zaphod Posted March 30, 2021

Quote:

A security professional at Ubiquiti who helped the company respond to the two-month breach beginning in December 2020 contacted KrebsOnSecurity after raising his concerns with both Ubiquiti’s whistleblower hotline and with European data protection authorities. The source — we’ll call him Adam — spoke on condition of anonymity for fear of retribution by Ubiquiti.

“It was catastrophically worse than reported, and legal silenced and overruled efforts to decisively protect customers,” Adam wrote in a letter to the European Data Protection Supervisor. “The breach was massive, customer data was at risk, access to customers’ devices deployed in corporations and homes around the world was at risk.”

Ubiquiti has not responded to repeated requests for comment.

According to Adam, the hackers obtained full read/write access to Ubiquiti databases at Amazon Web Services (AWS), which was the alleged “third party” involved in the breach. Ubiquiti’s breach disclosure, he wrote, was “downplayed and purposefully written to imply that a 3rd party cloud vendor was at risk and that Ubiquiti was merely a casualty of that, instead of the target of the attack.”

In its Jan. 11 public notice, Ubiquiti said it became aware of “unauthorized access to certain of our information technology systems hosted by a third party cloud provider,” although it declined to name the third party.

In reality, Adam said, the attackers had gained administrative access to Ubiquiti’s servers at Amazon’s cloud service, which secures the underlying server hardware and software but requires the cloud tenant (client) to secure access to any data stored there.

“They were able to get cryptographic secrets for single sign-on cookies and remote access, full source code control contents, and signing keys exfiltration,” Adam said.

https://krebsonsecurity.com/2021/03/whistleblower-ubiquiti-breach-catastrophic/
BraydonH Posted March 30, 2021

So it was just people using AWS that have an issue? Any system with a Cloud Key or Dream Machine wasn't affected?
msgreenf Posted March 30, 2021

3 minutes ago, BraydonH said: So it was just people using AWS that have an issue? Any system with a Cloud Key or Dream Machine wasn't affected?

No. All customers were impacted.
zaphod Posted March 30, 2021

That's not clear. I am not sure if I was really affected as I run the controller in a docker under unRAID on my LAN. Maybe it stores credentials, etc. in the cloud even if you have a local controller to facilitate remote access.
msgreenf Posted March 30, 2021

Yes. All creds are in the cloud.
DLite Posted March 30, 2021

Other than changing our passwords, are there any other precautionary steps that would be helpful to take?
ekohn00 Posted March 30, 2021

4 minutes ago, DLite said: Other than changing our passwords, are there any other precautionary steps that would be helpful to take?

turn on 2FA
DLite Posted March 30, 2021

Just now, ekohn00 said: turn on 2FA

I had that on. Do I need to reset it or anything?
ekohn00 Posted March 30, 2021

Just now, DLite said: I had that on. Do I need to reset it or anything?

just reset your password to be safe.
zaphod Posted March 30, 2021

Where do you turn on 2FA? Is this in the Controller UI? I tried to go into the Administrator config where you change the password, but I don't see anything.
ekohn00 Posted March 30, 2021

2 minutes ago, zaphod said: Where do you turn on 2FA? Is this in the Controller UI? I tried to go into the Administrator config where you change the password, but I don't see anything.

Once you log in online, I believe it’s part of your profile.
zaphod Posted March 30, 2021

I don't see it as an option but my controller is local in an unRAID docker container so maybe this isn't applicable to me.
ekohn00 Posted March 30, 2021

10 minutes ago, zaphod said: I don't see it as an option but my controller is local in an unRAID docker container so maybe this isn't applicable to me.

Go here: https://account.ui.com/security
blackfiveo1 Posted March 31, 2021

This is totally misleading and I agree that they are trying to make it look like an AWS issue, not the fact they were careless or ignorant with their security of their credentials. This is 100% on Ubiquiti, not AWS. I work in this space and unfortunately something similar happened; however, my company owned their mistake instead of smoke and mirrors trying to push it off as AWS.

To me this is the same as buying a car with a seatbelt and you are wearing the seatbelt incorrectly, possibly just around your waist but not the shoulder. Then you get in a wreck, get injured and blame the car company for a bad seat belt.

Very poorly handled by Ubiquiti.
msgreenf Posted March 31, 2021

Sounds like it was a phishing attack that led to device compromise and remote shell.
ekohn00 Posted March 31, 2021

44 minutes ago, blackfiveo1 said: This is totally misleading and I agree that they are trying to make it look like an AWS issue, not the fact they were careless or ignorant with their security of their credentials. This is 100% on Ubiquiti, not AWS. I work in this space and unfortunately something similar happened; however, my company owned their mistake instead of smoke and mirrors trying to push it off as AWS. To me this is the same as buying a car with a seatbelt and you are wearing the seatbelt incorrectly, possibly just around your waist but not the shoulder. Then you get in a wreck, get injured and blame the car company for a bad seat belt. Very poorly handled by Ubiquiti.

I don't think they blamed AWS. They just stated the servers breached are located on AWS (originally just said 3rd party). It would be stupid to blame AWS for compromised password access.

What they didn't do is clearly identify affected users and what was affected, i.e. was it credit card data, was it just my online password, is it my online access to a UDM, etc. And this is where I'd agree they poorly handled the announcement.
blackfiveo1 Posted March 31, 2021

I would be absolutely ashamed to work for this company. If you go to their news on the website, no mention of this. How companies try to misdirect and deflect these breaches is mind boggling. Companies should OWN their mistakes.

Based on the wording of their release, “unauthorized access to certain of our information technology systems hosted by a third party cloud provider,” this seems intentional wordcrafting to me to cause vagueness and divert responsibility.

IMHO, whether it was in an on-site data center or a cloud, why does that matter? It was still their responsibility to properly secure their password tokens. They are trying to insinuate that the cloud provider was somehow at fault.
msgreenf Posted March 31, 2021

Exactly. Responsibility is w the app owner.
zaphod Posted March 31, 2021

Ubiquiti has been getting hammered in the stock market since this news broke about 24 hours ago. The stock is down over 20% in the last two days.
msgreenf Posted March 31, 2021

Just now, zaphod said: Ubiquiti has been getting hammered in the stock market since this news broke about 24 hours ago. The stock is down over 20% in the last two days.

doesn't matter - give it 6 months and stock will be at all time high
eggzlot Posted March 31, 2021

10 minutes ago, msgreenf said: doesn't matter - give it 6 months and stock will be at all time high

not unless I buy it - it will continue to sink like a rock
Cyknight Posted March 31, 2021

9 minutes ago, msgreenf said: doesn't matter - give it 6 months and stock will be at all time high

May not prove to be that simple in this case. IF they are found to have withheld information (if not right out lied) to some of these privacy/data supervision agencies this could have a very long tail indeed. Not to mention potential defamation suit by AWS.
zaphod Posted March 31, 2021

I don't disagree with your sentiment that people will forget about this. But they have been doing a good job pissing people off recently with really bad software updates, ads in their web UI and now this.
ekohn00 Posted March 31, 2021

5 hours ago, blackfiveo1 said: if you go to their news on the website no mention of this.

Not going to downplay a breach. But if you're going to bash someone for this...... https://www.solarwinds.com/
msgreenf Posted March 31, 2021

but look at Home Depot - others - generally speaking the market forgets about a data breach and its expenses.......even SolarWinds is only down 14%