
 
Thread started 24 Jun 2021 (Thursday) 22:50

If you have a Western Digital MyBook Live external drive unplug it before you lose data

 
Bcaps
Jun 24, 2021 22:50 |  #1

WD MyBook Live owners around the world have had their entire drives wiped by a forced factory reset. Wow.

See this support thread (external link) on the WD forums.

Here is an article about the issue on Bleeping Computer (external link).


- Dave | flickr (external link)
Nikon D810
14-24mm f/2.8 | 16-35mm F/4 | 24-70mm f/2.8 | 70-200mm f/4 | Sigma 150-600mm

  
Wilt
Jun 24, 2021 23:22 |  #2

Someone in that thread posted this:
https://community.wd.com …d-my-book-live-duo/268147 (external link)

"Western Digital has determined that some My Book Live devices are being compromised by malicious software. In some cases, this compromise has led to a factory reset that appears to erase all data on the device. The My Book Live device received its final firmware update in 2015. We understand that our customers’ data is very important. At this time, we recommend you disconnect your My Book Live from the Internet to protect your data on the device. We are actively investigating and we will provide updates to this thread when they are available.

Product Security Bulletin: WDC-21008 Recommended Security Measures for WD My Book Live and WD My Book Live Duo | Western Digital"


You need to give me OK to edit your image and repost! Keep POTN alive and well with member support https://photography-on-the.net/forum/donate.php
Canon dSLR system, Olympus OM 35mm system, Bronica ETRSi 645 system, Horseman LS 4x5 system, Metz flashes, Dynalite studio lighting, and too many accessories to mention

  
Bcaps
Jun 25, 2021 09:44 |  #3

Wilt wrote in post #19251939 (external link)
Someone in that thread posted this:
https://community.wd.com …d-my-book-live-duo/268147 (external link)

"Western Digital has determined that some My Book Live devices are being compromised by malicious software. In some cases, this compromise has led to a factory reset that appears to erase all data on the device. The My Book Live device received its final firmware update in 2015. We understand that our customers’ data is very important. At this time, we recommend you disconnect your My Book Live from the Internet to protect your data on the device. We are actively investigating and we will provide updates to this thread when they are available.

Product Security Bulletin: WDC-21008 Recommended Security Measures for WD My Book Live and WD My Book Live Duo | Western Digital"


Yeah I read that and I don't believe them. Or rather, I don't believe the tone of that message, which is essentially that the exploit is the users' fault and not WD's. There are a number of users who have reported that their devices were wiped even though they have their router firewall up with no open ports. Users have confirmed there were no open ports by 1. They are technically savvy and know how to secure their network and 2. WD Tech Support had some affected users run port scans and they confirmed that there were no open ports. That then leaves a few possibilities of how the drives were wiped if the firewall didn't have any ports open. Also, there are users who said no one was at home and when they returned their devices were wiped.

One is that someone on the network introduced the malware by browsing a website that side-loaded the malware (the computer establishes a connection with the remote server which allows the remote server to traverse the firewall) which then spread laterally in their network looking specifically for WD devices it could compromise. This seems highly unlikely as if that were the case you wouldn't see all of these affected users across the world being compromised on the exact same day.

The second possibility is that WD servers were compromised. These WD MyBooks are designed to "phone home" to WD servers. The simplest explanation is then that the MyBooks asked WD's servers, "Hey, what's up. Any new goodies you have for me", and the WD servers said, "Yep, download this firmware which will go ahead and factory restore your drive and wipe it".

The third possibility I can think of is that the MyBooks' UPnP opened ports on users' firewalls, a threat actor was aware of this and which port(s) are opened by UPnP, and then exploited that, either by a vulnerability in the MyBooks' firmware or by compromised user passwords which they were reusing for their WD login credentials. This final scenario is the only explanation that I can think of that puts some of the onus on users. Even then though the exploit would not have worked without UPnP enabled, which is one of the biggest security risks out there and why no one and no company should even allow it on any network-facing device (in my opinion). I suppose another similar scenario that could also fit in with this is that the attack vector was a non-WD IoT device that was compromised and all of these users happened to have that same device, and the malware entered their networks that way and then exploited the MyBooks. Unlikely.

Any way you look at it, it is hard to imagine a scenario where WD isn't at least partially at fault for this.


