The Ubiquiti Hack Was More Disastrous Than Reported

by Emma Davis
March 31, 2021
The Ubiquiti hack was disastrous
Written by Emma Davis

KrebsOnSecurity source claims that the January 2021 hack of major cloud IoT device vendor Ubiquiti was more disastrous than officially reported.

As a reminder, Ubiquiti reported earlier this year that a third-party cloud service provider had been hacked, resulting in theft of customer credentials.

However, KrebsOnSecurity source said that Ubiquiti grossly downplayed the “catastrophic” incident in order to minimize the impact on its share price, and the third-party cloud service provider’s claim was fabricated.

It was much worse than reported and it was kept quiet. The hack was serious, customer data was at risk, and access to customer devices deployed in corporations and homes around the world was at risk.said the security specialist who helped Ubiquiti respond to the incident.

The company became aware of “unauthorized access to certain IT systems hosted by a third-party cloud provider,” although the firm’s name was not disclosed, as reported in the January 11 notice. According to the expert, the hackers gained full read and write access to the Ubiquiti databases on Amazon Web Services (AWS), which was supposedly the same “third party”.

In fact, according to the expert, attackers gained administrative access to Ubiquiti servers in Amazon’s cloud service, which secures the underlying server hardware and software.

Attackers gained access to privileged credentials that were previously stored in the Ubiquiti IT employee’s LastPass account and gained superuser administrator access to all Ubiquiti AWS accounts, including all S3 data segments, application logs, databases, database credentials user data and information required to create Single sign-on cookies.said an anonymous specialist.

Such access could allow attackers to remotely log into countless Ubiquiti cloud devices around the world. As the specialist noted, at the end of December 2020, the Ubiquiti security service received a notification about the installation of several unreported Linux-based virtual machines on behalf of a user with administrator rights. Then cybersecurity experts discovered a backdoor that attacker injected into the system.

After removing the backdoor in January 2021, the attackers demanded 50 bitcoins (about $2.8 million) in exchange for a promise to remain silent about the hack. The hackers also provided evidence of the theft of Ubiquiti’s source code and promised to reveal the location of another backdoor if the ransom demand is met.

Ubiquiti did not contact the hackers, the source said, and the incident response team eventually found a second backdoor. The company changed the credentials for all employees and then began warning customers to reset their passwords. The expert believes that in fact the company should have cancelled all of its customers’ credentials and forced a password reset.

Let me remind you about the fact that Hackers injected a backdoor into the main PHP repository.

Sending
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

View all posts

Leave a Reply

Sending