
Ubiquiti security breach may be a catastrophe

The data breach disclosed by Ubiquiti in January could be just the tip of the iceberg; a deeper incident may have hit the company.

In January, American technology vendor Ubiquiti Networks suffered a data breach and sent notification emails to its customers asking them to change their passwords and enable 2FA for their accounts.

At the time of the disclosure, the company said it had discovered unauthorized access to some of its systems managed by a third-party cloud provider.

It also added that it was not aware of any access to any databases containing user data.

Now new information has emerged from the investigation: the situation could be catastrophic, according to a source involved in the incident response who spoke on condition of anonymity.

The source said that the story of the breach of a third-party cloud provider was a fabrication to minimize the impact on the company's stock price.

“Now a source who participated in the response to that breach alleges Ubiquiti massively downplayed a “catastrophic” incident to minimize the hit to its stock price, and that the third-party cloud provider claim was a fabrication.” states the popular investigative journalist Brian Krebs.

[the data breach was] “downplayed and purposefully written to imply that a 3rd party cloud vendor was at risk and that Ubiquiti was merely a casualty of that, instead of the target of the attack.”

The source also sent a letter to the European Data Protection Supervisor to provide additional details about the incident.

“It was catastrophically worse than reported, and legal silenced and overruled efforts to decisively protect customers,” the source wrote in a letter sent to the European Data Protection Supervisor. “The breach was massive, customer data was at risk, access to customers’ devices deployed in corporations and homes around the world was at risk.”

According to the source, the company launched an investigation into the incident in December 2020, after the intruders gained full access to Ubiquiti databases at Amazon Web Services (AWS), which was the alleged “third party” involved in the breach.

Finally, the attackers gained root administrator access to all AWS accounts of the vendor, including all S3 data buckets, all databases, all user database credentials, secrets used to forge single sign-on (SSO) cookies, and logs.

The source added that the attackers had access to privileged credentials that were previously stored in the LastPass account of a Ubiquiti IT employee.

In this scenario, attackers were able to remotely access every Ubiquiti cloud-based device used by its customers.

The source also revealed that in late December 2020 security experts at Ubiquiti discovered that someone with administrative access had set up several Linux virtual machines. Further investigation revealed the presence of a backdoor on their infrastructure that was removed in the first week of January.

Once the backdoor was removed, the attackers contacted the company and asked for the payment of 50 bitcoin to avoid publicly disclosing the details of the security breach. The attackers also provided proof that they had stolen the company's source code and revealed that they had planted another backdoor in its infrastructure.

The security team involved in the incident response also found the second backdoor and removed it.

“Ubiquiti had negligent logging (no access logging on databases) so it was unable to prove or disprove what they accessed, but the attacker targeted the credentials to the databases, and created Linux instances with networking connectivity to said databases,” continues the source. “Legal overrode the repeated requests to force rotation of all customer credentials, and to revert any device access permission changes within the relevant period.”

On March 31, Ubiquiti published a new statement to its user forum reiterating that it had identified no evidence that customer information was exposed.

“The attacker, who unsuccessfully attempted to extort the company by threatening to release stolen source code and specific IT credentials, never claimed to have accessed any customer information. This, along with other evidence, is why we believe that customer data was not the target of, or otherwise accessed in connection with, the incident.” reads the statement.

“At this point, we have well-developed evidence that the perpetrator is an individual with intricate knowledge of our cloud infrastructure. As we are cooperating with law enforcement in an ongoing investigation, we cannot comment further.”


Pierluigi Paganini

(SecurityAffairs – hacking, data breach)
