
Ubiquitous for all the Wrong Reasons

March 31, 2021 By Josh Stuifbergen

Ubiquiti may have a lot to answer for after recent allegations that it downplayed January’s breach. According to the allegation, an attacker gained access to Ubiquiti’s Amazon Web Services (AWS) environment through an employee’s account, which held root-level (full administrative read/write) access to all of Ubiquiti’s AWS accounts. The whistleblower alleged that the attackers obtained those AWS credentials from the employee’s LastPass account.

Ubiquiti’s January letter to customers pointed to an incident at an unnamed third-party cloud provider as the source of the breach. According to the whistleblower, the initial vector was Ubiquiti itself, which, if true, makes the letter a significant distortion of the facts. Adam (the source in the Krebs On Security post) underscored the seriousness of the intrusion, stating, “They were able to get cryptographic secrets for single sign-on cookies and remote access, full source code control contents, and signing keys exfiltration.” If true, the allegations are very damning: Ubiquiti’s inaction may have exposed customers’ cloud-connected devices to remote-access exploitation. Ubiquiti recommended that customers reset their passwords, but many would consider that insufficient if the attackers already held customer credentials.

Because Ubiquiti chose not to log database access (why not?), it could not prove whether the attackers had or had not accessed customer credentials. Even more egregious, Adam said, “Legal overrode the repeated requests to force rotation of all customer credentials, and to revert any device access permission changes within the relevant period.”

Any Ubiquiti customers using the UniFi Cloud Key with single sign-on for remote access should consider disabling remote access and resetting their credentials if they have not already done so. A further consideration for all users, not just Ubiquiti customers, is to enable multi-factor authentication on password managers, and on any other account that offers it; in this case the password manager itself was allegedly the pivot point, which is exactly why MFA on the vault matters. Given the choice, an authenticator application is preferable to SMS verification.
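As an added example (not code from the original post, and not Ubiquiti’s or WatchGuard’s own tooling), the following Python script audits an AWS IAM credential report for the two weaknesses this story turns on: a highly privileged identity protected by a long-lived secret alone, and missing MFA. The column names are those of the report that `aws iam get-credential-report` returns; the rows, the user names and the account ID 111122223333 are constructed for the example.

```python
"""Audit an AWS IAM credential report for root access keys, missing MFA and
stale access keys. The report layout matches `aws iam get-credential-report`
(which returns it base64-encoded); the rows below are constructed sample data."""
import csv
import io
from datetime import datetime

# Constructed sample report: one root row, two console users, one service user.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2015-03-01T00:00:00+00:00,not_supported,2021-01-05T10:00:00+00:00,not_supported,not_supported,false,true,2015-03-01T00:00:00+00:00,2021-01-05T10:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2019-06-10T12:00:00+00:00,true,2021-01-04T09:00:00+00:00,2020-12-01T00:00:00+00:00,2021-03-01T00:00:00+00:00,true,true,2020-12-01T00:00:00+00:00,2021-01-04T09:00:00+00:00,us-west-2,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2018-02-20T08:00:00+00:00,true,2021-01-03T15:00:00+00:00,2018-02-20T08:00:00+00:00,N/A,false,true,2018-02-20T08:00:00+00:00,2021-01-03T15:00:00+00:00,us-east-1,iam,true,2019-05-05T00:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2020-01-15T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2020-11-20T00:00:00+00:00,2021-01-05T01:00:00+00:00,us-east-1,ecr,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


def audit_credential_report(report_csv, as_of, max_key_age_days=90):
    """Return a list of (user, finding) tuples.

    as_of is an ISO 8601 timestamp (the report's own generation time in practice)
    used to measure access-key age; keys older than max_key_age_days are flagged.
    """
    now = datetime.fromisoformat(as_of)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        mfa = row["mfa_active"] == "true"
        console = row["password_enabled"] == "true"
        active_keys = [slot for slot in ("1", "2")
                       if row[f"access_key_{slot}_active"] == "true"]

        if user == "<root_account>":
            # Root should have MFA and no programmatic keys at all: a root key
            # sitting in a vault is a single secret that unlocks everything.
            if not mfa:
                findings.append((user, "root account has no MFA"))
            if active_keys:
                findings.append((user, "root account has active access keys"))
        elif console and not mfa:
            # MFA only applies to console (password) sign-in; a key-only
            # service user such as deploy-bot is not flagged here.
            findings.append((user, "console user without MFA"))

        for slot in active_keys:
            rotated = row[f"access_key_{slot}_last_rotated"]
            if rotated == "N/A":
                continue  # defensive: should not happen for an active key
            age_days = (now - datetime.fromisoformat(rotated)).days
            if age_days > max_key_age_days:
                findings.append((user, f"access key {slot} older than {max_key_age_days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT, "2021-01-06T00:00:00+00:00"):
        print(f"{user}: {finding}")
```

On the constructed data the root account is flagged three times (no MFA, an active key, and a key unrotated since 2015), bob is flagged for console sign-in without MFA and two stale keys, and alice and deploy-bot pass. Run against a real report, the same checks surface exactly the kind of long-lived, MFA-less, all-powerful credential that the allegation says was lifted from a password vault.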

In addition to all of the above, the attackers installed Linux VMs and multiple backdoors. After they noticed that the first backdoor had been closed, they sent a message demanding 50 Bitcoin in exchange for keeping quiet about the breach. As far as we know, it was not paid. If all of the allegations, or even some of them, are borne out, let’s hope there is a proper penalty; otherwise this behavior will continue to spread.


Filed Under: Editorial Articles Tagged With: aws, Breach, ubiquiti
