A quick browse through the Ubiquiti website will reveal a company that wants you to know its network solutions are the best of the best. But what the company seemingly doesn’t want you to know is that it suffered a security breach far worse than it let on back in January.
A few months back Ubiquiti alerted customers to a security breach at a third party cloud provider by a hacker who gained access to user data. While the firm said it found no evidence that user data had been exposed, it couldn’t be certain.
Now, however, a whistleblower from within the firm has revealed that Ubiquiti may have downplayed the severity of the breach.
“It was catastrophically worse than reported, and legal silenced and overruled efforts to decisively protect customers,” the whistleblower told Brian Krebs. “The breach was massive, customer data was at risk, access to customers’ devices deployed in corporations and homes around the world was at risk.”
The whistleblower told Krebs that the attacker was able to gain administrative access to Ubiquiti’s servers but things get worse. The whistleblower alleges that the attacker had access to a LastPass account. With the credentials contained within this account the attacker was able to gain root admin access to all Ubiquiti AWS accounts. That means S3 data buckets, application logs, databases, the whole kit and caboodle.
With this access the attacker could access Ubiquiti gear that was set up to make use of the company’s cloud service.
“Ubiquiti had negligent logging (no access logging on databases) so it was unable to prove or disprove what they accessed, but the attacker targeted the credentials to the databases, and created Linux instances with networking connectivity to said databases,” the whistleblower claims.
Now, Ubiquiti has refuted these allegations stating that since disclosing the breach in January, nothing has changed.
“At the outset, please note that nothing has changed with respect to our analysis of customer data and the security of our products since our notification on January 11. In response to this incident, we leveraged external incident response experts to conduct a thorough investigation to ensure the attacker was locked out of our systems,” wrote Ubiquiti.
“These experts identified no evidence that customer information was accessed, or even targeted. The attacker, who unsuccessfully attempted to extort the company by threatening to release stolen source code and specific IT credentials, never claimed to have accessed any customer information. This, along with other evidence, is why we believe that customer data was not the target of, or otherwise accessed in connection with, the incident,” the firm added.
Ubiquiti says it has evidence that points to “an individual with intricate knowledge of our cloud infrastructure”.
But as the whistleblower made clear, Ubiquiti doesn’t keep access logs so how would it know? Further to that, mention of a “third party cloud provider” has all but disappeared from the firm’s recollection of the breach.
It seems then that Ubiquiti downplayed the severity of this breach and as the whistleblower says, locking accounts and requiring a password reset would have been the best course of action.
This is all very concerning and if you are making use of Ubiquiti products or services it’s vital that you change your passwords and enable multi-factor authentication.
[Image – CC 0 Pixabay]