ATTENTION! Very important message from WD customer service!
Last Updated: July 8, 2021
Western Digital has an important announcement for registered My Book Live or My Book Live Duo customers. Immediately disconnect your My Book Live device from the Internet to protect your data from ongoing attacks. You can disconnect the device and continue to access your data locally by following instruction:
Some My Book Live devices connected to the Internet are being compromised by attackers and in some cases, the attackers have triggered a factory reset that appears to erase all data on the device.
We are here to help. Although this product family is no longer sold or supported by Western Digital, we know some of our customers have been impacted and we want to help. If you have lost your data as a result of these attacks, we will provide data recovery services which will be available beginning in July.
We know how important your data is to you and are committed to helping you protect it. We are launching a trade-in program that will allow you to upgrade from your My Book Live to one of our supported My Cloud devices.
We will provide details about how to take advantage of these programs in a separate email.
In case you are concerned about other products and services from Western Digital, our investigation of this incident has not found any evidence that our cloud services, firmware update servers, or customer credentials were compromised. The vulnerabilities being exploited are limited to the My Book Live devices, which were introduced to the market in 2010 and received a final firmware update in 2015. These vulnerabilities do not affect our current My Cloud product family.
The latest information about this incident will be available on
How to restore data in this case? It is simple! This is a regular logical problem, and all data is still on the hard drive.
The attackers simply ran a reset to default settings, which cleans up the device without overwriting the data. So all your data is still on the hard drive. To access the device, you just need to enter the factory username and password (admin/admin). If there is no data, then in order to restore it you need to scan all the metadata of the hard disk and rebuild the file system; in this case data recovery software should be used. It is possible to restore journal data, the catalog file, and copies of old metadata to rebuild the whole file structure with the partition.
Data recovery Expert can restore your data in this case.
In our lab we use a more in-depth data recovery solution for this incident.
We use an application and a direct SSH connection, or a network WD hard drive scanner for data recovery developed specially for all WD NAS My Book devices.
Price in this case:
Option 1: Free, with a coupon from the WD manufacturer, a reference from WD support, or for our data recovery partners and members. We also provide free service for distributors and authorized computer stores.
Option 2: $350 per case for regular data recovery.
Questions are welcome.
More information about what really happened and explanation from WD.
Western Digital has determined that Internet-connected My Book Live and My Book Live Duo devices are under attack by exploitation of multiple vulnerabilities present in the device. In some cases, the attackers have triggered a factory reset that appears to erase all data on the device.
Data Recovery and Product Trade-In Programs
Western Digital is offering a data recovery service program to help customers who have lost data as a result of these attacks. My Book Live customers are also offered a trade-in program to upgrade to a supported My Cloud device. You can find more details on these programs by following the links below:
My Book Live and My Book Live Duo: Data Recovery Service Offer
My Book Live and My Book Live Duo: Trade-In Offer
Analysis of Newly Identified Vulnerability CVE-2021-35941
The My Book Live firmware is vulnerable to a remotely exploitable command injection vulnerability when the device has remote access enabled. This vulnerability may be exploited to run arbitrary commands with root privileges. Additionally, the My Book Live is vulnerable to an unauthenticated factory reset operation which allows an attacker to factory reset the device without authentication. The unauthenticated factory reset vulnerability has been assigned CVE-2021-35941.
We have heard concerns about the nature of this vulnerability and are sharing technical details to address these questions. We have determined that the unauthenticated factory reset vulnerability was introduced to the My Book Live in April of 2011 as part of a refactor of authentication logic in the device firmware. The refactor centralized the authentication logic into a single file, which is present on the device as includes/component_config.php and contains the authentication type required by each endpoint. In this refactor, the authentication logic in system_factory_restore.php was correctly disabled, but the appropriate authentication type of ADMIN_AUTH_LAN_ALL was not added to component_config.php, resulting in the vulnerability. The same refactor removed authentication logic from other files and correctly added the appropriate authentication type to the component_config.php file.
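The failure mode described above, as an added example that is not Western Digital's code: a central table maps each endpoint to its required authentication type, and one entry is missing. The table layout, the example_* endpoint names and the assumption that the dispatcher treats a missing entry as "no authentication required" are hypothetical; only system_factory_restore and ADMIN_AUTH_LAN_ALL come from the advisory.

```python
# Added illustration: models a centralized per-endpoint auth table.
# The table layout and every endpoint name except system_factory_restore are
# hypothetical; ADMIN_AUTH_LAN_ALL is the auth type named in the advisory.

ADMIN_AUTH_LAN_ALL = "ADMIN_AUTH_LAN_ALL"

# Constructed sample: endpoints the router can dispatch to.
ROUTED_ENDPOINTS = ["example_users", "example_shares", "system_factory_restore"]

# Constructed sample of the central table after the refactor: the entry for
# system_factory_restore was never added.
COMPONENT_CONFIG = {
    "example_users": ADMIN_AUTH_LAN_ALL,
    "example_shares": ADMIN_AUTH_LAN_ALL,
}


def is_allowed_fail_open(endpoint, session_is_admin, config):
    """Flawed lookup (assumed): a missing entry means no auth is required."""
    required = config.get(endpoint)
    if required is None:
        return True
    return session_is_admin


def is_allowed_fail_closed(endpoint, session_is_admin, config):
    """Hardened lookup: a missing entry denies the request."""
    required = config.get(endpoint)
    if required is None:
        return False
    return required == ADMIN_AUTH_LAN_ALL and session_is_admin


def undeclared_endpoints(routed, config):
    """Build-time check: routed endpoints with no auth type declared."""
    return sorted(e for e in routed if e not in config)


if __name__ == "__main__":
    missing = undeclared_endpoints(ROUTED_ENDPOINTS, COMPONENT_CONFIG)
    print("endpoints without an auth type:", missing)
    for name in ROUTED_ENDPOINTS:
        print(name,
              "fail-open:", is_allowed_fail_open(name, False, COMPONENT_CONFIG),
              "fail-closed:", is_allowed_fail_closed(name, False, COMPONENT_CONFIG))
```

Running undeclared_endpoints as a release gate catches the omission before shipping, and the fail-closed lookup keeps a missed entry from becoming an unauthenticated endpoint.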
Analysis of the Attack
We have reviewed log files which we have received from affected customers to understand and characterize the attack. The log files we reviewed show that the attackers directly connected to the affected My Book Live devices from a variety of IP addresses in different countries. Our investigation shows that in some cases, the same attacker exploited both vulnerabilities on the device, as evidenced by the source IP. The first vulnerability was exploited to install a malicious binary on the device, and the second vulnerability was later exploited to reset the device.
On some devices, the attackers installed a trojan with a file named .nttpd,1-ppc-be-t1-z, which is a Linux ELF binary compiled for the PowerPC architecture used by the My Book Live and Live Duo. A sample of this trojan has been captured for further analysis and it has been uploaded to VirusTotal.
Our investigation of this incident has not uncovered any evidence that Western Digital cloud services, firmware update servers, or customer credentials were compromised. As the My Book Live devices can be directly exposed to the internet through port forwarding, the attackers may be able to discover vulnerable devices through port scanning. The vulnerabilities being exploited in this attack are limited to the My Book Live series, which was introduced to the market in 2010 and received a final firmware update in 2015. These vulnerabilities do not affect our current My Cloud product family.
Affected Products
My Book Live WDBACG0030HCH
My Book Live WDBACG0020HCH
My Book Live WDBACG0010HCH
My Book Live Duo WDBVHT0080JCH
My Book Live Duo WDBVHT0060JCH
My Book Live Duo WDBVHT0040JCH
Advisory Summary
Immediately disconnect your My Book Live and My Book Live Duo from the Internet to protect your data from ongoing attacks.
For customers who have lost data as a result of these attacks, Western Digital will provide data recovery services. Western Digital is also offering My Book Live customers a trade-in program to upgrade to a supported My Cloud device.