Ubiquiti Hack - What happened?

Ubiquiti, one of the largest suppliers of network hardware suffered a catastrophic hack earlier this year. What do we know?

A Unifi Switch managed by the Unifi Cloud. A Unifi Switch managed by the Unifi Cloud.

On January 11th, the team that manages Unifi SSO announced to account holders via email that they were aware of, “Unauthorized access to certain of our information technology systems hosted by a third party cloud provider.” They went on to state that, “We have no indication that there has been unauthorized activity with respect to any user’s account.” The 3rd party company was not named, and as the email also stated that, “We are not currently aware of evidence of access to any databases that host user data,” most people, after changing their passwords did not think much more about this issue.

On March 30, 2021, that all changed. Security reporter Brian Krebs broke a story that alleged that the hack had been much bigger than first thought externally. Krebs’ story featured information from an insider who blew the whistle on Ubiquiti. The story not surprisingly caused quite a stir.

The post contained concerning details, to say the least. Krebs’ says

According to Adam, the hackers obtained full read/write access to Ubiquiti databases at Amazon Web Services (AWS), which was the alleged “third party” involved in the breach. Ubiquiti’s breach disclosure, he wrote, was “downplayed and purposefully written to imply that a 3rd party cloud vendor was at risk and that Ubiquiti was merely a casualty of that, instead of the target of the attack.”

This is concerning not only because the attack scope was much larger, but because the company was making an effort to cover up its mess.

Krebs’ source says that attackers, using a hacked IT Lastpass account, “gained root administrator access to all Ubiquiti AWS accounts, including all S3 data buckets, all application logs, all databases, all user database credentials, and secrets required to forge single sign-on (SSO) cookies.

Wow. Access to AWS basically gave the hacker(s) the keys to the kingdom. The source says that attackers demanded 50 Bitcoins in ransom to keep quiet. Ubiquiti did not pay the ransom and was able to find a remove two backdoors left by attackers.

“Ubiquiti had negligent logging (no access logging on databases) so it was unable to prove or disprove what they accessed, but the attacker targeted the credentials to the databases, and created Linux instances with networking connectivity to said databases,"

Ubiquiti still maintains their position that they have no indication of account access. In a forum post responding to the Krebs post, the company states that they still do not have any evidence.

These experts identified no evidence that customer information was accessed, or even targeted. The attacker, who unsuccessfully attempted to extort the company by threatening to release stolen source code and specific IT credentials, never claimed to have accessed any customer information. This, along with other evidence, is why we believe that customer data was not the target of, or otherwise accessed in connection with, the incident.

Even if we trust this statement that they think that no user credentials were accessed, the truth is that there is no way to really know. Even if no user accounts were accessed, the reputation damage caused is huge. Enterprise hardware and software makers need to have the trust of their clients. Ubiquiti has lost a lot of trust during this event. It would have been much better to make a clear statement at the start of this mess.

The legal consequences may be bad as well. Several legal firms are investigating the issue to see whether Ubiquiti tried to cover up the issue to prevent hits to its stock.

Hopefully, this is the last we hear of this issue. Obviously, if you haven’t changed your Ubiquiti Cloud passwords, you should do so now. The reality of this issue is we don’t know how far the attackers penetrated due to a lack of good logging by Ubiquiti. This is where having good logs really pays off.

Links/Sources:

Here is the full transcript of the email sent out on Jan. 11th.

Dear Customer,


We recently became aware of unauthorized access to certain of our information technology systems hosted by a third party cloud provider. We have no indication that there has been unauthorized activity with respect to any user’s account.

We are not currently aware of evidence of access to any databases that host user data, but we cannot be certain that user data has not been exposed. This data may include your name, email address, and the one-way encrypted password to your account (in technical terms, the passwords are hashed and salted). The data may also include your address and phone number if you have provided that to us.

As a precaution, we encourage you to change your password. We recommend that you also change your password on any website where you use the same user ID or password. Finally, we recommend that you enable two-factor authentication on your Ubiquiti accounts if you have not already done so.

Krebs’ Post:

Whistleblower: Ubiquiti Breach “Catastrophic” – Krebs on Security

Ubiquiti’s response to Krebs

Update to January 2021 Account Notification | Ubiquiti Community

Related Legal Ramifications

SHAREHOLDER ALERT: Ubiquiti, Inc. Investigated for Possible Securities Laws Violations by Block & Leviton LLP; Investors Should Contact the Firm (yahoo.com)

Gavin
Gavin
CompTIA Security+ Certified IT Professional