Ubiquiti hack may have been an inside job, federal charges suggest

An indictment from the Department of Justice suggests that the Ubiquiti hack reported in January, and subsequent whistleblower claims of a cover-up, were the work of someone who was then an employee of the company. The DOJ alleges that Nickolas Sharp, 36, was arrested on Wednesday on accusations that he used his employee credentials to download confidential data and sent anonymous demands to the company he worked for pretending to be a hacker in an attempt to get a ransom of 50 Bitcoin. You can read the full indictment below.

The indictment doesn’t specifically name Ubiquiti, only referring to a “Company-1.” However, all the details line up. In January, Ubiquiti sent an email to users saying an unauthorized party had accessed its “information technology systems hosted by a third party cloud provider.” In March, someone claiming to be a whistleblower represented the incident as “catastrophic,” alleging that the company couldn’t tell the full extent of the attack because it wasn’t keeping logs and that the attacker had access to Ubiquiti’s Amazon Web Services (AWS) servers.

The indictment says the company is based in New York, which Ubiquiti is, and says that the company’s stock price fell by around 20 percent between March 30th and March 31st after news broke of the incident. According to Yahoo Finance, Ubiquiti’s stock was worth $376.78 on March 29th and fell to $298.30 by March 31st.

Perhaps most notable is the allegation that Sharp posed as a whistleblower to media outlets in late March 2021 — the same time a whistleblower accused Ubiquiti of covering up the data breach’s severity, despite the company’s denial that user data was targeted. We also viewed a LinkedIn profile that appears to belong to Sharp and shows him working for Ubiquiti during the timespan listed in the indictment.

The DOJ alleges that Sharp accessed the company’s Amazon Web Services and Github accounts after applying for a job at another company in December 2020. The indictment says that another employee discovered the breach days after Sharp downloaded “gigabytes” of confidential data and applied AWS policies to limit logging. Sharp was allegedly assigned to the response team meant to assess the incident, and the DOJ says he used this position to try and avoid suspicion.

According to the indictment, Sharp sent an anonymous ransom email that promised not to publish the data and help the company patch a backdoor if he was paid 50 Bitcoin by January 10th, 2021. The DOJ alleges that Sharp released some of the stolen data when the company didn’t pay the ransom.

The DOJ says that it was able to track down Sharp because of one tiny technical glitch — Sharp allegedly used SurfShark VPN to mask his identity while taking data and sending emails, but “in one fleeting instance,” his real IP was identified and logged as connecting to the company’s GitHub. According to the DOJ, this happened when Sharp’s home internet went down, and then reconnected.

According to the indictment, this eventually led to the FBI carrying out a search warrant on Sharp’s house, where he denied using SurfShark and said that someone else used his PayPal account to purchase the subscription. In a final twist, the indictment says that Sharp contacted media outlets posing as a whistleblower after the FBI searched his home and seized electronic devices.

If Sharp is found guilty and the DOJ can prove that the incident unfolded as laid out in the indictment, it’ll certainly cast a new light on the reports of the Ubiquiti hack. The indictment alleges that Sharp started the attack using credentials he had been given to do his job. In March, Ubiquiti held fast to its statement that attackers didn’t access customer data, which doesn’t appear to be contradicted by the information revealed today.

Repost: Original Source and Author Link


Ubiquiti is accused of covering up a ‘catastrophic’ data breach — and it’s not denying it

Ubiquiti, a company whose prosumer-grade routers have become synonymous with security and manageability, is being accused of covering up a “catastrophic” security breach — and after 24 hours of silence, the company has now issued a statement that doesn’t deny any of the whistleblower’s claims.

Originally, Ubiquiti emailed its customers about a supposedly minor security breach at a “third party cloud provider” on January 11th, but noted cybersecurity news site KrebsOnSecurity is reporting that the breach was actually far worse than Ubiquiti let on. A whistleblower from the company who spoke to Krebs claimed that Ubiquiti itself was breached, and that the company’s legal team prevented efforts to accurately report the dangers to customers.

It’s worth reading Krebs’ report to see the full allegations, but the summary is that hackers got full access to the company’s AWS servers — since Ubiquiti allegedly left root administrator logins in an LastPass account — and they could have been able to access any Ubiquiti networking gear that customers had set up to control via the company’s cloud service (now seemingly required on some of the company’s new hardware).

“They were able to get cryptographic secrets for single sign-on cookies and remote access, full source code control contents, and signing keys exfiltration,” the source told Krebs.

