Help! All data in mybook live gone and owner password unknown

I would recommend OpenWrt. I’ve used it a bunch. You could get in via SSH and delete or otherwise disable the wipe code, but we don’t know the extent of the control the bad guys have. It’s possible they could just turn it back on. It’s an outbound request, so it’s not reliable to block a specific port. You can block it from everything in and out, but I still wouldn’t trust it.

OpenWrt is a little harder to mess with, as it’s not really for NAS devices. My current NAS is just Debian 10 on a regular PC, and it’s been working great for years and is fully patched.

There are tools to do data recovery on your own, but I cannot recommend that you do it yourself. Power off the device and do not write anything to the disks, do not re-index them, etc.
Bring your device to a trustworthy data rescue service. They might be able to recover the data.

Yeah, I’m not sure it wasn’t used on this attack partially, but this one almost certainly came from the wd servers and there was not a whole lot you could do to stop it other than replace the device last year.

1 Like

Help. Oh my gosh my MBL is wiped clean. This is very, very bad. It’s hard to even try and think of all the data that was there.
WD!!! How did this happen?? This needs to be fixed. I will have to spend hours backing up and searching for whatever I still have. So much data will never be found.

Thank you so very much for your input. I got a quote for data recovery and it was $2,000 to $5,000. Unbelievable.

Why do you think the attack came from the WD CNC servers? The theory that UPnP or PortForwarding was used to access the vulnerable REST API sounds very reasonable

I feel really sorry for those who lost their data, especially those who lost family pictures, but many in this forum saw that coming.
The day when Western Digital pays the price for forcing their users to enable remote access to their devices has come. I know, they won’t learn the lesson.

2 Likes

This information would have been very helpful if you had emailed all your WD My Book Live owners. I just found out through a Reddit post and went to check on my network hard drive, just to see it had been factory restored 2 days ago! So advising to disconnect is advising people who are looking for answers about a hack that has already happened! No one is searching for answers to a problem that hasn’t occurred yet!

1 Like

I think one argument is the timing. It seems like all of the affected users were hit within a very short time frame, like within hours of one another. That doesn’t sound like a threat actor doing a worldwide port scan but someone that had access to WD user IP addresses.

4 Likes

It did use the REST API, but it came to way too many people all at the same time. It is also telling that several people in this thread had never used the cloud features, never enabled them, and never had opened any ports (the WD support people checked ports on several people too).

I’m not saying it wasn’t possible but it seems to correspond with an update check performed by the devices daily.

Although, I guess it’s possible the malware payload could have been delivered anytime, even months ago, and it was set to activate at a specific time. That would also explain the timing and not having to come from WD servers.

2 Likes

Another victim here too - all gone and a reset login screen. Fingers crossed WD release some kind of recovery fix.

I am somewhat lucky in that I am slightly paranoid and invested in an EX2 Ultra recently, and was in the process of copying over photos and video from up to 15 years’ worth in chunks. But I had loads I hadn’t gotten to, including my Gran who recently passed away. There was loads of old project work too and collected image sets. Absolutely gutted as it’s irreplaceable.

Hi Andy, did you get an owner’s password screen when you first tried to log in after the disc was wiped out? If you did, how did you bypass that screen? It seems like some people got that screen, including me, and some didn’t. Thanks.

WE NEED A FIX! WHERE ARE MY FILES :sob: :sob:

So far @Jomusichn is the only person who claims he did NOT have UPnP enabled. Seven other reports from affected users who did have it enabled.

Even if it is not causing this problem, it is always good to disable UPnP. It’s horrifyingly insecure.

@GeoffB please check your router to see if UPnP is enabled and report back.

2 Likes

I run a Pi-hole on my network and the stats from my now unplugged drive were through the roof, thousands of connections to all sorts of random-looking domain names in the last 24 hours:

Please see the latest PRODUCT SECURITY BULLETIN UPDATE for My Book Live at the following link:

1 Like

That linked article says that the attack vector could be executed by the attackers being:

“directly connected to the affected My Book Live devices from a variety of IP addresses in different countries. This indicates that the affected devices were directly accessible from the Internet, either through direct connection or through port forwarding that was enabled either manually or automatically via UPnP. Additionally, the log files show that on some devices, the attackers installed a trojan with a file named “.nttpd,1-ppc-be-t1-z”, which is a Linux ELF binary compiled for the PowerPC architecture used by the My Book Live and Live Duo.”

What this doesn’t explain is how the threat actors were able to gain privileges on your WD devices to be able to execute that trojan. Can you confirm that there is an existing security vulnerability in the MyBook Live (and apparently now the Live Duo) which allowed these threat actors to exploit that vulnerability allowing them to execute the trojan?

2 Likes

Yes. From the linked article: NVD - CVE-2018-18472

1 Like

Anyone running a Pi-hole or otherwise logging DNS should check the logs for how far back they go. It’s possible these were owned for years and have been stealing data and doing bad stuff since 2015 or so.

3 Likes
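The two Pi-hole observations in this thread (a drive generating thousands of lookups for random-looking domain names, and the advice to check how far back the DNS logs go) can be checked mechanically. The script below is an added example and not part of the thread or of any WD or Pi-hole tooling. It assumes Pi-hole's dnsmasq-style query lines (`Jun 25 02:13:07 dnsmasq[1234]: query[A] host.example from 192.168.1.50`), that the suspect NAS has a fixed LAN IP, and that the log is available as text; the log lines embedded in it are constructed sample data, and the entropy threshold and flagging ratios are assumptions chosen for illustration, not published values.

```python
"""Triage a Pi-hole (dnsmasq) query log for a device beaconing to random-looking names.

Added example; assumptions: dnsmasq-style 'query[...]' log lines, a known LAN
IP per client, and a chronological log. SAMPLE_LOG below is constructed data.
"""
import math
import re
from collections import Counter

# dnsmasq query line: <Mon> <day> <HH:MM:SS> dnsmasq[pid]: query[TYPE] <name> from <client>
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[^\]]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)

# Assumed threshold (bits of Shannon entropy over the leftmost label) above which
# a hostname is treated as "random-looking". Ordinary labels (www, cdn, mail)
# score well below it; 8+ distinct characters in one label score 3.0 or more.
SUSPICIOUS_ENTROPY = 2.8

# Constructed sample: 192.168.1.20 is a laptop doing ordinary lookups,
# 192.168.1.50 is the suspect NAS. Non-query lines are present to show they are skipped.
SAMPLE_LOG = """\
Jun 24 08:01:11 dnsmasq[512]: query[A] www.example.com from 192.168.1.20
Jun 24 08:01:11 dnsmasq[512]: forwarded www.example.com to 9.9.9.9
Jun 24 08:01:12 dnsmasq[512]: query[A] cdn.example.net from 192.168.1.20
Jun 24 08:01:30 dnsmasq[512]: query[AAAA] mail.example.com from 192.168.1.20
Jun 24 08:02:03 dnsmasq[512]: query[A] k3j9x2q7.example.org from 192.168.1.50
Jun 24 08:02:04 dnsmasq[512]: query[A] zq81mfn0v.example.org from 192.168.1.50
Jun 24 08:02:04 dnsmasq[512]: reply zq81mfn0v.example.org is 192.0.2.10
Jun 24 08:02:05 dnsmasq[512]: query[A] a7p0wd3y.example.org from 192.168.1.50
Jun 24 08:02:06 dnsmasq[512]: query[A] xm29tq4k1.example.org from 192.168.1.50
Jun 24 08:02:07 dnsmasq[512]: query[A] c5r8n1vz.example.org from 192.168.1.50
Jun 24 09:15:40 dnsmasq[512]: query[A] ntp.example.net from 192.168.1.50
"""


def parse_log(text: str) -> list[dict]:
    """Return one record per query line; other dnsmasq lines are ignored."""
    records = []
    for line in text.splitlines():
        m = QUERY_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def label_entropy(name: str) -> float:
    """Shannon entropy (bits) of the leftmost DNS label, e.g. 'k3j9x2q7' of k3j9x2q7.example.org."""
    label = name.split(".")[0].lower()
    if not label:
        return 0.0
    n = len(label)
    return -sum((c / n) * math.log2(c / n) for c in Counter(label).values())


def summarize(records: list[dict], threshold: float = SUSPICIOUS_ENTROPY) -> dict:
    """Per-client counts plus first/last timestamps (dnsmasq lines carry no year,
    so 'first_seen' only tells you how far back the log you fed in reaches)."""
    summary: dict = {}
    for rec in records:
        entry = summary.setdefault(rec["client"], {
            "queries": 0, "suspicious": 0, "names": set(),
            "first_seen": rec["ts"], "last_seen": rec["ts"],
        })
        entry["queries"] += 1
        entry["names"].add(rec["name"])
        if label_entropy(rec["name"]) >= threshold:
            entry["suspicious"] += 1
        entry["last_seen"] = rec["ts"]  # log is assumed chronological
    for entry in summary.values():
        entry["distinct_names"] = len(entry.pop("names"))
    return summary


def flag_clients(summary: dict, min_suspicious: int = 3, min_ratio: float = 0.5) -> list[str]:
    """Clients with at least min_suspicious random-looking lookups making up
    at least min_ratio of their queries (assumed thresholds, tune per network)."""
    return sorted(
        client for client, e in summary.items()
        if e["suspicious"] >= min_suspicious and e["suspicious"] / e["queries"] >= min_ratio
    )


if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LOG))
    for client, e in sorted(report.items()):
        print(f"{client}: {e['queries']} queries, {e['suspicious']} random-looking, "
              f"{e['distinct_names']} distinct names, {e['first_seen']} .. {e['last_seen']}")
    print("flagged:", flag_clients(report))
```

To use it on a real Pi-hole, replace `SAMPLE_LOG` with the contents of the current query log and its rotated copies concatenated in order; the earliest `first_seen` for the NAS then answers the "how far back" question for that log retention, which is the only period the logs can speak to.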