
Western Digital NAS drive owners told to unplug their devices after malware attacks

Company confirms spate of factory resets were triggered remotely

Western Digital has confirmed that its My Book Live network-attached storage devices are being targeted with malicious software capable of wiping terabytes of data.

The statement follows complaints from multiple users who said their NAS drives had been mysteriously wiped overnight.

Upon further investigation, users revealed their My Book Live NAS drives had received a remote command to initiate a factory reset. It's believed commands started going out at around 3 pm PDT (11 pm BST) on Wednesday, with one user detailing how they “tried to access some files via the iPhone app but got an error message saying ‘unable to connect’”.

At first, the user “assumed it was just a Wi-Fi/network issue”.

“But when I tried to access the drive from my PC using a shortcut everything was gone except for (empty) default Public folders: Shared Music, Shared Pictures, Shared Videos and Software. The time stamps on those folders say they were created at 00:16 (UK time) this morning. There is also a .tickle file created at 00:17. I can’t log into the UI on the device as it says my password is invalid,” they added.

Another My Book Live user said that they found the following entries in the user.log of their drive:

“Jun 23 15:14:05 MyBookLive factoryRestore.sh: begin script:

Jun 23 15:14:05 MyBookLive shutdown[24582]: shutting down for system reboot

Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: start

Jun 23 16:02:29 MyBookLive _: pkg: wd-nas

Jun 23 16:02:30 MyBookLive _: pkg: networking-general

Jun 23 16:02:30 MyBookLive _: pkg: apache-php-webdav

Jun 23 16:02:31 MyBookLive _: pkg: date-time

Jun 23 16:02:31 MyBookLive _: pkg: alerts

Jun 23 16:02:31 MyBookLive logger: hostname=MyBookLive

Jun 23 16:02:32 MyBookLive _: pkg: admin-rest-api”
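For owners reviewing their own drive's user.log, the sequence in the excerpt above (a factoryRestore.sh entry, a reboot, then the data volume being mounted again) can be searched for automatically. The following Python sketch is an added example, not code from Western Digital or from the users quoted; the function names are hypothetical, the sample lines are copied from the excerpt, and the year is an assumption because syslog timestamps omit it.

```python
import re
from datetime import datetime

# Lines copied from the user.log excerpt quoted in the article.
SAMPLE_LOG = """\
Jun 23 15:14:05 MyBookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 MyBookLive shutdown[24582]: shutting down for system reboot
Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 MyBookLive _: pkg: wd-nas
Jun 23 16:02:32 MyBookLive _: pkg: admin-rest-api
"""

# Classic syslog shape: "Mon DD HH:MM:SS host tag[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s(?P<host>\S+)\s"
    r"(?P<tag>[^\s:\[]+)(?:\[\d+\])?:\s?(?P<msg>.*)$"
)

def parse(text, year=2021):
    """Yield (datetime, host, tag, msg). The year is assumed, not logged."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip().strip("“”"))  # tolerate pasted quote marks
        if not m:
            continue  # skip blank lines and anything not in syslog shape
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["host"], m["tag"], m["msg"]

def find_factory_resets(text, year=2021):
    """Report each factoryRestore.sh run and what followed it on the same host."""
    events = list(parse(text, year))
    findings = []
    for i, (ts, host, tag, _) in enumerate(events):
        if tag != "factoryRestore.sh":
            continue
        later = [e for e in events[i:] if e[1] == host]
        reboot = next((e for e in later
                       if e[2] == "shutdown" and "reboot" in e[3]), None)
        boot = next((e for e in later
                     if e[2] == "S15mountDataVolume.sh" and e[0] > ts), None)
        findings.append({
            "host": host,
            "reset_started": ts,
            "reboot_logged": reboot is not None,
            # Seconds between the reset starting and the volume mounting again
            "offline_seconds": int((boot[0] - ts).total_seconds()) if boot else None,
        })
    return findings

if __name__ == "__main__":
    for finding in find_factory_resets(SAMPLE_LOG):
        print(finding)
```

A finding whose start time does not match a reset the owner initiated is the signal to keep the drive disconnected and preserve the log.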

Following the complaints, Western Digital published a post on the WD Community forum confirming that “some My Book Live devices are being compromised by malicious software” and recommended that users disconnect their devices as soon as possible.


“In some cases, this compromise has led to a factory reset that appears to erase all data on the device,” the company stated. “The My Book Live device received its final firmware update in 2015. We understand that our customers’ data is very important. At this time, we recommend you disconnect your My Book Live from the Internet to protect your data on the device. We are actively investigating and we will provide updates to this thread when they are available.”

However, Western Digital didn’t elaborate on who might be responsible for distributing the software, or whether the company itself has been compromised by a cyber attack.

IT Pro has contacted the company and will update this story when more information becomes available.
