A KrebsOnSecurity source claims that the January 2021 breach of Ubiquiti, a major vendor of cloud-managed IoT and networking devices, was far more serious than officially reported.
As a reminder, Ubiquiti reported earlier this year that a third-party cloud service provider had been hacked, resulting in the theft of customer credentials. However, the KrebsOnSecurity source said that Ubiquiti grossly downplayed the "catastrophic" incident in order to minimize the impact on its share price, and that the "third-party cloud service provider" story was a fabrication.
In its January 11 notice the company said it had become aware of "unauthorized access to certain IT systems hosted by a third-party cloud provider," without naming that provider. According to the source, the "third party" was in fact Amazon Web Services (AWS), and the attackers gained full read and write access to Ubiquiti's databases hosted there.
More precisely, the source said, the attackers obtained administrative access to Ubiquiti's servers in Amazon's cloud. AWS secures the underlying server hardware and virtualization layer, but under its shared-responsibility model the tenant remains responsible for controlling who can access the systems and data it runs there; an attacker holding valid administrative credentials for the tenant's account is therefore operating entirely within the tenant's own area of responsibility, not exploiting Amazon's infrastructure.
Such access could have allowed the attackers to remotely log into countless Ubiquiti cloud-managed devices around the world. According to the source, in late December 2020 Ubiquiti's security team picked up signals that someone with administrative rights had set up several Linux-based virtual machines that were not accounted for. Investigators then found a backdoor the attacker had planted in the environment.
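The signal described above, an administrator identity launching virtual machines that nobody accounted for, is exactly the kind of thing CloudTrail can surface if someone is looking. The following is an added example, not code from the original article or from Ubiquiti: it walks a list of CloudTrail-style records, picks out `RunInstances` events, and flags every launched instance that is missing from an approved inventory, uses an AMI outside the approved set, or was launched by a principal not expected to launch anything. The field names follow the real CloudTrail schema (`eventName`, `eventSource`, `userIdentity.arn`, `responseElements.instancesSet.items`), but the events, account ID, ARNs, instance IDs and inventory sets are constructed for illustration.

```python
"""Flag EC2 instance launches that are not accounted for in an inventory.

Added example, not part of the original article or of Ubiquiti's tooling.
The records below are constructed CloudTrail-style events; field names match
the real CloudTrail schema, values are invented. In practice the events would
be read from the CloudTrail S3 bucket or a SIEM export, one JSON object each.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Iterator, Tuple

# Constructed sample events: two launches by a named admin user, one launch by
# the CI role, and one unrelated read-only call.
SAMPLE_EVENTS = [
    {
        "eventTime": "2020-12-28T02:11:09Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111111111111:user/ops-admin"},
        "sourceIPAddress": "198.51.100.23",
        "responseElements": {"instancesSet": {"items": [
            {"instanceId": "i-0aaa111", "imageId": "ami-0linux01"},
            {"instanceId": "i-0aaa112", "imageId": "ami-0linux01"},
        ]}},
    },
    {
        "eventTime": "2020-12-28T09:30:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111111111111:assumed-role/ci-deployer/build-42"},
        "sourceIPAddress": "203.0.113.5",
        "responseElements": {"instancesSet": {"items": [
            {"instanceId": "i-0bbb201", "imageId": "ami-0app01"},
        ]}},
    },
    {
        "eventTime": "2020-12-28T09:31:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111111111111:user/ops-admin"},
        "sourceIPAddress": "198.51.100.23",
    },
]

# Constructed inventory (assumptions): instances a change ticket accounts for,
# AMIs the pipeline may launch, and principals expected to launch instances.
APPROVED_INSTANCES = {"i-0bbb201"}
APPROVED_AMIS = {"ami-0app01"}
EXPECTED_LAUNCHERS = {"arn:aws:sts::111111111111:assumed-role/ci-deployer/build-42"}


@dataclass(frozen=True)
class Finding:
    event_time: str
    actor: str
    source_ip: str
    instance_id: str
    image_id: str
    reasons: Tuple[str, ...]


def launched_instances(event: dict) -> Iterator[Tuple[str, str]]:
    """Yield (instanceId, imageId) for every instance a RunInstances event created.

    A failed RunInstances call carries an errorCode and responseElements is
    null, so treat a missing response as "nothing launched".
    """
    if event.get("eventSource") != "ec2.amazonaws.com":
        return
    if event.get("eventName") != "RunInstances":
        return
    response = event.get("responseElements") or {}
    items = (response.get("instancesSet") or {}).get("items") or []
    for item in items:
        yield item["instanceId"], item.get("imageId", "")


def find_unaccounted_launches(events: Iterable[dict],
                              approved_instances: set,
                              approved_amis: set,
                              expected_launchers: set) -> list:
    """Return a Finding for each launched instance that fails any check."""
    findings = []
    for event in events:
        actor = (event.get("userIdentity") or {}).get("arn", "<unknown>")
        for instance_id, image_id in launched_instances(event):
            reasons = []
            if instance_id not in approved_instances:
                reasons.append("instance not in approved inventory")
            if image_id not in approved_amis:
                reasons.append("AMI not on approved list")
            if actor not in expected_launchers:
                reasons.append("launched by unexpected principal")
            if reasons:
                findings.append(Finding(event.get("eventTime", ""), actor,
                                        event.get("sourceIPAddress", ""),
                                        instance_id, image_id, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in find_unaccounted_launches(SAMPLE_EVENTS, APPROVED_INSTANCES,
                                       APPROVED_AMIS, EXPECTED_LAUNCHERS):
        print(f"{f.event_time} {f.actor} from {f.source_ip} launched "
              f"{f.instance_id} ({f.image_id}): {'; '.join(f.reasons)}")
```

Run against the constructed events, the two instances launched by the admin user are reported with all three reasons, while the CI launch is silent. The inventory check is the important one: an attacker with valid admin credentials looks like a legitimate admin in every other field, so the only reliable tell is that nobody asked for those machines. Feeding the real approved-inventory and launcher lists from a change-management system, rather than hard-coding them as here, is the part this example leaves to the reader.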
After that backdoor was removed in January 2021, the attackers demanded 50 bitcoins (about $2.8 million at the time) in exchange for a promise to stay silent about the intrusion. They also provided evidence that they had stolen Ubiquiti's source code and promised to reveal the location of a second backdoor if the ransom was paid.
Ubiquiti did not engage with the hackers, the source said, and the incident response team eventually found the second backdoor on its own. The company rotated the credentials of all employees and then began advising customers to reset their passwords. In the source's view, the company should instead have invalidated all customer credentials and forced a password reset, rather than merely recommending one.
Let me also remind you that hackers injected a backdoor into the main PHP repository.