The data breach disclosed by Ubiquiti in January could be just the tip of the iceberg; a deeper incident could have hit the company.
In January, American technology vendor Ubiquiti Networks suffered a data breach and sent notification emails to its customers asking them to change their passwords and enable 2FA for their accounts.
Ubiquiti, which makes a range of IoT gear (routers, locks, Web cams, NVRs) & has a cloud solution for managing those, just told customers to reset passwords/enable 2FA after discovering "unauthorized access to certain of our IT systems hosted by a third party cloud provider." pic.twitter.com/O0dmNVruS5
— briankrebs (@briankrebs) January 11, 2021
At the time of the disclosure, the company said it had discovered unauthorized access to some of its systems managed by a third-party cloud provider.
It added that it was not aware of any access to databases containing user data.
New information is now emerging from the investigation: the situation could be catastrophic, according to a source involved in the incident response who spoke on condition of anonymity.
The source explained that the story of the breach of a third-party cloud provider was a fabrication to minimize the impact on the company stock price.
“Now a source who participated in the response to that breach alleges Ubiquiti massively downplayed a “catastrophic” incident to minimize the hit to its stock price, and that the third-party cloud provider claim was a fabrication,” states the popular investigator Brian Krebs.
[the data breach was] “downplayed and purposefully written to imply that a 3rd party cloud vendor was at risk and that Ubiquiti was merely a casualty of that, instead of the target of the attack.”
https://twitter.com/briankrebs/status/1376958635113349121
The source also sent a letter to the European Data Protection Supervisor to provide additional details about the incident.
“It was catastrophically worse than reported, and legal silenced and overruled efforts to decisively protect customers,” the source wrote in a letter sent to the European Data Protection Supervisor. “The breach was massive, customer data was at risk, access to customers’ devices deployed in corporations and homes around the world was at risk.”
According to the source, the company launched an investigation into the incident in December 2020, after the intruders gained full access to Ubiquiti databases at Amazon Web Services (AWS), which was the alleged “third party” involved in the breach.
Finally, the attackers gained root administrator access to all AWS accounts of the vendor, including all S3 data buckets, all databases, all user database credentials, secrets used to forge single sign-on (SSO) cookies, and logs.
The source added that the attackers had access to privileged credentials that were previously stored in the LastPass account of a Ubiquiti IT employee.
In this scenario, attackers were able to remotely access every Ubiquiti cloud-based device used by its customers.
The source also revealed that in late December 2020 security experts at Ubiquiti discovered that someone with administrative access had set up several Linux virtual machines. Further investigation revealed the presence of a backdoor on their infrastructure that was removed in the first week of January.
Once the backdoor was removed, the attackers contacted the company and asked for a payment of 50 bitcoin in exchange for not publicly disclosing the details of the security breach. The attackers also provided proof that they had stolen the company's source code and revealed that they had planted another backdoor in its infrastructure.
The security team involved in the incident response also found the second backdoor and removed it.
“Ubiquiti had negligent logging (no access logging on databases) so it was unable to prove or disprove what they accessed, but the attacker targeted the credentials to the databases, and created Linux instances with networking connectivity to said databases,” continues the source. “Legal overrode the repeated requests to force rotation of all customer credentials, and to revert any device access permission changes within the relevant period.”
On March 31, Ubiquiti published a new statement on its user forum reiterating that it had identified no evidence that customer information was exposed.
“The attacker, who unsuccessfully attempted to extort the company by threatening to release stolen source code and specific IT credentials, never claimed to have accessed any customer information. This, along with other evidence, is why we believe that customer data was not the target of, or otherwise accessed in connection with, the incident,” reads the statement.
“At this point, we have well-developed evidence that the perpetrator is an individual with intricate knowledge of our cloud infrastructure. As we are cooperating with law enforcement in an ongoing investigation, we cannot comment further.”
Pierluigi Paganini
International Editor-in-Chief
Cyber Defense Magazine