Wilt
Jun 25, 2021 12:21 as a reply to  @ Bcaps's post |  #4

It must be all in the reading, as I detect no blame directed to the users.
"Malicious software...led to factory reset...erase all data...disconnect from internet to protect data...we are investigating...will provide updates"

From experience, hackers try to break into widely used brands/models of NAS all the time. I cannot leave my Synology NAS turned on constantly, because my ISP frequently detects and blocks attempted break-ins from all over the globe, which leaves my NAS offline. I have even changed the address for access to deviate from the default address, and it reduced but did not eliminate the hack attempts; so I only turn it on about once a month to copy files from PC that I want to have backup copies, and then shut it down.

The WD NAS automatically checks the company website for updates, and no customer firewall prevents outbound communication; a hacker enters a 'reset' command on the WD server that is read by any customer NAS checking for updates, and the problem begins. WD is victimized, and the customer suffers. Customer logs prove that sequence to be happening. In theory, something like that could happen to Synology customers, too...the customer port for Updates gives hackers a Trojan horse entry point, particularly when customer systems are set up for automatic update check and install (which I don't...I wait for email from Synology to alert me of updates then I manually choose which to install).


Moppie
Jun 27, 2021 05:13 |  #5

The latest update here identifies the problem:

https://www.bleepingcomputer.com …ly-wiped-clean-worldwide/ (external link)


The devices are all running on an outdated version of Linux that has a known vulnerability. If the devices are connected directly to the internet, or have port forwarding enabled, they can be easily accessed.
It appears that part of the attack has also involved loading a trojan on some devices.


It's a not so subtle reminder that a NAS is not a backup, that you need to have multiple copies of your data, and that the copies need to be physically and geographically separated.

It's also a good reason to avoid the more consumer focused devices for the storage of important data, they will never get long term support, and often become vulnerable to attack when support ends.
In this case the WD MyBook Live drives have not received an update since 2015, and they have not been supported since.

None of it makes WD look good either, although it's not technically their fault, they responded quickly and none of their systems appear to have been compromised, if they had developed the devices with more security in mind and provided more updates, or a warning to users, the vulnerability may have been closed.


flickr (external link)

Have you Calibrated your Monkey lately?

Now more than ever we need to be a community, working together and for each other, as photographers, as lovers of photography and as members of POTN.

  
Bcaps
Jun 27, 2021 11:47 as a reply to  @ Moppie's post |  #6

Apparently WD was made aware of this exploit back in 2017. The researcher who notified WD said they did not respond and after a year he released working code for the exploit, which as we have seen is very severe. WD's response was that those devices were no longer supported. Which is a pretty lame response considering the severity of the exploit. A user on that first thread I linked said the fix for the exploit is literally two lines of code, which he posted along with instructions on how to patch the WD devices.

I have quite a few drives that I have "shucked" from WD external drives. I will continue to do so but I would never buy a network facing device from a company with so little regard for the security of those devices.


Channel One
Aug 17, 2021 06:09 |  #7

Bcaps wrote in post #19252986 (external link)
Apparently WD was made aware of this exploit back in 2017. The researcher who notified WD said they did not respond and after a year he released working code for the exploit, which as we have seen is very severe. WD's response was that those devices were no longer supported. Which is a pretty lame response considering the severity of the exploit. A user on that first thread I linked said the fix for the exploit is literally two lines of code, which he posted along with instructions on how to patch the WD devices.

I have quite a few drives that I have "shucked" from WD external drives. I will continue to do so but I would never buy a network facing device from a company with so little regard for the security of those devices.


Moral of the story, don't keep all your eggs in one basket.


Do what you love and you will love what you do, that applies to both work and life.

  
Wilt
Aug 17, 2021 15:02 |  #8

Moppie wrote in post #19252835 (external link)
It's a not so subtle reminder that a NAS is not a backup, that you need to have multiple copies of your data, and that the copies need to be physically and geographically separated.

And, in this particular case, they all cannot be connected to the internet, either! :-(


Wilt
Aug 17, 2021 15:03 |  #9

Channel One wrote in post #19272697 (external link)
Moral of the story, don't keep all your eggs in one basket.

nor should you rely on a single vendor

The pattern I have seen, in the case of WD, is they only care about 'sell one more harddrive'.

  • A USB connected WD MyDrive failed on me, and upon cutting the HD out of the WD USB-connected enclosure, it worked just fine! The USB electronics or HD interface circuit had failed.
  • An internet connected WD had this Trojan (topic of this thread) and 'we do not currently support software for that drive' was WD's response

WD has apparently failed to understand the first principle of business..."Find a customer and KEEP him!"...not if consumer confidence has been undermined over and over.
