Ubiquiti Breach Exposed as “Catastrophic” by an Anonymous Whistleblower

Posted on by Dawna M. Roberts in News April 08, 2021

 An anonymous whistleblower exposes Ubiquiti’s hacking incident as catastrophic and reveals that they attempted to cover it up, putting customers at risk.

What Happened?

On January 11, Ubiquiti Inc. reported a data breach and downplayed it, saying it involved a third-party cloud vendor. However, the IoT (internet of things) device vendor failed to disclose that the breach was far worse than they initially reported. The actual breach, which they hinted had exposed customer credentials, was actually much more serious, and experts believe they minimized the notification to protect their stock price.

The whistleblower is actually a security professional who aided Ubiquiti after the data breach in December 2020. He worked on the issue for two months and has first-hand experience and a full understanding of what occurred.

The man contacted KrebsOnSecurity and said, 

“It was catastrophically worse than reported, and legal silenced and overruled efforts to decisively protect customers. The breach was massive; customer data was at risk, access to customers’ devices deployed in corporations and homes around the world was at risk.”

The security professional told KrebsOnSecurity that ‘the hackers obtained full read/write access to Ubiquiti databases at Amazon Web Services (AWS), which was the alleged “third party” involved in the breach. Ubiquiti’s breach disclosure, he wrote, was “downplayed and purposefully written to imply that a 3rd party cloud vendor was at risk and that Ubiquiti was merely a casualty of that, instead of the target of the attack.”’

How Has Ubiquiti Responded?

KrebsOnSecurity contacted Ubiquiti for a comment, and they have not yet responded.

On January 11, Ubiquiti posted a public notice regarding the incident but failed to name the third-party cloud vendor and downplayed the incident considerably. In it, they urged customers to change their passwords and turn on two-factor authentication. In fact, they explicitly deny that they have any knowledge of customer data exposed or stolen.

The whistleblower said that, in truth, the hackers had administrative control of the entire AWS server giving them everything they needed to access all customer and company data stored there. 

KrebsOnSecurity explains

“They were able to get cryptographic secrets for single sign-on cookies and remote access, full source code control contents, and signing keys exfiltration.”

“The attacker(s) had access to privileged credentials that were previously stored in the  LastPass  account of a Ubiquiti IT employee, and gained root administrator access to all Ubiquiti AWS accounts, including all S3 data buckets, all application logs, all databases, all user database credentials, and secrets required to forge single sign-on (SSO) cookies.”

The Scope of the Damage

Ubiquiti is responsible for more than 85 million IoT devices in 200 countries. With remote access capabilities and customer logins, that scope of risk is definitely catastrophic, as described by the security professional and whistleblower.

In December, the issue was discovered when they found someone using administrator access who had set up several Linux virtual machines, and they found a backdoor left in the system as well. After the security professionals removed it, the hackers sent them a message demanding $2.8 million in Bitcoin to keep quiet about the data breach. They provided proof that they had source code and could do an immense amount of damage with it.

Ubiquiti did not respond to the hackers, and their team of security professionals eventually found a second backdoor in the system. The company changed all internal credentials for employees, but instead of resetting customer accounts and forcing a password change, they simply notified customers to change their password the next time they logged in. That could keep a lot of customers at risk. Their legal department is the one who made the decision not to reset all accounts and to downplay the incident in the press.

Security experts urge all Ubiquiti customers to reset their passwords immediately, delete any profiles on the device, and update the firmware.

About the Author
IDStrong Logo

Related Articles

Instagram Vulnerability Allowed Hackers Access to Control Your Phone

Security experts Check Point Research discovered a critical vulnerability while examining Instagram’s c... Read More

Alien Malware Infects More than 226 Mobile Apps and Steals Bank Data

As reported on September 24, 2020, by ZDNet and ThreatPost, a new strain of malware named “Alien” is ... Read More

Universal Health Systems Hit by Ransomware Attack

Universal Health Systems (UHS), a Fortune 500 company owning more than 400 hospitals across the country, ... Read More

Exchange Server Bug Exposes a Big Risk to Hackers

Months after Microsoft released a patch to fix a serious flaw in MS Exchange Server, more than 61% of the... Read More

Scan Your Records for Breaches, Leaks & Exposures!