[BreachExchange] Whistleblower claims Ubiquiti Networks data breach was ‘catastrophic’

Destry Winant destry at riskbasedsecurity.com
Wed Mar 31 11:01:39 EDT 2021


https://www.zdnet.com/article/whistleblower-claims-ubiquiti-networks-data-breach-was-catastrophic/

A whistleblower involved in the response to a data breach suffered by
Ubiquiti Networks has claimed the incident was downplayed and could be
described as "catastrophic."

On January 11, the networking equipment and Internet of Things (IoT)
devices provider began sending out emails to customers informing them
of a recent security breach.

The company said that someone had obtained "unauthorized access" to
Ubiquiti systems hosted by a "third-party cloud provider," in which
account information was stored for the ui.com web portal, a
customer-facing device management service.

At the time, the vendor said information including names, email
addresses, and salted/hashed password credentials may have been
compromised, along with home addresses and phone numbers where
customers had entered that data in the ui.com portal.

Ubiquiti did not reveal how many customers may have been involved.

Customers were asked to change their passwords and to enable
two-factor authentication (2FA).

Several months later, however, a source who "participated" in the
response to the security breach told security expert Brian Krebs that
the incident was far worse than it seemed and could be described as
"catastrophic."

Speaking to KrebsOnSecurity after raising his concerns through both
Ubiquiti's whistleblower line and European data protection
authorities, the source claimed that the third-party cloud provider
explanation was a "fabrication" and the data breach was "massively
downplayed" in an attempt to protect the firm's stock value.

In a letter penned to European regulators, the whistleblower wrote:

"It was catastrophically worse than reported, and legal silenced and
overruled efforts to decisively protect customers. The breach was
massive, customer data was at risk, access to customers' devices
deployed in corporations and homes around the world was at risk."

According to the alleged responder, cybercriminals gained
administrative access to Ubiquiti's AWS databases using credentials
stored in, and stolen from, an employee's LastPass account, which gave
them root admin access to AWS accounts, S3 buckets, application logs,
secrets for SSO cookies, and all databases, including those containing
user credentials.

The source also told Krebs that in late December, Ubiquiti IT staff
found a backdoor planted by the threat actors, which was removed in
the first week of January. A second backdoor was also allegedly
discovered, leading to employee credentials being rotated before the
public was made aware of the breach.

The cyberattackers contacted Ubiquiti and attempted to extort 50
Bitcoin (BTC) -- roughly $3 million -- in return for silence. However,
the vendor did not engage with them.

ZDNet has reached out to Ubiquiti Networks and we will update when we hear back.
