In January of this year, Ubiquiti notified its customers that there had been a breach affecting part of its IT stack that was “hosted by a third-party cloud provider”. The notice went on to say that although there was no evidence of unauthorized access to users’ accounts, user data may have been exposed as part of the attack. The potentially exposed data included full names, email addresses, passwords, physical addresses, and phone numbers, although Ubiquiti noted that the passwords had been hashed and salted. Ubiquiti closed its notification by recommending several security measures for users to take, including resetting potentially affected passwords and enabling two-factor authentication (2FA).
In late March, however, Brian Krebs of KrebsOnSecurity.com published an article detailing the account of a whistleblower at Ubiquiti who disputed several of the key statements in that notice. The anonymous whistleblower, codenamed ‘Adam’, described the breach as “catastrophically worse than reported” and said that Ubiquiti’s legal team had “silenced and overruled efforts to decisively protect customers.”
According to Adam, the attackers gained privileged access to Ubiquiti’s AWS environment, implanted two backdoors, and obtained Ubiquiti’s internal source code. He further stated that the attackers used an IT employee’s credentials to gain root access to all of Ubiquiti’s AWS accounts, which “could have allowed the intruders to remotely authenticate to countless Ubiquiti” devices around the world. Adam argued that Ubiquiti had not been cautious enough in merely requesting that customers reset their passwords: the reset should not have been optional, and Ubiquiti “should have immediately invalidated all of its customers’ credentials” as a precaution.
One of the two backdoors was discovered and removed after an irregularity was found in Ubiquiti’s virtual environments. The backdoor’s removal alerted the attackers, who then contacted Ubiquiti and attempted to extort $2.8M worth of Bitcoin, in exchange for staying silent about the breach and for disclosing the location of the second backdoor. Both Ubiquiti’s and Adam’s statements indicate that the extortion attempt was ignored, and Adam said the second backdoor was subsequently found by the external Incident Response (IR) team that had been hired to assist with the breach.
Ubiquiti did not reply to Krebs’ request for comment, but it did issue a follow-up statement on its support forum. It stated that “nothing has changed” with respect to its breach analysis, and that its IR team had found “no evidence that customer information was accessed, or even targeted”. It did, however, confirm that the extortion attempt happened, noting that the attackers “attempted to extort the company by threatening to release stolen source code and specific IT credentials.”
Krebs then published a further article responding to Ubiquiti’s statement, saying it “actually confirms and reinforces” Adam’s allegations. He also pointed out that, prior to the breach disclosure, Ubiquiti had changed the authentication scheme in many of its products, making it “difficult to administer these devices without first authenticating to Ubiquiti’s cloud infrastructure.” He added that there were “countless” threads on Ubiquiti’s user forums from customers “upset over the potential for introducing new security risks.” Then, on January 11th, Ubiquiti “gave weight to that angst” by announcing that a breach had occurred.
After recapping the breach and the whistleblower’s story, Krebs stated that “Ubiquiti’s statement largely confirmed the reporting here by not disputing any of the facts raised in the piece”. Adam also noted that “Ubiquiti had negligent logging”, and that this was how the company was able to state that “there is no evidence that customer information was accessed.” Krebs added that Adam contacted KrebsOnSecurity.com only after raising these concerns through the Ubiquiti whistleblower hotline and with the European Data Protection Supervisor.
While doubts remain about how this saga truly unfolded, the recommendations made by both Ubiquiti and Adam should still be heeded. If you or your company use Ubiquiti’s gear, increase your account security by changing your passwords (if you haven’t already) and enabling 2FA. Additionally, Ubiquiti users are encouraged to “change your password on any website where you use the same user ID or password” as a precaution against those accounts being compromised through credential reuse.
Ubiquiti has yet to respond to KrebsOnSecurity’s April 4th follow-up article.