack.

IT Pro has contacted the visitor and will update this story when more data becomes available.

Featured Resource

Big data for finance

How to leverage large information analytics and AI in the finance sector

Gratuitous Download