A security professional who was involved in Ubiquiti’s response to last year’s data breach has blown the lid off an alleged cover-up by the networking and IoT device maker.
The whistleblower told KrebsOnSecurity reporter Brian Krebs that the company downplayed the “catastrophic” breach to protect its stock price.
The whistleblower adds that the attackers obtained customer authentication keys, and that the cover-up left customer devices and Ubiquiti’s cloud infrastructure exposed to complete takeover. He also wrote to the European Data Protection Supervisor to lay out the extent of the compromise and the alleged cover-up.
The attackers demanded roughly $2.8 million in Bitcoin to keep the breach quiet and to reveal the location of a second backdoor; the backdoor was found without the ransom being paid.
Ubiquiti reportedly misled the public about the source and extent of the data breach
Ubiquiti’s data breach notification attributed the incident to an unnamed third-party cloud provider.
The wording gave the impression that Ubiquiti had been caught up in a breach at a third-party cloud provider. The whistleblower says the opposite was true: Ubiquiti itself was the target, not a bystander.
He says Ubiquiti’s disclosure was “downplayed and purposely written to imply that a third-party cloud provider was in danger and that Ubiquiti was just a victim, instead of being the target of the attack.”
Hackers Obtained Administrator Rights to Ubiquiti’s Amazon Cloud Servers
Under the shared-responsibility model, Amazon secures the underlying cloud infrastructure, but the tenant is responsible for securing access to its own accounts and data. The whistleblower says the attackers gained far more access than the company acknowledged.
“They were able to obtain cryptographic secrets for single sign-on cookies and remote access, full content of source code control and exfiltration of signing keys,” the source told Krebs.
He added that the attackers compromised a Ubiquiti employee’s LastPass account and from it gained access to all of Ubiquiti’s AWS accounts, including all S3 data buckets, application logs, databases, user database credentials, and the secrets needed to forge single sign-on cookies. The credentials for the AWS root administrator account were also stored in that LastPass account.
LastPass says its own service was not compromised at any point during the incident and that it contacted Ubiquiti to offer assistance. The individual LastPass account was most likely compromised because of a weak password and the absence of two-factor authentication.
With that material, the attackers could authenticate to Ubiquiti devices around the world. The company has sold more than 85 million devices, including network equipment, security cameras, and other IoT devices.
Ubiquiti’s legal team reportedly silenced and overruled efforts at full disclosure
“It was catastrophically worse than reported, and Legal silenced and overrode efforts to decisively protect customers. The breach was massive, customer data was at risk, access to customer devices deployed in businesses and homes around the world was at risk.”
After Krebs’s report, Ubiquiti released another statement claiming that its assessment of the breach had not changed, even after third-party investigators were brought in.
Ubiquiti maintains that its investigators found no evidence that customer information was accessed or targeted.
“These experts did not identify any evidence that customer information was accessed or even targeted. The attacker, who unsuccessfully attempted to extort the company by threatening to disclose the stolen source code and specific computer credentials, never claimed to have accessed customer information.”
The company says the whistleblower has no evidence that customer data was accessed. The whistleblower counters that Ubiquiti’s poor security practices meant it could not know the full extent of the breach either way.
“Ubiquiti had negligent logging (no database access logging), so it couldn’t prove or disprove what they accessed, but the attacker targeted the database credentials and created Linux instances with network connectivity to said databases,” he said.
He also pointed out that the company should have invalidated all user credentials immediately after the data breach was discovered.
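The two points above, stolen secrets that let an attacker forge SSO cookies and the need to invalidate every session once that is known, are easiest to see in code. The following is an added example written for this article, not Ubiquiti’s code and not a description of its actual SSO implementation: it assumes a simple cookie format (base64 JSON payload plus an HMAC-SHA256 tag), a key identifier (`kid`) inside the payload, and a `not_before` cut-off that a breach-response `revoke_all()` sets so that every cookie issued before the cut-off is rejected even if the old key leaked. The `forge_cookie()` helper plays the attacker who holds the leaked secret.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def _sign(key: bytes, body: str) -> str:
    # HMAC-SHA256 over the encoded payload; the hex tag is appended to the cookie.
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def _mint(key: bytes, kid: str, user: str, issued_at=None) -> str:
    payload = {"sub": user, "iat": issued_at or time.time(), "kid": kid}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    return f"{body}.{_sign(key, body)}"


def forge_cookie(stolen_key: bytes, kid: str, user: str) -> str:
    """Attacker's view (hypothetical): a leaked signing secret mints a valid cookie for any user."""
    return _mint(stolen_key, kid, user)


class SessionSigner:
    """Issues and verifies SSO cookies signed with a versioned HMAC key (illustrative design)."""

    def __init__(self) -> None:
        self.keys = {}            # kid -> secret; only keys still trusted are kept here
        self.current_kid = ""
        self.not_before = 0.0     # cookies with iat earlier than this are rejected
        self._counter = 0
        self.rotate()

    def rotate(self) -> str:
        """Routine rotation: a new key becomes current; older keys stay valid until pruned."""
        self._counter += 1
        kid = f"k{self._counter}"
        self.keys[kid] = secrets.token_bytes(32)
        self.current_kid = kid
        return kid

    def revoke_all(self, now=None) -> str:
        """Breach response: retire every key and reject every session issued before now."""
        self.not_before = time.time() if now is None else now
        self.keys.clear()
        return self.rotate()

    def issue(self, user: str) -> str:
        return _mint(self.keys[self.current_kid], self.current_kid, user)

    def verify(self, cookie: str):
        """Return the user the cookie is bound to, or None if it must not be trusted."""
        try:
            body, tag = cookie.split(".", 1)
            payload = json.loads(base64.urlsafe_b64decode(body))
        except ValueError:        # bad base64, bad JSON, or no "." separator
            return None
        if not isinstance(payload, dict) or not isinstance(payload.get("kid"), str):
            return None
        key = self.keys.get(payload["kid"])
        if key is None:
            return None           # signed with a retired or unknown key
        if not hmac.compare_digest(_sign(key, body), tag):
            return None           # tampered payload or wrong key
        iat = payload.get("iat")
        if not isinstance(iat, (int, float)) or iat < self.not_before:
            return None           # predates the revocation cut-off
        return payload.get("sub")


def demonstrate() -> dict:
    """Walk through key leak -> forgery -> revoke_all and record what verify() accepts."""
    signer = SessionSigner()
    # Constructed scenario: the attacker exfiltrates the live signing secret.
    stolen_kid, stolen_key = signer.current_kid, signer.keys[signer.current_kid]
    legit = signer.issue("alice")
    forged = forge_cookie(stolen_key, stolen_kid, "admin")
    before = {"legit": signer.verify(legit), "forged": signer.verify(forged)}

    signer.revoke_all()           # the step the whistleblower says should have happened at once
    reissued = signer.issue("alice")
    forged_again = forge_cookie(stolen_key, stolen_kid, "admin")  # fresh iat, but retired key
    after = {
        "legit": signer.verify(legit),
        "forged": signer.verify(forged),
        "forged_again": signer.verify(forged_again),
        "reissued": signer.verify(reissued),
    }
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(json.dumps(demonstrate(), indent=2))
```

Before `revoke_all()`, the forged “admin” cookie verifies exactly like the legitimate one, because a signature only proves possession of the key, not who holds it. After it, every cookie issued under the old key fails, legitimate users simply log in again and get a cookie under the new key, and a freshly forged cookie is also rejected because its `kid` no longer maps to a trusted key. Rotating the key without forcing re-authentication would leave the already-issued forgeries valid until they expired.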
Ubiquiti did acknowledge that the attacker had extensive knowledge of its cloud systems, but declined to disclose further details, citing an ongoing investigation.
“At this point, we have well-established evidence that the perpetrator is an individual with intricate knowledge of our cloud infrastructure. As we are cooperating with law enforcement in an ongoing investigation, we cannot comment further.”
The company has advised customers to change their passwords and enable two-factor authentication, and to do the same on any other accounts where they reused the same username or password.
“With root access to an AWS account, an attacker could dig in in a way that would be incredibly difficult to kick out,” said David “moose” Wolpoff, co-founder and CTO of Randori. “Given the nature of Ubiquiti’s products and services, it is quite conceivable that an attacker with such privileges could gain access to sensitive customer data and environments.”
Wolpoff compared the Ubiquiti breach to the SolarWinds supply chain attack, and said customers should always expect, and be prepared for, a compromise of their suppliers.
“The nature of many Ubiquiti products makes it more difficult to detect and respond to a supply chain-initiated compromise, as the network infrastructure itself can be commonly used to detect a breach, and as such, it is likely that most customers will assume such a provider will have made significant investments in its own security.”