When Ubiquiti finally issued a statement this evening, it wasn’t a reassuring one — it’s wildly insufficient. The company reiterated its point that it had no evidence to indicate that any user data had been accessed or stolen. But as Krebs points out, the whistleblower explicitly stated that the company doesn’t keep logs, which would act as that evidence, on who did or didn’t access the hacked servers. Ubiquiti’s statement also confirms that the hacker did try to extort it for money, but doesn’t address the allegations of a cover up. You can read the full statement below.

As we informed you on January 11, we were the victim of a cybersecurity incident that involved unauthorized access to our IT systems. Given the reporting by Brian Krebs, there is newfound interest and attention in this matter, and we would like to provide our community with more information.

At the outset, please note that nothing has changed with respect to our analysis of customer data and the security of our products since our notification on January 11. In response to this incident, we leveraged external incident response experts to conduct a thorough investigation to ensure the attacker was locked out of our systems.

These experts identified no evidence that customer information was accessed, or even targeted. The attacker, who unsuccessfully attempted to extort the company by threatening to release stolen source code and specific IT credentials, never claimed to have accessed any customer information. This, along with other evidence, is why we believe that customer data was not the target of, or otherwise accessed in connection with, the incident.

At this point, we have well-developed evidence that the perpetrator is an individual with intricate knowledge of our cloud infrastructure. As we are cooperating with law enforcement in an ongoing investigation, we cannot comment further.
All this said, as a precaution, we still encourage you to change your password if you have not already done so, including on any website where you use the same user ID or password. We also encourage you to enable two-factor authentication on your Ubiquiti accounts if you have not already done so.

Team UI

The other thing you’ll notice is that Ubiquiti is no longer pinning this on a “third party cloud provider.” The company admits that its own IT systems were accessed. But it doesn’t address much else, and the fact that the statement confirms some of what the whistleblower said while leaving the most worrying parts (e.g., the alleged cover-up, lack of logs, poor security practices, etc.) unaddressed makes me uncomfortable to be a Ubiquiti owner.

The company’s networking gear is (or was) trusted by many techies, myself included, because it promised full control over your home or small business network, without the fears of cloud-based solutions.

Throughout this process, Ubiquiti has failed to communicate properly with its customers. The fact that it’s not denying the allegations, and indicates that they could be true, suggests that the original email was, at the very least, an insufficient warning. It encouraged users to change their passwords — according to Krebs, a more appropriate response would be immediately locking all accounts and requiring a password reset. Even today, the company is simply encouraging users to change their passwords and enable two-factor authentication.

Repost: Original Source and Author Link


Ubiquiti, maker of prosumer routers and access points, has had a data breach

Ubiquiti, the company I bought networking gear from because I wanted Wi-Fi that’s totally under my control, now tells me something may not have been under my control after all: my basic account information. According to an email it’s sending out to users today, a “third party cloud provider” was accessed by an unauthorized user, and that provider might possibly have some of our data.

While the company says it isn’t hasn’t found any evidence that our user data has been accessed, it also “cannot be certain that user data has not been exposed”. The potential data at risk will be familiar if you’ve received these kinds of emails before: names, emails, phone numbers, addresses, and (encrypted, hopefully unreadable) passwords. You’ll want to change your password now.

It doesn’t sound like that bad a breach as breaches go, but it’s annoying news to hear from a company that prides itself on giving users control. If I had wanted my data on someone else’s server, I might have picked a router that gave me some benefit for it, like plug-and-play setup. The database of customer info, it seems, is hard to get away from.

The full email text, which can also be viewed on the Ubiquiti forums, is below:

We recently became aware of unauthorized access to certain of our information technology systems hosted by a third party cloud provider. We have no indication that there has been unauthorized activity with respect to any user’s account.

We are not currently aware of evidence of access to any databases that host user data, but we cannot be certain that user data has not been exposed. This data may include your name, email address, and the one-way encrypted password to your account (in technical terms, the passwords are hashed and salted). The data may also include your address and phone number if you have provided that to us.

As a precaution, we encourage you to change your password. We recommend that you also change your password on any website where you use the same user ID or password. Finally, we recommend that you enable two-factor authentication on your Ubiquiti accounts if you have not already done so.

We apologize for, and deeply regret, any inconvenience this may cause you. We take the security of your information very seriously and appreciate your continued trust.

Thank you,
Ubiquiti Team

Source link