  • Got a Western Digital My book?

    • This topic has 33 replies, 12 voices, and was last updated 1 month ago by anonymous.
      • #2373370
        Susan Bradley
        Manager

        Dan Goodwin on Twitter says: Western Digital is advising customers to disconnect their My Book storage devices while the company investigates the mass
        [See the full post at: Got a Western Digital My book?]

        Susan Bradley Patch Lady

        4 users thanked author for this post.
      • #2373371
        numike
        AskWoody Lounger

        I have WD My Passport that ain't the same?

      • #2373380
        BillH
        AskWoody Plus

        I believe there is a difference between the MyBook and the MyBook Live.  The problem appears to only apply to the MyBook Live.

        6 users thanked author for this post.
        • #2373748
          Noel Carboni
          AskWoody_MVP

          I have many Western Digital MyBook NOT Live models.

          No remote interface and no loss of data so far here.

          In fact, I reformatted each of these drives when I first powered them up. Why wouldn’t I do so?

          -Noel

          1 user thanked author for this post.
          • #2375182
            anonymous
            Guest

            I have an external, independently housed and powered, usb 3.0 connected My Book Studio 3 TB WD backup hard drive (no networking); and I also deleted all the partitions except the UEFI 100 MB partition when I set it up, creating and formatting a single additional partition to occupy the rest of the 3 TB. Windows 7 Home Premium x64 sp1 found and downloaded and installed whatever drivers it required when I started using it. When I first got it and removed it from the packaging and plugged it in and examined its contents, it appeared to be set up for Apple, which is why I re-partitioned it. It has worked just fine for years and years. My only complaint is that it “goes to sleep” when not accessed for some time; and you have to access it and “wake it up” before doing a normal Windows shut down or Windows will log off but not shut down, waiting for the My Book Studio to respond, which it apparently never does.

             

      • #2373384
        anonymous
        Guest

        This seems to be My Book Live specifically, an internet connected storage product. Not relevant to the My Book models that are just local NTFS mass storage.

        5 users thanked author for this post.
      • #2373393
        b
        AskWoody MVP

        Also alerted by @cyberSAR here: WD My Book NAS Owners Heads Up!

        And the BleepingComputer link there has now added:

        Update 5:45 PM EST: Western Digital told BleepingComputer that they are actively investigating the attacks but do not believe it was a compromise of their servers.

        They believe that attacks were conducted after some of the My Book owners had their accounts compromised.

        “Western Digital has determined that some My Book Live devices are being compromised by malicious software. In some cases, this compromise has led to a factory reset that appears to erase all data on the device. The My Book Live device received its final firmware update in 2015. We understand that our customers’ data is very important. At this time, we recommend you disconnect your My Book Live from the Internet to protect your data on the device. We are actively investigating and we will provide updates to this thread when they are available.” – Western Digital

        However, their statement doesn't explain how so many accounts were breached at approximately the same time.

        BleepingComputer has sent further questions regarding the attacks to Western Digital.

        WD My Book NAS devices are being remotely wiped clean worldwide

        Windows 10 Pro version 21H2 build 19044.1151 + Microsoft 365 (group ASAP)

        1 user thanked author for this post.
        • #2373399
          cyberSAR
          AskWoody Plus

          Not sure what’s going on just yet, but one of my clients has one and they use the My Cloud to access their drive remotely. When I called to tell them of the issue when I read of it,  they were at their bank because they were having issues today accessing their account online. Not sure it’s related, but had them unplug the device from the network. At this time it appears they haven’t lost any data.

          I told them 3 years ago this wasn’t the best way to go with remote access but what do I know???

        • #2373435
          Alex5723
          AskWoody Plus

          A script has been run remotely on the WD drives :

          It is very scary that someone can factory restore the drive without any permission granted from the end user…
          I have found this in user.log of this drive today:
          Jun 23 15:14:05 MyBookLive factoryRestore.sh: begin script:
          Jun 23 15:14:05 MyBookLive shutdown[24582]: shutting down for system reboot
          Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: start
          Jun 23 16:02:29 MyBookLive _: pkg: wd-nas
          Jun 23 16:02:30 MyBookLive _: pkg: networking-general
          Jun 23 16:02:30 MyBookLive _: pkg: apache-php-webdav
          Jun 23 16:02:31 MyBookLive _: pkg: date-time
          Jun 23 16:02:31 MyBookLive _: pkg: alerts
          Jun 23 16:02:31 MyBookLive logger: hostname=MyBookLive
          Jun 23 16:02:32 MyBookLive _: pkg: admin-rest-api
          I believe this is the culprit of why this happens…No one was even home to use this drive at this time…
          P.S. You can use support->create and save system report to get all the logs. Please check yours and see what happened.

          https://community.wd.com/t/help-all-data-in-mybook-live-gone-and-owner-password-unknown/268111/12

          1 user thanked author for this post.
        • #2373732
          Alex5723
          AskWoody Plus

          There is an update to WD response :

          Last Updated: June 25, 2021

          Description
          Western Digital has determined that some My Book Live and My Book Live Duo devices are being compromised through exploitation of a remote command execution vulnerability. In some cases, the attackers have triggered a factory reset that appears to erase all data on the device.

          We are reviewing log files which we have received from affected customers to further characterize the attack and the mechanism of access. The log files we have reviewed show that the attackers directly connected to the affected My Book Live devices from a variety of IP addresses in different countries. This indicates that the affected devices were directly accessible from the Internet, either through direct connection or through port forwarding that was enabled either manually or automatically via UPnP.

          Additionally, the log files show that on some devices, the attackers installed a trojan with a file named “.nttpd,1-ppc-be-t1-z”, which is a Linux ELF binary compiled for the PowerPC architecture used by the My Book Live and Live Duo. A sample of this trojan has been captured for further analysis and it has been uploaded to VirusTotal.

          Our investigation of this incident has not uncovered any evidence that Western Digital cloud services, firmware update servers, or customer credentials were compromised. As the My Book Live devices can be directly exposed to the internet through port forwarding, the attackers may be able to discover vulnerable devices through port scanning.

          We understand that our customers’ data is very important. We do not yet understand why the attacker triggered the factory reset; however, we have obtained a sample of an affected device and are investigating further. Additionally, some customers have reported that data recovery tools may be able to recover data from affected devices, and we are currently investigating the effectiveness of these tools.

          The My Book Live series was introduced to the market in 2010 and these devices received their final firmware update in 2015….

          1 user thanked author for this post.
          b
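The indicators quoted in the two posts above (the `factoryRestore.sh` entry in user.log and the trojan file name in Western Digital's statement) can be searched for in a saved system report. The following is an added example, not part of the thread or any Western Digital tooling; the year default, the use of `S15mountDataVolume.sh` as a first-boot marker, and the last two sample lines are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta

# Indicators quoted in the thread: the script tag from the user.log excerpt
# and the trojan file name from Western Digital's June 25, 2021 statement.
RESET_TAG = "factoryRestore.sh"
TROJAN_NAME = ".nttpd,1-ppc-be-t1-z"
# Assumption: this init-script tag marks the first boot after the reset.
BOOT_TAG = "S15mountDataVolume.sh"

# BSD-style syslog line: "Jun 23 15:14:05 host tag[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s"
    r"(?P<host>\S+)\s(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:\s?(?P<msg>.*)$"
)

# The first ten lines are the excerpt posted above; the last two are
# constructed for this example (a trojan mention and a non-syslog line).
SAMPLE_LOG = """\
Jun 23 15:14:05 MyBookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 MyBookLive shutdown[24582]: shutting down for system reboot
Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 MyBookLive _: pkg: wd-nas
Jun 23 16:02:30 MyBookLive _: pkg: networking-general
Jun 23 16:02:30 MyBookLive _: pkg: apache-php-webdav
Jun 23 16:02:31 MyBookLive _: pkg: date-time
Jun 23 16:02:31 MyBookLive _: pkg: alerts
Jun 23 16:02:31 MyBookLive logger: hostname=MyBookLive
Jun 23 16:02:32 MyBookLive _: pkg: admin-rest-api
Jun 23 16:05:10 MyBookLive logger: found .nttpd,1-ppc-be-t1-z
--- truncated report line ---
"""


def parse_line(line, year):
    """Return a dict for one syslog line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Syslog timestamps omit the year, so the caller has to supply it.
    ts = datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y")
    return {"ts": ts, "host": m["host"], "tag": m["tag"], "msg": m["msg"]}


def triage(text, year=2021, reboot_window=timedelta(seconds=60)):
    """List factory-reset and trojan findings in log order."""
    events = [e for e in (parse_line(l, year) for l in text.splitlines()) if e]
    findings = []
    for i, ev in enumerate(events):
        later = events[i + 1:]
        if ev["tag"] == RESET_TAG and ev["msg"].startswith("begin script"):
            # A reset nobody asked for is followed at once by a reboot.
            rebooted = any(
                e["tag"] == "shutdown"
                and timedelta(0) <= e["ts"] - ev["ts"] <= reboot_window
                for e in later
            )
            boot = next((e["ts"] for e in later if e["tag"] == BOOT_TAG), None)
            findings.append({
                "kind": "factory_reset", "ts": ev["ts"], "host": ev["host"],
                "reboot_followed": rebooted,
                "offline_for": boot - ev["ts"] if boot else None,
            })
        if TROJAN_NAME in ev["tag"] or TROJAN_NAME in ev["msg"]:
            findings.append({"kind": "trojan", "ts": ev["ts"], "host": ev["host"]})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A `factory_reset` finding at a time when nobody was using the device is the pattern the quoted poster describes; compare the timestamp against your own activity before drawing conclusions.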
      • #2373400
        anonymous
        Guest

        Maybe someone figured out how to mass re-roof their superb shingled drives, the ones that drove a mass exodus to Seagate.  Could be a lot of unhappy NAS (why use one of those things?) users soon.

        We’ll see.

      • #2373445
        anonymous
        Guest

        “Got a Western Digital My book?” -Susan Bradley

        Yes or maybe yes, I have a stack of them with the covers removed and well over 5 years old. Low internet usage I just get drivers for a number of boxes.

        ” Western Digital is advising customers to disconnect their My Book storage”

        Alex5723 June 25, 2021 at 12:42 am

        “A script has been run remotely on the WD drives”

        I know that correlation doesn’t equal causation. I had a junk Western Digital Black Caviar 10 years old, under 500GB, a real dumpster special but the free space suddenly went down from 50% to 11% while using it on local LAN as a shared drive for test backups. The box is a no-name old Chinese made rack style which used to control a RAID 5 set with Intel Core 2 board and Windows 7 Ultimate x64. The RAID HDDs are out and waiting for refurbishment or life extension with disk tools including low level format tools.

        The best guess is that the low space is a fluke but who knows. My partner may have increased the page file, restore point amount and hibernation. I am running a full scan on it now. Done. This Windows Defender does not show a virus. Will run other tools later.

         

      • #2373553
        rc primak
        AskWoody_MVP

        I take these key lessons from this incident:

        Re. WD MyBook Live apparent firmware hack:
        https://community.wd.com/t/help-all-data-in-mybook-live-gone-and-owner-password-unknown/268111/192

        TomTheOne (#191/200)
        Learn:

        A Disk RAID is not a backup
        Do not trust any device if the firmware has never been updated or has not been updated in years.
        Don’t establish cloud links. Never.
        Make sure you disable UPnP. Always.
        Protect your network and devices adequately.

        I would add:

        Always make sure you have multiple backups, at least one of which is NOT connected to the device or the Internet at any given time.

        Consider replacing the manufacturer’s firmware with something which you can update frequently, and is currently supported. This is usually some form of dd-wrt, as discussed and referenced in the WD Community Thread.

        This whole episode should be a shot across the bow for anyone running any software, OS version or firmware in any device, which is not currently supported to the extent at least of getting security updates. I know a lot of folks who still run obsolete and out of support firmware, software and OSes, including Windows Home Server. (WHS does however have an active support community, which I suppose might diminish the potential impact of any new threats or vulnerabilities.)

        Personally, I have NO cloud-connected storage devices except the company-issued Comcast DVR and my TiVo (Bolt OTA) DVR. And three of each for offline backup drives.

        I hope maybe something in this post will help someone prevent such a catastrophe as has happened to so many unfortunate WD My Book Live owners. If I have made any errors or false assumptions here, I’m sure our AskWoody Community will be quick to correct me.

        -- rc primak

        • #2373557
          rc primak
          AskWoody_MVP

          Notes:

          Don’t establish cloud links. Never.

          I’m not so sure this is necessary to this extreme, as long as you have local backups which are fully protected from the Internet.

          Protect your network and devices adequately. 

          Impossible with older firmware or many IoT devices.

          -- rc primak

          1 user thanked author for this post.
          • #2373750
            Noel Carboni
            AskWoody_MVP

            You simply cannot have 100% control once you have connected your devices to the world. Unless you have written ALL the software yourself.

            You don’t really have ultimate control even if not connected. Imagine a time bomb – intentional or otherwise – or even just hardware failure (e.g. “I plugged it in but nothing happened” or “I plugged it in but can’t access any data”). It’s all a game of probabilities. You want to sway the odds in your favor.

            Yes, multiple backups of different sorts is a good idea.

            Remember when we could back critical data up to DVDs or BluRays? How did that fall by the wayside without an alternative? Heck, I don’t even have an optical drive in my latest system. They’ve simply fallen out of favor. Things that allow the end user to retain control have fallen out of favor.

            -Noel

            1 user thanked author for this post.
      • #2373565
        blueboy714
        AskWoody Plus

        I have 3 Western Digital My Passport external hard drives.  I’m not sure if they are the same as WD My Book or My Book Live that seem to be having problems right now or could have similar issues later. My WD My Passport external HDs are not having problems – probably because they aren’t storing data on the Cloud (which I avoid like the plague).

        • #2373567
          rc primak
          AskWoody_MVP

          Those you list are not connected to the Internet. They are not getting firmware updates from WD over the Internet. So no, they are not the affected MyBook types.

          -- rc primak

      • #2373568
        vandermeer
        AskWoody Lounger

        I have one, but it’s “only” on my home network. My home network, though, is obviously connected to the web, so I pulled the plug on the WD just in case.

        Before I did, I checked the WD. Everything was still there, but better safe than sorry.

        I also have two Synology NAS drives, but like the WD, they’re not accessible from outside my router.

        Synology seems much, much more serious about protecting their customers than WD. No update since 2015 is inexcusable.

        Thanks to Susan for the heads up.

      • #2373575
        anonymous
        Guest

        If your Data is that Valuable then an LTO Tape Drive is not that expensive relative to never being able to recover that Valuable data! And make copies in Triplicate!

        • #2373656
          Paul T
          AskWoody MVP

          An external USB hard disk is the cheapest (and best) way to back up your data safely. Store the disk in a fireproof safe after use.

          cheers, Paul

      • #2373585
        b
        AskWoody MVP

        The WD My Book Live flaw exploited this week was at least three years old:

        Examine the CVE attached to this flaw and you’ll notice it was issued in 2018. The NVD’s advisory credits VPN reviewer Wizcase.com with reporting the bug to Western Digital three years ago, back in June 2018.

        In some ways, it’s remarkable that it took this long for vulnerable MyBook devices to be attacked: The 2018 Wizcase writeup on the flaw includes proof-of-concept code that lets anyone run commands on the devices as the all-powerful “root” user.

        Western Digital’s response at the time was that the affected devices were no longer supported and that customers should avoid connecting them to the Internet. That response also suggested this bug has been present in its devices for at least a decade.

        These products have been discontinued since 2014 …

        If you’d still like to keep your MyBook connected to your local network (at least until you can find a suitable backup for your backups), please make double sure remote access is not enabled in your device settings (see screenshot above).

        MyBook Users Urged to Unplug Devices from Internet [Krebs on Security]

        Windows 10 Pro version 21H2 build 19044.1151 + Microsoft 365 (group ASAP)

        2 users thanked author for this post.
      • #2373749
        Alex5723
        AskWoody Plus

        In fact, I reformatted each of these drives when I first powered them up. Why wouldn’t I do so?

        I did the same with my 3tb, 5tb, 8tb WD drives.
        I always format new drives which usually come formatted with FAT32.

        1 user thanked author for this post.
      • #2373754
        Noel Carboni
        AskWoody_MVP

        Not directly related to this subject, but applicable in the general realm of “protecting valuable data” and intended to get thoughts flowing…

        How many have implemented backup schemes designed to protect against data loss from e.g., ransomware, malware, etc.?

        Imagine, for example, having a system on the LAN that can reach out and connect to other systems via Windows Networking, but which does not itself share data. That system is not normally used for anything interactive but runs autonomous jobs to pull data from the other systems whenever it can and backs it up to big internal or even external USB MyBook (NOT Live) drives.

        In my case I have accomplished this with a small, low power Win 7 system that is not used for interactive operations, only serves a few local purposes, and is armed to the teeth with uncommon security measures.

        -Noel

        • #2373756
          anonymous
          Guest

          using percentage firewall rules and hosting malware as security sounds about right these days aka ‘honeypot devices’ to protect from intruders. Fight fire with fire?

        • #2373773
          anonymous
          Guest

          You may be right there although it will take resources to implement such a strategy.  I am not affected by the current WD issue but am well aware that “there, but for the grace of God, go I”.

          You have to ask yourself about the failure modes of the options you have chosen.  What will fail, how will it fail, when will it fail, and what can I do to recover the situation?

          Will your average user be willing to spend the money upfront, and then provide the maintenance, that such resilience requires?

           

      • #2373807
        vandermeer
        AskWoody Lounger

        I’m always pleased to show my ignorance.
        🙂

        The WD statement quoted above says the following:
        “The log files we have reviewed show that the attackers directly connected to the affected My Book Live devices from a variety of IP addresses in different countries. This indicates that the affected devices were directly accessible from the Internet, either through direct connection or through port forwarding that was enabled either manually or automatically via UPnP.”

        As I mentioned in my posting above, my WD My Book Live (from which I’ve pulled the electricity plug) had no internet connection; it was behind my router/firewall.

        What I don’t understand from the WD post is “…through port forwarding that was enabled either manually or automatically via UPnP.”

        How, please, can I find out whether UPnP is active in my “system”, which includes a router, a non-managed switch, three computers, three printers, and two Synology NAS devices, as well as several laptops, cell phones, and tablets connected to my router via WiFi?

        Thank you.

      • #2373863
        Paul T
        AskWoody MVP

        How, please, can I find out whether UPnP is active in my “system”

        It may be enabled by default on your router. This is the only place you really need to worry about it.

        What is your router model?

        cheers, Paul

      • #2373874
        Alex5723
        AskWoody Plus

        had no internet connection; it was behind my router/firewall.

        All hacked/wiped WD live drives were behind router/firewall.
        It is enough that the router is connected to the Internet in order to access the drives.

      • #2374592
        Alex5723
        AskWoody Plus

        Hackers exploited 0-day, not 2018 bug, to mass-wipe My Book Live devices

        Western Digital removed code that would have prevented the wiping of petabytes of data

        Last week’s mass-wiping of Western Digital My Book Live storage devices involved the exploitation of not just one vulnerability but also a second critical security bug that allowed hackers to remotely perform a factory reset without a password, an investigation shows.

        The vulnerability is remarkable because it made it trivial to wipe what is likely petabytes of user data. More notable still was that, according to the vulnerable code itself, a Western Digital developer actively removed code that required a valid user password before allowing factory resets to proceed…

        1 user thanked author for this post.
        b
      • #2374680
        bowled845
        AskWoody Plus

        Just got an email on 6/29/2021 @ 10:32 pm CDT from WD telling me to disconnect my My Book Live Device. Seems to be a little late to be sending this to a customer, when this discussion was started on June 24, 2021. Mine is a non-functioning device that hasn’t been used in about 3-4 years.

      • #2374965
        vandermeer
        AskWoody Lounger

        How, please, can I find out whether UPnP is active in my “system”

        It may be enabled by default on your router. This is the only place you really need to worry about it.

        What is your router model?

        cheers, Paul

        Thank you for your reply.

        I’m in Berlin and have a “Speedport Smart 3” router, which is a product of the “Deutsche Telekom”, the former government communications monopoly and still the country’s biggest provider – as far as I know.

        Anyway, a bit of reading just now just revealed that my router – and all the routers in the “Speedport” series – don’t even have the UPnP function. It seems that in its “eternal maternal” role as Germany’s communications babysitter, the ex-monopolist decided to distribute only idiot-proof products.

        Obviously lots of people don’t want to be “babysat”, so they opt for “Fritzboxes” from the German company AVM or go for Netgear or whatever.

        People like me, though, who need all the protection we can get in the contemporary internet sharktank, are quite content that someone has closed at least one door whose potential for danger has, at least apparently in this case, been exposed for all to see – and (for the unfortunate) to feel.

        Having written all this, my MyBook Live still has its plugs pulled and will remain de-electrified till the beanbrains at WD reveal their solution to the crisis.

        I must admit that having found out about my router’s lack of UPnP makes me feel a bit better about leaving my two Synology drives working on my LAN.

        Just for the record, none of my NAS devices was ever intentionally opened to the Internet. I only use them as a convenient backup solution on my little home LAN.

        Apparently, though, similar scenarios were enough to cause lots of poor folks heartache due to WD’s lack of professionalism.

      • #2374972
        cyberSAR
        AskWoody Plus

        https://www.westerndigital.com/support/productsecurity/wdc-21008-recommended-security-measures-wd-mybooklive-wd-mybookliveduo

        My Book Live WDBACG0030HCH
        My Book Live WDBACG0020HCH
        My Book Live WDBACG0010HCH
        My Book Live Duo WDBVHT0080JCH
        My Book Live Duo WDBVHT0060JCH
        My Book Live Duo WDBVHT0040JCH

        Advisory Summary

        Immediately disconnect your My Book Live and My Book Live Duo from the Internet to protect your data from ongoing attacks.

        For customers who have lost data as a result of these attacks, Western Digital will provide data recovery services. My Book Live users will also be offered a trade-in program to upgrade to a supported My Cloud device. Both programs will be available beginning in July, and details on how to take advantage of these programs will be made available in a separate announcement.

        1 user thanked author for this post.
        b
      • #2375081
        Paul T
        AskWoody MVP

        Immediately disconnect your My Book Live and My Book Live Duo from the Internet

        Pity they don’t tell you how to do this!

        cheers, Paul
