Help! All data in mybook live gone and owner password unknown

Same problem in Denmark! Just opened a ticket at WD. I had a complete backup :sweat: - but unplugged the device now. Waiting for WD resonse.

At this stage, are we sure that UPnP has been used by the hackers ?

Disabling it will prevent from another attack after recovering the data, if any ?

My 3TB MBL was also wiped it seems. Just the default empty folders visible until I disconnected it this evening. Over 800 movie files, 1000’s of audio tracks and photos. I bought a MyCloud last year to backup the photos thank goodness but everything else is gone. 3TB was 89% full at the last check. :frowning:

i only found out about the malware this afternoon and came straight home to check my device as i was unable to connect via the app. Sure enough it’s all gone. my wedding and honeymoon photos and videos, all of my business files and more - most of which wasn’t backed up anywhere else as it was backed up here.

UPnP could be an attack vector, especially if the WD network storage device was responding to external probes. You essentially need all devices inside your network to ignore everything that you didn’t explicitly request.

You can verify the strength and robustness of your firewall security. One classic set of tests can be found at https://www.grc.com/default.htm. Navigate to ShieldsUp and press the proceed button. Then run the UPnP exposure test and the all service ports test to verify that your modem/router/firewall set are keeping you safe.

I had UPnP off on both my WD device and my router. I also had remote off because I was concerned about security issues with this device a long time ago. I also have the NAT firewall on my ISP router/modem turned on along with the built-in firewall set to ‘medium’ for whatever that was worth. I was not hacked, but I can’t say for sure it was because of these settings or not.

I’ve seen some claim that UPnP was off and they still got hacked and lost data. Then again, perhaps they had UPnP on at some point and it opened up the ports on their router and after they turned off UPnP on the WD device they didn’t also turn off UPnP on their router and those ports may have remained open unbeknownst to them.

At this point, I think the prudent thing to do is leave your WD device off and await official word on how we can safely plug it back into our local networks without being exposed. According to the threat data they’ve released so far, all anyone needs is an IP address and they can get into the WD device.

Until WD offers official advice that’s also backed up by some major security experts, I would definitely just keep the device OFF unless it’s completely unhooked from the Internet and your local network is secure.

After reading the Ars Technica article yesterday, I immediately unplugged the ethernet cable without checking my device to see if it was hacked. To check to see if it was compromised I later went into my router settings and disabled its internal IP from being able to connect to the Internet. Only then did I plug the ethernet cable back in and use my local network to check to make sure I could log in and found no data was lost. Then I shut it down from the utility panel and I’ve kept it turned off since. It’s not my only copy of backups, but it would be very time-consuming to get my backups back in order if it was lost so I’m not taking any chances.

Even though I was able to do that with my router, I’m still not running the WD device until more information is forthcoming since I was using the router that came with my ISP and I don’t trust it to keep it off the Internet because the settings weren’t very robust.

1 Like

My device got wiped. I had not done the GRC scans in a year or more, but the last time I did them everything came up clean. I did do a scan a few minutes ago and again everything was clean, but of course my My Book is now off so I don’t know if it would have shown up as a vulnerability or not.

Can be other models afected? I have another WD NAS an EX2 ultra

1 Like

The security vulnerability is known since 2018:

WD replied in 2018:
The vulnerability report CVE-2018-18472 affects My Book Live devices originally introduced to the market between 2010 and 2012. These products have been discontinued since 2014 and are no longer covered under our device software support lifecycle.

So, WD knew in 2018 that there is a very, very heavy security vulnerability which will destroy all your data, and they did nothing. And now as it is exploited, they act like they are surprised.
I will never buy a WD NAS again.
Although the product is End-Of-Life, such a extreme security vulnerability must be fixed. Even Microsoft fixed EOL Exchange versions and EOL Windows XP systems after there was an extreme vulnerability exploited.

EDIT: There was an exploit even in 2014 where MyBook Live was still “supported”!

2 Likes

I have a question to the affected users:
In your NAS behind a firewall (e.g. NAT router), so that the web-interface cannot be accessed from outside?

If the reason for the exploit is “CVE-2018-18472”, then somebody needs to access the NAS using a HTTP request. If you are behind a Firewall/NAT , then the attack must be INSIDE your network (computer virus accessing other devices)! Please share information about your network configuration, as it is very important to find the issue.

If you are behind a firewall and your systems are not compromised, then it is unlikely that “CVE-2018-18472” is the reason.

EDIT: Actually, I just learned that you can access HTTP even if you are behind a NAT firewall, if you have UPnP enabled.

So, please disable UPnP as soon as possible!

2 Likes

i have the same problem. Switzerland. All data gone form a MBLD 2x2TB.
How can i check the firmware if I cannot access the UI anymore due to changed PW? How can i access the logs?
I have windows firewall acitve. But I do not know how to access windows defender logs

Had some success finding files using Disk Drill, but wife vetoed purchasing the Pro version (which would actually allow me to recover them). Looking at the previews, the files do seem to be there, but with some corruption. I’d guess that maybe a quarter of the pictures had some level of corruption on them.

Now trying again with photorec, since I’m being told to try one of the free options. Already seeing several thousand files and I’m just a few minutes in. Looks like it’ll take around 15 hours to image the whole drive though.

Sorry, should’ve been more clear on that. You want the largest partition of the disk you inserted. The other partitions contain boot and OS files.

Sorry, should’ve been more specific. You want the largest Linux-type drive, so in this case /DataVolume. The disk contains some other smaller partitions for OS and boot stuff.

Did you scan the large partition? (called /DataVolume on someone else’s computer, I wasn’t clear in my instructions on that). Also if you just had 2 GB of data then I’d expect it would go fast. And I guess the software couldn’t rediscover the movie files, maybe because it was in a format it didn’t support or something.

I scanned that OFJU binary VirusTotal

It appears to be part of the Linux.Ngioweb botnet https://blog.netlab.360.com/linux-ngioweb-v2-going-after-iot-devices-en/

(apologies if posting twice – I’m getting spam filtered)

1 Like

I scanned the OFJU binary: VirusTotal

It appears to be part of the Linux.Ngioweb botnet https://blog.netlab.360.com/linux-ngioweb-v2-going-after-iot-devices-en/

2 Likes

What is OFJU ?

It’s the payload downloaded by the script caught here: Help! All data in mybook live gone and owner password unknown - #201 by goosman

1 Like

Gets reset to nothing…blank. Don’t enter a pw, just press enter.
It will log you in, then change pw to what you want.

1 Like