A security professional who participated in Ubiquiti’s data breach response last year blew the lid on an alleged coverup plot by the IoT device manufacturer.
The whistleblower told KrebsOnSecurity journalist Brian Krebs that the company downplayed the “catastrophic” security breach to prevent its stock from taking a hit.
The informer adds that attackers accessed customer authentication keys, and the coverup left customers’ devices and cloud infrastructures at risk of complete takeover. The whistleblower wrote to the European Data Protection Supervisor explaining the extent of the compromise and the alleged cover-up.
The hackers demanded about $2.8 million in Bitcoin to keep the breach private and disclose a second backdoor, which was eventually discovered without paying the ransom.
Ubiquiti allegedly misinformed the public about the source and extent of the data breach
Ubiquiti’s data breach notification blamed the security incident on an unnamed third-party cloud provider.
The wording of the statement made it appear that the company was a victim of a third-party cloud provider data breach. However, the whistleblower says that Ubiquiti was the target and not a victim.
He says Ubiquiti’s disclosure was “downplayed and purposefully written to imply that a 3rd party cloud vendor was at risk and that Ubiquiti was merely a casualty of that, instead of the target of the attack.”
Hackers gained administrative rights on Ubiquiti Amazon cloud servers
While Amazon secures the cloud infrastructure, it’s the tenant’s responsibility to secure access to the data. The informer says that the hackers gained more access than the company acknowledged.
“They were able to get cryptographic secrets for single sign-on cookies and remote access, full source code control contents, and signing keys exfiltration,” the source told Krebs.
He added that the attackers breached a Ubiquiti employee’s LastPass account and gained access to all Ubiquiti AWS accounts, S3 data buckets, application logs, databases, user credentials stored in the databases, and keys for single sign-on cookies. The company had also stored its AWS administrator password in a LastPass account.
LastPass says its service was not breached at any time during the incident and that it reached out to Ubiquiti to offer any assistance needed. The individual Ubiquiti LastPass account was likely breached because of a weak password and a lack of two-factor authentication.
Hackers could use the information to authenticate on various Ubiquiti devices worldwide. The company has sold more than 85 million devices, including Ubiquiti networking devices, networked security cameras, and IoT devices.
Ubiquiti legal teams were allegedly silenced and overruled to prevent full disclosure
“It was catastrophically worse than reported, and legal silenced and overruled efforts to decisively protect customers. The breach was massive, customer data was at risk, access to customers’ devices deployed in corporations and homes around the world was at risk.”
After Krebs’s reporting, Ubiquiti issued another statement asserting that its previous analysis of the data breach had not changed even after involving third-party investigators.
Ubiquiti maintains that its investigation team discovered no evidence that customer information was accessed or targeted.
“These experts identified no evidence that customer information was accessed or even targeted. The attacker, who unsuccessfully attempted to extort the company by threatening to release stolen source code and specific IT credentials, never claimed to have accessed any customer information.”
The company says the whistleblower has no evidence that customer data was accessed. However, the investigator says poor security practices prevented the company from knowing the full extent of the breach.
“Ubiquiti had negligent logging (no access logging on databases), so it was unable to prove or disprove what they accessed, but the attacker targeted the credentials to the databases and created Linux instances with networking connectivity to said databases,” he said.
He also pointed out that the company should have invalidated all user credentials immediately after the data breach was discovered.
Ubiquiti, however, acknowledged that the attacker was familiar with its cloud systems but refused to divulge additional information citing an ongoing investigation.
“At this point, we have well-developed evidence that the perpetrator is an individual with intricate knowledge of our cloud infrastructure. As we are cooperating with law enforcement in an ongoing investigation, we cannot comment further.”
The company still advised its customers to change their passwords and enable two-factor authentication, including on any other accounts where the customers had reused their user ID or password.
“Given root-account access to an AWS account, an attacker could dig in in ways that would be incredibly difficult to evict,” says David “moose” Wolpoff, Co-founder and CTO of Randori. “Given the nature of Ubiquiti’s products and services, it’s very conceivable that an attacker with such privileges could have achieved access to customers’ sensitive data and environments.”
Moose compared the Ubiquiti data breach with the SolarWinds supply chain attack. He says that customers should always expect and prepare for vendor compromise.
“The nature of many of Ubiquiti’s products make it more difficult to detect and respond to a supply-chain initiated compromise, in that networking infrastructure itself might be commonly used in detecting a breach, and as such, it’s likely that most customers assume such a vendor will have made significant investments in their own security.”