How to Recover Data From Remotely Wiped WD NAS My Book Devices?

Western Digital Confirmed Some My Book Live and My Book Live Duo Drives Were Attacked by System Exploit

Last week, multiple users have reported that whilst trying to access their WD My Book NAS drive, they were barred entry with an ‘invalid password’ and mobile applications have ceased connectivity. Upon further investigation, they then find that their system has been completely formatted.

Western Digital (WD) confirmed that some My Book Live and My Book Live Duo devices were compromised through the exploitation of a remote command execution vulnerability. A review of log files showed that the attackers directly connected to the affected devices from various IP addresses in different countries, which means that the devices are directly accessed or port forwarded from the Internet.

It is currently known that an attacker installed a Trojan in some devices, but WD has not yet figured out why the attacker had triggered to factory reset the drives, so further investigation is also needed.

Users are suggested to disconnect their WD My Book devices from the Internet immediately

WD suggests in its security advisory that unaffected My Book Live and My Book Live Duo users should disconnect and connect to the Internet to protect the data on the device.

The current generations of WD My Cloud, WD My Cloud Pro, WD My Cloud EX2, or WD My Cloud Sentinel Systems, which have far more recent firmware updates, are not affected. They also warned customers to "configure their firewall to prevent remote access to these devices, and to take measures to ensure that only trusted devices on the local network have access to the device."

Recovery is difficult but WD offers free data recovery service

The format was conducted on the system as a whole and all previous data was protected by password, which makes data recovery very difficult from a factory reset WD My Book Live. If data was lost because of a malware attack or accidental deletion on a WD device without password encryption, iBoysoft Data Recovery can recover lost files including videos, documents, photos, and others.

WD has promised affected users free data recovery services starting in early July. My Book Live customers will also be eligible for a trade-in program so they can upgrade to My Cloud devices.

People are saying that if WD didn't discontinue the WD Book Live Line, these flaws could have been solved and none of these would happen. For many hacked users, if their lost years' worth of data can not be recovered, the thought of buying another WD storage device is probably out of question. People also said My Cloud Live devices, the successor of My Book Live devices, have a different codebase that doesn't contain the two discussed flaws in the recent mass wiping.

Two vulnerabilities were exploited in the attack

Cases reported on a Western Digital support forum revealed this mass hack. Upon further investigation, two flaws have been found: CVE-2018-18472 and the newly discovered CVE-2021-35941(also called the zero-day).

The 2018 vulnerability was reported as a remote code execution flaw that "lets anyone run commands on the device as root." Although WD is aware of this security fault, it chose to do nothing because the devices were discontinued and "are no longer covered under their device software support lifecycle".

The zero-day is a flaw that is caused by a 2011 firmware update that commented out the code in a function to stop remote users from performing factory resets without authenticating their credentials first.

Theories were made that one hacker tried to exploit the 2018 vulnerability to create botnets and another cyber actor tried to kill the botnets.

Western Digital said there was no evidence that its cloud service, firmware update servers, or customer credentials were compromised.