Dan Goodwin on Twitter says: Western Digital is advising customers to disconnect their My Book storage devices while the company investigates the mass
[See the full post at: Got a Western Digital My book?]
Susan Bradley Patch Lady/Prudent patcher
Not the same. MyBook is a style of WD that allows remote access to the device itself through a web interface – do you remember Windows Home Server? It would allow you to view files remotely. Looks like this – like a book. My Passport is just an external hard drive.
Susan Bradley Patch Lady/Prudent patcher
I have an external, independently housed and powered, usb 3.0 connected My Book Studio 3 TB WD backup hard drive (no networking); and I also deleted all the partitions except the UEFI 100 MB partition when I set it up, creating and formatting a single additional partition to occupy the rest of the 3 TB. Windows 7 Home Premium x64 sp1 found and downloaded and installed whatever drivers it required when I started using it. When I first got it and removed it from the packaging and plugged it in and examined its contents, it appeared to be set up for Apple, which is why I re-partitioned it. It has worked just fine for years and years. My only complaint is that it “goes to sleep” when not accessed for some time; and you have to access it and “wake it up” before doing a normal Windows shut down or Windows will log off but not shut down, waiting for the My Book Studio to respond, which it apparently never does.
Also alerted by @cyberSAR here: WD My Book NAS Owners Heads Up!
And the BleepingComputer link there has now added:
Update 5:45 PM EST: Western Digital told BleepingComputer that they are actively investigating the attacks but do not believe it was a compromise of their servers.
They believe that attacks were conducted after some of the My Book owners had their accounts compromised.
“Western Digital has determined that some My Book Live devices are being compromised by malicious software. In some cases, this compromise has led to a factory reset that appears to erase all data on the device. The My Book Live device received its final firmware update in 2015. We understand that our customers’ data is very important. At this time, we recommend you disconnect your My Book Live from the Internet to protect your data on the device. We are actively investigating and we will provide updates to this thread when they are available.” – Western Digital
However, their statement doesn't explain how so many accounts were breached at approximately the same time.
BleepingComputer has sent further questions regarding the attacks to Western Digital.
WD My Book NAS devices are being remotely wiped clean worldwide
Not sure what’s going on just yet, but one of my clients has one and they use the My Cloud to access their drive remotely. When I called to tell them of the issue when I read of it, they were at their bank because they were having issues today accessing their account online. Not sure it’s related, but had them unplug the device from the network. At this time it appears they haven’t lost any data.
I told them 3 years ago this wasn't the best way to go with remote access but what do I know???
A script has been run remotely on the WD drives :
It is very scary that someone can do a factory restore of the drive without any permission granted from the end user…
I have found this in user.log of this drive today:
Jun 23 15:14:05 MyBookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 MyBookLive shutdown[24582]: shutting down for system reboot
Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 MyBookLive _: pkg: wd-nas
Jun 23 16:02:30 MyBookLive _: pkg: networking-general
Jun 23 16:02:30 MyBookLive _: pkg: apache-php-webdav
Jun 23 16:02:31 MyBookLive _: pkg: date-time
Jun 23 16:02:31 MyBookLive _: pkg: alerts
Jun 23 16:02:31 MyBookLive logger: hostname=MyBookLive
Jun 23 16:02:32 MyBookLive _: pkg: admin-rest-api
I believe this is the culprit of why this happens… No one was even home to use this drive at this time…
P.S. You can use support->create and save system report to get all the logs. Please check yours and see what happened.
https://community.wd.com/t/help-all-data-in-mybook-live-gone-and-owner-password-unknown/268111/12
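As an added example (not code from the post above, from the WD community thread, or from Western Digital), here is a small Python scanner for a user.log export of the kind the poster describes: it parses the device's syslog-style lines, flags the factoryRestore.sh marker quoted above and the trojan file name Western Digital names in its advisory further down this thread, and measures the gap between the reset starting and the data volume coming back. The sample log is constructed from the lines in the post, with one added context line.

```python
import re

# Indicators taken from this thread: the factoryRestore.sh marker quoted from a
# wiped device's user.log, and the trojan file name given in WD's advisory.
RESET_SCRIPT = "factoryRestore.sh"
MOUNT_SCRIPT = "S15mountDataVolume.sh"
TROJAN_NAME = ".nttpd,1-ppc-be-t1-z"

# Constructed sample modelled on the user.log excerpt quoted in the post above;
# the 15:10 "logger" line is invented context, the rest follows the post.
SAMPLE_USER_LOG = """\
Jun 23 15:10:02 MyBookLive logger: hostname=MyBookLive
Jun 23 15:14:05 MyBookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 MyBookLive shutdown[24582]: shutting down for system reboot
Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 MyBookLive _: pkg: wd-nas
Jun 23 16:02:32 MyBookLive _: pkg: admin-rest-api
"""

# BSD-syslog style line as the device writes it: "Mon DD HH:MM:SS host tag[pid]: msg"
SYSLOG_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\[]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)


def parse_line(line):
    """Split one user.log line into its fields, or return None if it does not parse."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def _seconds(rec):
    """Seconds into the month for a parsed record (the log carries no year)."""
    h, m, s = (int(x) for x in rec["time"].split(":"))
    return int(rec["day"]) * 86400 + h * 3600 + m * 60 + s


def scan_user_log(text):
    """Return (severity, timestamp, detail) findings for a user.log export."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        rec = parse_line(raw)
        if rec is None:
            continue  # not a syslog-style line; skip rather than guess
        when = f"{rec['month']} {rec['day']} {rec['time']}"
        if rec["tag"] == RESET_SCRIPT:
            findings.append(("high", when, f"line {n}: factory reset script started"))
        elif TROJAN_NAME in raw:
            findings.append(("high", when, f"line {n}: known trojan file name referenced"))
        elif rec["tag"] == "shutdown" and "reboot" in rec["msg"]:
            findings.append(("info", when, f"line {n}: reboot requested"))
        elif rec["tag"] == MOUNT_SCRIPT:
            findings.append(("info", when, f"line {n}: data volume mounted after boot"))
    return findings


def reset_to_remount_seconds(text):
    """Gap between the first reset script start and the next data-volume mount, or None."""
    recs = [r for r in map(parse_line, text.splitlines()) if r]
    starts = [_seconds(r) for r in recs if r["tag"] == RESET_SCRIPT]
    mounts = [_seconds(r) for r in recs
              if r["tag"] == MOUNT_SCRIPT and starts and _seconds(r) >= starts[0]]
    return mounts[0] - starts[0] if starts and mounts else None
```

Run it over the "create and save system report" export the poster mentions; any "high" finding on a device nobody was using at that time is the pattern described in this thread.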
There is an update to WD response :
Last Updated: June 25, 2021
Description
Western Digital has determined that some My Book Live and My Book Live Duo devices are being compromised through exploitation of a remote command execution vulnerability. In some cases, the attackers have triggered a factory reset that appears to erase all data on the device. We are reviewing log files which we have received from affected customers to further characterize the attack and the mechanism of access. The log files we have reviewed show that the attackers directly connected to the affected My Book Live devices from a variety of IP addresses in different countries. This indicates that the affected devices were directly accessible from the Internet, either through direct connection or through port forwarding that was enabled either manually or automatically via UPnP.
Additionally, the log files show that on some devices, the attackers installed a trojan with a file named “.nttpd,1-ppc-be-t1-z”, which is a Linux ELF binary compiled for the PowerPC architecture used by the My Book Live and Live Duo. A sample of this trojan has been captured for further analysis and it has been uploaded to VirusTotal.
Our investigation of this incident has not uncovered any evidence that Western Digital cloud services, firmware update servers, or customer credentials were compromised. As the My Book Live devices can be directly exposed to the internet through port forwarding, the attackers may be able to discover vulnerable devices through port scanning.
We understand that our customers’ data is very important. We do not yet understand why the attacker triggered the factory reset; however, we have obtained a sample of an affected device and are investigating further. Additionally, some customers have reported that data recovery tools may be able to recover data from affected devices, and we are currently investigating the effectiveness of these tools.
The My Book Live series was introduced to the market in 2010 and these devices received their final firmware update in 2015….
“Got a Western Digital My book?” -Susan Bradley
Yes or maybe yes, I have a stack of them with the covers removed and well over 5 years old. Low internet usage, I just get drivers for a number of boxes.
” Western Digital is advising customers to disconnect their My Book storage”
Alex5723 June 25, 2021 at 12:42 am
“A script has been run remotely on the WD drives”
I know that correlation doesn't equal causation. I had a junk Western Digital Black Caviar, 10 years old, under 500GB, a real dumpster special, but the free space suddenly went down from 50% to 11% while using it on the local LAN as a shared drive for test backups. The box is a no-name old Chinese-made rack-style unit which used to control a RAID 5 set with an Intel Core 2 board and Windows 7 Ultimate x64. The RAID HDDs are out and waiting for refurbishment or life extension with disk tools including low-level format tools.
The best guess is that the low space is a fluke, but who knows. My partner may have increased the page file, restore point amount and hibernation. I am running a full scan on it now. Done. Windows Defender does not show a virus. Will run other tools later.
I take these key lessons from this incident:
Re. WD MyBook Live apparent firmware hack:
https://community.wd.com/t/help-all-data-in-mybook-live-gone-and-owner-password-unknown/268111/192
TomTheOne (#191/200)
Learn:
A Disk RAID is not a backup
Do not trust any device if the firmware has never been updated or has not been updated for years.
Don't establish cloud links. Never.
Make sure you disable UPnP. Always.
Protect your network and devices adequately.
I would add:
Always make sure you have multiple backups, at least one of which is NOT connected to the device or the Internet at any given time.
Consider replacing the manufacturer’s firmware with something which you can update frequently, and is currently supported. This is usually some form of dd-wrt, as discussed and referenced in the WD Community Thread.
This whole episode should be a shot across the bow for anyone running any software, OS version or firmware in any device which is not currently supported, at least to the extent of getting security updates. I know a lot of folks who still run obsolete and out-of-support firmware, software and OSes, including Windows Home Server. (WHS does however have an active support community, which I suppose might diminish the potential impact of any new threats or vulnerabilities.)
Personally, I have NO cloud-connected storage devices except the company-issued Comcast DVR and my TiVo (Bolt OTA) DVR. And three of each for offline backup drives.
I hope maybe something in this post will help someone prevent such a catastrophe as has happened to so many unfortunate WD my Book Live owners. If I have made any errors or false assumptions here, I’m sure our AskWoody Community will be quick to correct me.
-- rc primak
Notes:
Don’t establish cloud links. Never.
I’m not so sure this is necessary to this extreme, as long as you have local backups which are fully protected from the Internet.
Protect your network and devices adequately.
Impossible with older firmware or many IoT devices.
-- rc primak
You simply cannot have 100% control once you have connected your devices to the world. Unless you have written ALL the software yourself.
You don’t really have ultimate control even if not connected. Imagine a time bomb – intentional or otherwise – or even just hardware failure (e.g. “I plugged it in but nothing happened” or “I plugged it in but can’t access any data”). It’s all a game of probabilities. You want to sway the odds in your favor.
Yes, multiple backups of different sorts are a good idea.
Remember when we could back critical data up to DVDs or BluRays? How did that fall by the wayside without an alternative? Heck, I don’t even have an optical drive in my latest system. They’ve simply fallen out of favor. Things that allow the end user to retain control have fallen out of favor.
-Noel
I have 3 Western Digital My Passport external hard drives. I'm not sure if they are the same as the WD My Book or My Book Live that seem to be having problems right now, or could have similar issues later. My WD My Passport external HDs are not having problems – probably because they aren't storing data on the Cloud (which I avoid like the plague).
Custom Build - Intel i5 9400 5 Core CPU & ASUS TUF Z390 Plus Motherboard
Edition Windows 10 Home
Version 22H2
Dell Laptop - Inspiron 15 11th Generation Intel(R) Core(TM) i5-1135G7 Processor
Edition Windows 11 Home
Version 23H2
I have one, but it’s “only” on my home network. My home network, though, is obviously connected to the web, so I pulled the plug on the WD just in case.
Before I did, I checked the WD. Everything was still there, but better safe than sorry.
I also have two Synology NAS drives, but like the WD, they’re not accessible from outside my router.
Synology seems much, much more serious about protecting their customers than WD. No update since 2015 is inexcusable.
Thanks to Susan for the heads up.
The WD My Book Live flaw exploited this week was at least three years old:
Examine the CVE attached to this flaw and you’ll notice it was issued in 2018. The NVD’s advisory credits VPN reviewer Wizcase.com with reporting the bug to Western Digital three years ago, back in June 2018.
In some ways, it’s remarkable that it took this long for vulnerable MyBook devices to be attacked: The 2018 Wizcase writeup on the flaw includes proof-of-concept code that lets anyone run commands on the devices as the all-powerful “root” user.
Western Digital’s response at the time was that the affected devices were no longer supported and that customers should avoid connecting them to the Internet. That response also suggested this bug has been present in its devices for at least a decade.
…
These products have been discontinued since 2014 …
…
If you’d still like to keep your MyBook connected to your local network (at least until you can find a suitable backup for your backups), please make double sure remote access is not enabled in your device settings (see screenshot above).
MyBook Users Urged to Unplug Devices from Internet [Krebs on Security]
In fact, I reformatted each of these drives when I first powered them up. Why wouldn’t I do so?
I did the same with my 3tb, 5tb, 8tb WD drives.
I always format new drives which usually come formatted with FAT32.
Not directly related to this subject, but applicable in the general realm of “protecting valuable data” and intended to get thoughts flowing…
How many have implemented backup schemes designed to protect against data loss from e.g., ransomware, malware, etc.?
Imagine, for example, having a system on the LAN that can reach out and connect to other systems via Windows Networking, but which does not itself share data. That system is not normally used for anything interactive but runs autonomous jobs to pull data from the other systems whenever it can and backs it up to big internal or even external USB MyBook (NOT Live) drives.
In my case I have accomplished this with a small, low power Win 7 system that is not used for interactive operations, only serves a few local purposes, and is armed to the teeth with uncommon security measures.
-Noel
You may be right there although it will take resources to implement such a strategy. I am not affected by the current WD issue but am well aware that “there, but for the grace of God, go I”.
You have to ask yourself about the failure modes of the options you have chosen. What will fail, how will it fail, when will it fail, and what can I do to recover the situation?
Will your average user be willing to spend the money upfront, and then provide the maintenance, that such resilience requires?
I’m always pleased to show my ignorance.
🙂
The WD statement quoted above says the following:
“The log files we have reviewed show that the attackers directly connected to the affected My Book Live devices from a variety of IP addresses in different countries. This indicates that the affected devices were directly accessible from the Internet, either through direct connection or through port forwarding that was enabled either manually or automatically via UPnP.”
As I mentioned in my posting above, my WD My Book Live (from which I’ve pulled the electricity plug) had no internet connection; it was behind my router/firewall.
What I don’t understand from the WD post is “…through port forwarding that was enabled either manually or automatically via UPnP.”
How, please, can I find out whether UPnP is active in my “system”, which includes a router, a non-managed switch, three computers, three printers, and two Synology NAS devices, as well several laptops, cell phones, and tablets connected to my router via WiFi?
Thank you.
How, please, can I find out whether UPnP is active in my “system”
It may be enabled by default on your router. This is the only place you really need to worry about it.
What is your router model?
cheers, Paul
had no internet connection;it was behind my router/firewall.
All hacked/wiped WD Live drives were behind a router/firewall.
It is enough that the router is connected to the Internet in order to access the drives.
Hackers exploited 0-day, not 2018 bug, to mass-wipe My Book Live devices
Western Digital removed code that would have prevented the wiping of petabytes of data
Last week’s mass-wiping of Western Digital My Book Live storage devices involved the exploitation of not just one vulnerability but also a second critical security bug that allowed hackers to remotely perform a factory reset without a password, an investigation shows.
The vulnerability is remarkable because it made it trivial to wipe what is likely petabytes of user data. More notable still was that, according to the vulnerable code itself, a Western Digital developer actively removed code that required a valid user password before allowing factory resets to proceed…
Just got an email on 6/29/2021 @ 10:32 pm CDT from WD telling me to disconnect my My Book Live Device. Seems to be a little late to be sending this to a customer, when this discussion was started on June 24, 2021. Mine is a non-functioning device that hasn’t been used in about 3-4 years.
How, please, can I find out whether UPnP is active in my “system”
It may be enabled by default on your router. This is the only place you really need to worry about it.
What is your router model?
cheers, Paul
Thank you for your reply.
I’m in Berlin and have a “Speedport Smart 3” router, which is a product of the “Deutsche Telekom”, the former government communications monopoly and still the country’s biggest provider – as far as I know.
Anyway, a bit of reading just now just revealed that my router – and all the routers in the “Speedport” series – don’t even have the UPnP function. It seems that in its “eternal maternal” role as Germany’s communications babysitter, the ex-monopolist decided to distribute only idiot-proof products.
Obviously lots of people don’t want to be “babysat”, so they opt for “Fritzboxes” from the German company AVM or go for Netgear or whatever.
People like me, though, who need all the protection we can get in the contemporary internet sharktank, are quite content that someone has closed at least one door whose potential for danger has, at least apparently in this case, been exposed for all to see – and (for the unfortunate) to feel.
Having written all this, my MyBook Live still has its plugs pulled and will remain de-electrified till the beanbrains at WD reveal their solution to the crisis.
I must admit that having found out about my router’s lack of UPnP makes me feel a bit better about leaving my two Synology drives working on my LAN.
Just for the record, none of my NAS devices was ever intentionally opened to the Internet. I only use them as a convenient backup solution on my little home LAN.
Apparently, though, similar scenarios were enough to cause lots of poor folks heartache due to WD’s lack of professionalism.
My Book Live WDBACG0030HCH
My Book Live WDBACG0020HCH
My Book Live WDBACG0010HCH
My Book Live Duo WDBVHT0080JCH
My Book Live Duo WDBVHT0060JCH
My Book Live Duo WDBVHT0040JCH
Advisory Summary
Immediately disconnect your My Book Live and My Book Live Duo from the Internet to protect your data from ongoing attacks.
For customers who have lost data as a result of these attacks, Western Digital will provide data recovery services. My Book Live users will also be offered a trade-in program to upgrade to a supported My Cloud device. Both programs will be available beginning in July, and details on how to take advantage of these programs will be made available in a separate announcement.
Immediately disconnect your My Book Live and My Book Live Duo from the Internet
Pity they don’t tell you how to do this!
cheers, Paul