C4 Forums | Control4

Ubiquiti security breach worse than previously disclosed


zaphod


Quote
A security professional at Ubiquiti who helped the company respond to the two-month breach beginning in December 2020 contacted KrebsOnSecurity after raising his concerns with both Ubiquiti’s whistleblower hotline and with European data protection authorities. The source — we’ll call him Adam — spoke on condition of anonymity for fear of retribution by Ubiquiti.

“It was catastrophically worse than reported, and legal silenced and overruled efforts to decisively protect customers,” Adam wrote in a letter to the European Data Protection Supervisor. “The breach was massive, customer data was at risk, access to customers’ devices deployed in corporations and homes around the world was at risk.”

Ubiquiti has not responded to repeated requests for comment.

According to Adam, the hackers obtained full read/write access to Ubiquiti databases at Amazon Web Services (AWS), which was the alleged “third party” involved in the breach. Ubiquiti’s breach disclosure, he wrote, was “downplayed and purposefully written to imply that a 3rd party cloud vendor was at risk and that Ubiquiti was merely a casualty of that, instead of the target of the attack.”

In its Jan. 11 public notice, Ubiquiti said it became aware of “unauthorized access to certain of our information technology systems hosted by a third party cloud provider,” although it declined to name the third party.

In reality, Adam said, the attackers had gained administrative access to Ubiquiti’s servers at Amazon’s cloud service, which secures the underlying server hardware and software but requires the cloud tenant (client) to secure access to any data stored there.

“They were able to get cryptographic secrets for single sign-on cookies and remote access, full source code control contents, and signing keys exfiltration,” Adam said.


https://krebsonsecurity.com/2021/03/whistleblower-ubiquiti-breach-catastrophic/



That's not clear. I am not sure if I was really affected, as I run the controller in a Docker container under unRAID on my LAN. Maybe it stores credentials, etc. in the cloud even if you have a local controller, to facilitate remote access.


2 minutes ago, zaphod said:

Where do you turn on 2FA?  Is this in the Controller UI? I tried to go into the Administrator config where you change the password, but I don't see anything.

Once you log in online, I believe it's part of your profile.


This is totally misleading, and I agree that they are trying to make it look like an AWS issue rather than the fact that they were careless or ignorant with the security of their credentials. This is 100% on Ubiquiti, not AWS. I work in this space, and unfortunately something similar happened; however, my company owned their mistake instead of using smoke and mirrors to try to push it off as AWS.

To me, this is the same as buying a car with a seatbelt and wearing the seatbelt incorrectly, possibly just around your waist but not the shoulder. Then you get in a wreck, get injured, and blame the car company for a bad seatbelt.


Very poorly handled by Ubiquiti.


44 minutes ago, blackfiveo1 said:

This is totally misleading, and I agree that they are trying to make it look like an AWS issue rather than the fact that they were careless or ignorant with the security of their credentials. This is 100% on Ubiquiti, not AWS. I work in this space, and unfortunately something similar happened; however, my company owned their mistake instead of using smoke and mirrors to try to push it off as AWS.

To me, this is the same as buying a car with a seatbelt and wearing the seatbelt incorrectly, possibly just around your waist but not the shoulder. Then you get in a wreck, get injured, and blame the car company for a bad seatbelt.


Very poorly handled by Ubiquiti.

I don't think they blamed AWS. They just stated that the servers breached are located on AWS (originally they just said "3rd party"). It would be stupid to blame AWS for compromised password access.

What they didn't do is clearly identify affected users and what was affected, i.e. was it credit card data, was it just my online password, is it my online access to a UDM, etc. And this is where I'd agree they poorly handled the announcement.


I would be absolutely ashamed to work for this company. If you go to their news on the website, there is no mention of this. How companies try to misdirect and deflect these breaches is mind-boggling. Companies should OWN their mistakes. Based on the wording of their release, “unauthorized access to certain of our information technology systems hosted by a third party cloud provider,”

This seems intentional wordcrafting to me to cause vagueness and divert responsibility.


IMHO, whether it was in an on-site data center or a cloud, why does that matter? It was still their responsibility to properly secure their password tokens. They are trying to insinuate that the cloud provider was somehow at fault.


Just now, zaphod said:

Ubiquiti has been getting hammered in the stock market since this news broke about 24 hours ago. The stock is down over 20% in the last two days.

Doesn't matter - give it 6 months and the stock will be at an all-time high.


9 minutes ago, msgreenf said:

Doesn't matter - give it 6 months and the stock will be at an all-time high.

May not prove to be that simple in this case.

IF they are found to have withheld information from (if not outright lied to) some of these privacy/data supervision agencies, this could have a very long tail indeed.

Not to mention a potential defamation suit by AWS.
