IoT Giant Ubiquiti Covered Up Data Breach Impact, Whistleblower Alleges

essidsolutions

A security professional involved in Ubiquiti's response to a data breach discovered in January alleges that the company swept the actual impact of the "catastrophic" breach under the carpet to avoid an adverse reaction from investors and customers.

IoT and wireless networking devices maker Ubiquiti Networks may have downplayed the true impact of a ransomware attack it suffered in December last year, according to a security professional involved in its response to the incident.

Choosing to remain anonymous to avoid any adverse reaction from his employer, this whistleblower wrote to European data protection authorities and also raised the issue with Ubiquiti’s whistleblower hotline, describing the data security incident suffered by Ubiquiti as “catastrophic.” Finally, he shared the startling information with Brian Krebs of KrebsOnSecurity, refuting the San Jose, CA-based networking company’s letter it sent to customers upon the discovery of the breach in mid-January.

In the letter, Ubiquiti claimed that unknown threat actors gained unauthorized access to specific IT systems hosted by a third-party cloud provider. However, according to the whistleblower, these IT systems were, in fact, Ubiquiti’s databases hosted at Amazon Web Services (AWS), which were breached on an administrative level.

Under the shared responsibility model, securing the underlying hardware and software does lie with AWS. Securing access to the data stored on those servers, however, is the customer's responsibility, Ubiquiti's in this case. If the whistleblower's allegations are true, not only was the company complacent in securing its systems, it also deliberately misled its customers by downplaying the impact of the breach through a carefully crafted letter aimed at deflecting public attention from its lax security practices.

The whistleblower’s disclosure to European data protection authorities reads, “Ubiquiti had negligent logging (no access logging on databases), so it was unable to prove or disprove what they accessed, but the attacker targeted the credentials to the databases, and created Linux instances with networking connectivity to said databases. Legal overrode the repeated requests to force rotation of all customer credentials, and to revert any device access permission changes within the relevant period.”
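The two gaps the disclosure names, no access logging on the databases and credentials that were never force-rotated, are both visible in account configuration before any attacker turns up. As an added illustration (not code from the article, Ubiquiti or AWS), the check below evaluates constructed sample data shaped like the corresponding boto3 responses (`describe_db_instances`, `get_bucket_logging`, `list_access_keys`); the engine-to-log-export mapping and the 90-day rotation window are assumptions.

```python
"""Offline posture check: database audit-log export, S3 server access logging,
and IAM access-key age. All input below is CONSTRUCTED sample data mimicking
boto3 response shapes; in a real account it would come from the AWS API."""
from datetime import datetime, timedelta, timezone

# Assumed mapping: RDS engine -> CloudWatch log export that records the
# connections/queries needed to prove or disprove what was accessed.
AUDIT_LOG_EXPORT = {"mysql": "audit", "mariadb": "audit", "postgres": "postgresql"}


def audit_rds_logging(instances):
    """Flag DB instances whose audit log is not exported or that are public."""
    findings = []
    for db in instances:
        name, needed = db["DBInstanceIdentifier"], AUDIT_LOG_EXPORT.get(db["Engine"])
        exported = set(db.get("EnabledCloudwatchLogsExports", []))
        if needed and needed not in exported:
            findings.append(f"{name}: no {needed} log export")
        if db.get("PubliclyAccessible"):
            findings.append(f"{name}: publicly accessible")
    return findings


def audit_s3_logging(bucket_logging):
    """bucket_logging maps bucket name -> get_bucket_logging() response.
    The response carries 'LoggingEnabled' only when access logging is on."""
    return [name for name, resp in bucket_logging.items() if "LoggingEnabled" not in resp]


def stale_access_keys(keys, now, max_age_days=90):
    """Flag active IAM access keys older than the assumed rotation window."""
    cutoff = now - timedelta(days=max_age_days)
    return [k["AccessKeyId"] for k in keys if k["Status"] == "Active" and k["CreateDate"] < cutoff]


# Constructed sample snapshot (identifiers and key ids are placeholders).
SAMPLE_RDS = [
    {"DBInstanceIdentifier": "customers-db", "Engine": "mysql",
     "EnabledCloudwatchLogsExports": ["error"], "PubliclyAccessible": False},
    {"DBInstanceIdentifier": "devices-db", "Engine": "postgres",
     "EnabledCloudwatchLogsExports": ["postgresql"], "PubliclyAccessible": True},
]
SAMPLE_S3 = {"firmware-artifacts": {"LoggingEnabled": {"TargetBucket": "log-archive"}}, "app-logs": {}}
NOW = datetime(2021, 3, 30, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"AccessKeyId": "AKIAEXAMPLE000000001", "Status": "Active", "CreateDate": NOW - timedelta(days=400)},
    {"AccessKeyId": "AKIAEXAMPLE000000002", "Status": "Active", "CreateDate": NOW - timedelta(days=10)},
]

if __name__ == "__main__":
    for line in audit_rds_logging(SAMPLE_RDS) + audit_s3_logging(SAMPLE_S3) + stale_access_keys(SAMPLE_KEYS, NOW):
        print("FINDING:", line)
```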

Alleging that Ubiquiti cunningly shifted the blame to a ‘third party cloud provider’ without naming the culprit, the whistleblower added that Ubiquiti’s letter to customers was “purposefully written to imply that a 3rd party cloud vendor was at risk and that Ubiquiti was merely a casualty of that, instead of the target of the attack.”

In its letter to customers, the IoT devices maker also avoided mentioning that its security teams removed two backdoors used by the attackers in its network and that attackers demanded 50 bitcoin (approximately $2.8 million) as ransom in exchange for not disclosing the breach publicly.


“It was catastrophically worse than reported, and legal silenced and overruled efforts to decisively protect customers. The breach was massive, customer data was at risk, access to customers’ devices deployed in corporations and homes around the world was at risk,” the whistleblower added.

According to him, hackers accessed all S3 data buckets, application logs, all databases, all user database credentials, and the secrets required to generate single sign-on (SSO) cookies, and stole Ubiquiti's source code.

Since I'm getting a heap of questions about this: it's obviously a *really* bad look and it puts the onus on @Ubiquiti to respond. The problem now is the same as I commented back in Jan which is that they're not providing anywhere near enough information about the incident.

— Troy Hunt (@troyhunt) March 30, 2021

Ubiquiti has not conceded to the whistleblower’s allegations so far. The company, however, released an update in response to Krebs’ report, stating that hackers tried to blackmail it into paying a ransom by threatening to release stolen source code and some IT credentials. The company stresses that at no time were hackers able to access any data associated with its customers.


Ubiquiti Response

Users of Ubiquiti devices such as network video recorders, routers, switches, and security cameras should immediately change their passwords if they haven't done so recently. Krebs also advised disabling remote access, deleting all profiles on these devices, updating to the latest firmware, and re-creating those profiles with new credentials.
