The IT Nerd

In January, Ubiquiti Networks which makes enterprise class networking gear sent out a notification to its customers informing them of a security breach and asking all users to change their account passwords and turn on two-factor authentication.

“We recently became aware of unauthorized access to certain of our information technology systems hosted by a third party cloud provider,”

That’s what Ubiquiti said at the time. Now, according to Krebs on Security, a whistleblower “alleges Ubiquiti massively downplayed a ‘catastrophic’ incident to minimize the hit to its stock price, and that the third-party cloud provider claim was a fabrication.” 

A security professional at Ubiquiti who helped the company respond to the two-month breach beginning in December 2020 contacted KrebsOnSecurity after raising his concerns with both Ubiquiti’s whistleblower hotline and with European data protection authorities. The source — we’ll call him Adam — spoke on condition of anonymity for fear of retribution by Ubiquiti.

“It was catastrophically worse than reported, and legal silenced and overruled efforts to decisively protect customers,” Adam wrote in a letter to the European Data Protection Supervisor. “The breach was massive, customer data was at risk, access to customers’ devices deployed in corporations and homes around the world was at risk.”

Ubiquiti has not responded to repeated requests for comment.

According to Adam, the hackers obtained full read/write access to Ubiquiti databases at Amazon Web Services (AWS), which was the alleged “third party” involved in the breach. Ubiquiti’s breach disclosure, he wrote, was “downplayed and purposefully written to imply that a 3rd party cloud vendor was at risk and that Ubiquiti was merely a casualty of that, instead of the target of the attack.”

And there’s more:

Adam says the attacker(s) had access to privileged credentials that were previously stored in the LastPass account of a Ubiquiti IT employee, and gained root administrator access to all Ubiquiti AWS accounts, including all S3 data buckets, all application logs, all databases, all user database credentials, and secrets required to forge single sign-on (SSO) cookies.

Such access could have allowed the intruders to remotely authenticate to countless Ubiquiti cloud-based devices around the world. According to its website, Ubiquiti has shipped more than 85 million devices that play a key role in networking infrastructure in over 200 countries and territories worldwide.

If this is true, this is extremely concerning. Especially if your company owns their hardware. Ubiquiti needs to answer this and do so immediately as enterprise users who have their gear and read this may take the nuclear approach and rip their gear out to keep their IT environments secure. What also needs to happen is that there needs to be an investigation to see if Ubiquiti broke the law in this incident. And those at the company who made any decisions to apparently downplay this need to be punished accordingly.

This entry was posted on March 31, 2021 at 8:52 am and is filed under Commentary with tags Ubiquiti. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.