I think one argument is the timing. It seems like all of the affected users were hit within a very short time frame, like within hours of one another. That doesn’t sound like a threat actor doing a worldwide port scan but someone that had access to WD user IP addresses.
It did use the REST API but it came to way too many people all at the same time. It also is telling that several people are in this thread that had never used the cloud features, never enabled them, and had never opened any ports (the WD support people checked ports on several people too).
I’m not saying it wasn’t possible but it seems to correspond with an update check performed by the devices daily.
Although, I guess it’s possible the malware payload could have been delivered anytime, even months ago, and it was set to activate at a specific time. That would also explain the timing and not having to come from WD servers.
Another victim here too - all gone and a reset login screen. Fingers crossed WD releases some kind of recovery fix.
I am somewhat lucky in that I am slightly paranoid and invested in an EX2 Ultra recently and was in the process of copying over photos and video from up to 15 years’ worth in chunks. But I had loads I haven’t gotten to, including my Gran who recently passed away. There was loads of old project work too and collected image sets. Absolutely gutted as it’s irreplaceable.
Hi Andy, did you get an owner’s password screen when you first tried to log in after the disc was wiped out? If you did, how did you bypass that screen? It seems like some people got that screen, including me, and some didn’t. Thx
WE NEED A FIX! WHERE ARE MY FILES
So far @Jomusichn is the only person who claims he did NOT have UPnP enabled. Seven other reports from affected users who did have it enabled.
Even if it is not causing this problem, it is always good to disable UPnP. It’s horrifyingly insecure.
@GeoffB please check your router to see if UPnP is enabled and report back.
I run a Pi-hole on my network and the stats from my now unplugged drive were through the roof, thousands of connections to all sorts of random-looking domain names in the last 24 hours:
Please see the latest PRODUCT SECURITY BULLETIN UPDATE for My Book Live at the following link:
That linked article says that the attack vector was able to be executed by being able to be:
“directly connected to the affected My Book Live devices from a variety of IP addresses in different countries. This indicates that the affected devices were directly accessible from the Internet, either through direct connection or through port forwarding that was enabled either manually or automatically via UPnP. Additionally, the log files show that on some devices, the attackers installed a trojan with a file named “.nttpd,1-ppc-be-t1-z”, which is a Linux ELF binary compiled for the PowerPC architecture used by the My Book Live and Live Duo.”
What this doesn’t explain is how the threat actors were able to gain privileges on your WD devices to be able to execute that trojan. Can you confirm that there is an existing security vulnerability in the MyBook Live (and apparently now the Live Duo) which allowed these threat actors to exploit that vulnerability allowing them to execute the trojan?
Yes. From the linked article: NVD - CVE-2018-18472
Anyone running a Pi-hole or otherwise logging DNS should check the logs for how far back they go. It’s possible these were owned for years and have been stealing data and doing bad stuff since 2015 or so.
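A defender-side check for the Pi-hole logs mentioned in the two posts above, as an added example that is not code from any poster. It assumes the dnsmasq-style line format Pi-hole writes to its query log and runs over a constructed sample; it reports, per client, how many queries and distinct names were seen, the first and last timestamp in the log, and any random-looking (high-entropy) hostnames of the kind described.

```python
import math
import re
from collections import defaultdict

# Assumed Pi-hole (dnsmasq) query-log line format, e.g. /var/log/pihole.log.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>\w+)\] (?P<domain>\S+) from (?P<client>\S+)$"
)

# Constructed sample log: one quiet client and one client bursting random-looking names.
SAMPLE_LOG = """\
Jun 23 22:01:05 dnsmasq[812]: query[A] time.windows.com from 192.168.1.20
Jun 23 22:01:09 dnsmasq[812]: query[A] support.wdc.com from 192.168.1.42
Jun 23 22:01:10 dnsmasq[812]: query[A] x7q2k9zl0v.example from 192.168.1.42
Jun 23 22:01:10 dnsmasq[812]: query[A] p0w3rpcb4ck.example from 192.168.1.42
Jun 23 22:01:11 dnsmasq[812]: query[AAAA] q9zx2v7mk1.example from 192.168.1.42
Jun 23 22:01:12 dnsmasq[812]: query[A] 3kq8zxv1pl.example from 192.168.1.42
Jun 23 22:01:40 dnsmasq[812]: query[A] www.wikipedia.org from 192.168.1.20
"""


def label_entropy(domain):
    """Shannon entropy in bits per character of the leftmost DNS label."""
    label = domain.split(".")[0]
    if not label:
        return 0.0
    probs = [label.count(c) / len(label) for c in set(label)]
    return -sum(p * math.log2(p) for p in probs)


def summarize_clients(log_text, entropy_threshold=3.0):
    """Per client IP: query count, distinct domains, first/last seen, high-entropy names."""
    stats = defaultdict(lambda: {"queries": 0, "domains": set(),
                                 "first": None, "last": None, "suspicious": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # dnsmasq also logs forwarded/reply/cached lines; only count queries
        s = stats[m["client"]]
        s["queries"] += 1
        s["domains"].add(m["domain"])
        s["first"] = s["first"] or m["ts"]  # log is chronological, so keep the first seen
        s["last"] = m["ts"]
        if label_entropy(m["domain"]) >= entropy_threshold:
            s["suspicious"].append(m["domain"])
    return dict(stats)


def flag_clients(log_text, min_suspicious=3):
    """Clients with at least min_suspicious random-looking lookups, busiest first."""
    summary = summarize_clients(log_text)
    hits = {ip: s for ip, s in summary.items() if len(s["suspicious"]) >= min_suspicious}
    return sorted(hits, key=lambda ip: len(hits[ip]["suspicious"]), reverse=True)
```

Run it on the real log (`summarize_clients(open("/var/log/pihole.log").read())`) and compare the NAS's IP against the rest of the network; the first/last timestamps tell you how far back the retained log reaches.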
Okay, my device never got hit by this but I shut it down. See my previous post on that here:
I got tired of waiting on WD to give out any detailed advice and blocked all WAN incoming ports to it on my ISP’s router/modem, or at least I hope I did. I’m, of course, going to leave the router’s NAT firewall engaged along with the router’s built-in firewall set to ‘medium’ as I had before.
UPnP was already previously off on both the WD MyBook Live and the router, also remote access was already previously off. Maybe that’s why I didn’t get hit. I’m going to resume backup on it tonight and just leave it on and see what happens. It’s not my only backup so if I get hosed it’s not the end of the world, but I won’t like it as it’ll be a big time-waster.
I’ll be a guinea pig and see if I get compromised and will report back if I do.
I’m very sorry to all those that lost their data and hope you can salvage what you can. I know how it feels because I’ve gone through it myself many, many years ago and even went through depression because of some of the assorted losses (some my fault, some not).
Please make it a learning experience but do not beat yourself up for it nor allow the online peanut gallery to make you feel worse. A lot of people that are trashing others online probably won’t admit that they’ve also lost at least some data in the past as well before they learned to keep duplicates of everything. To err is human.
As I was editing this, an automatic backup was in progress and seems to be working fine so far. Fingers crossed.
If you press the reset button while the MBL is active for 4 secs the password gets reset without clearing any data.
Awesome, thx, how is the data recovery going?
Like everybody else, I lost all of my 2 TB of data. Now my drive shows only 3 GB used. Hope WD finds a solution to recover the data. I have not tried, but was anyone successful in pulling the drive out of the casing and running disk recovery?
Blaming it on malware is an easy cop out when they knew the exploit existed for years.
You are really amusing guys at WD. First you leave all your users behind with crappy default settings and unpatched security issues, and now you talk about how ‘seriously you take the data of your customers’.
Being clear is the best you can do:
- WD obviously ignored all warnings from security engineers
- There will never be a fix
- Your data is gone; don’t touch your drive, send it to a recovery lab if important data was on it.
- Pay the price for not renewing unsupported hardware and not having backups
- Choose the device(s) for your data wisely next time
As another person said earlier: the problem has been well known and documented for years and WD plays surprised like a bad actor.
People here say how much important data they lost. I say, the data is as important to many as currency, so they should protect it equally. I’ve had countless friends lose data, not because of hacks, but because they did not keep backups, or thought that an external drive was “it”. I’ve seen tears over mechanical failures, and decades of memories lost, and I could do nothing, but shrug my shoulders. If information is important, take good care of it. Multiple backups. Offline cold storage. If something goes to the cloud, make sure every single bit is encrypted with best available methods. Do not rely on corporate reassurances. Their job is to sell you stuff, or to sell you out, when it fits the bottom line.
I hope this serves as a wakeup call for those putting too much trust into the Internet of Things. It was never safe and never will be. Assume that this can happen to anything. Today it’s an external HD, tomorrow it’ll be your own operating system. Hackers aren’t going away any time soon, and neither are incompetent firmware programmers.
I had exactly the same issue with my 2 TB My Book Live yesterday.
I am not able to log in, and years of data saved on this drive are completely gone.
Please help !!!
Just noticed this: unable to log in, it kept saying the password was wrong. I tried to reset the password but I don’t receive the reset email. I have disconnected the drive, just hoping nothing is lost and a fix will be found soon.