clone WD MyBookLive NAS
There has been an attack on WD MyBookLive NAS devices.
I understand MBL run linux.
I woke up this AM to find MBL has been factory reset.
The clue was the Password well known to me did not work.
By searching the WD forum I found many others suffering from the same.
I have tried to clone the MBL NAS drive, but have not been able to find a tool that recognizes the drive. I see Fog and Clonzilla, but I am not a linux guy and not sure where or how to start.
Any help would be much appreciated.
Thank you, Jeff
@jacyjacy77 While I realize this won’t help you, I do find this entreging from a secops perspective. So the bad actors were able to compromise the cloud hosting provider, compromise the command and control function to reset the devices. This is just a postmortum question, but can you manage these devices without a cloud account? Is there local management features? If you can manage them locally, the simple security fix is to assign a static IP address and subnet mask to this device but don’t set a gateway address. The device will not know how to leave your local network. There will be no chance for it to access the cloud controller or receive external commands. That way the device should remain functionally locally and not have the risk of external compromise. Firmware updates haven’t been issued since 2015 so unless WD fix this hole with a firmware update that probably the easiest and most assured way to keep using this device if you are so inclined.
This is the problem:
A remote script was run that issued FactoryReset to WD MBL drives all over the world.
Thank you for your interest, Jeff
WD MyBookLive NAS
I can appreciate your situation. These portable nas devices are problematic to access externally. Many of these systems have under powered processors and typically ARM or ATOM based processors. The typically run some form of embedded linux OS based on buildroot. Without knowing much about linux it may be difficult to clone the drive. If its a ARM based processor you can’t boot native x86 based operating systems.
If this nas has a removable sata drive, you maybe able to take that disk to another computer, plug it in and mount the disk (again this requires linux experience) on that computer. You may be able to boot a linux on a stick OS like puppy linux. Once in puppy linux gpartd may be able to identify and mount the partitions. Once you can read the disk you can then copy the files off.
If you are looking for a preventative steps once you recover the NAS, if the device has a usb port you maybe able to attach a usb hard drive (or sata dock) and backup the contents of the NAS to removable media (understand this means to take the media away from the NAS once the backup is done. This would give you a redundant off-line backup of your NAS.
The final comment is, how was this NAS infected? That NAS should have been connected to your internal network and not directly accessible from the outside. Is this device connected to some cloud account, where the bad guys compromised that cloud account and then access your NAS? Unless you address how the device became infected you will experience this issue over and over.