Ubiquiti may have a lot to answer for after recent allegations that it downplayed January’s breach. The allegation involves an attacker gaining access to Ubiquiti’s Amazon Web Services (AWS) account via an employee’s account with root-level (read/write admin or higher) permissions to all of Ubiquiti’s AWS accounts. The whistleblower alleged that the attackers obtained the AWS credentials from a Ubiquiti employee’s LastPass account.
Ubiquiti sent out a letter to customers in January naming a third-party cloud provider as the likely source of the breach. Instead, it was Ubiquiti itself that was the initial vector. This is considered a significant distortion of the facts. Adam (the source from the Krebs On Security post) amplified the seriousness of the intrusion, stating, “They were able to get cryptographic secrets for single sign-on cookies and remote access, full source code control contents, and signing keys exfiltration.” The allegations, if true, are very damning, as Ubiquiti’s inaction may have exposed customers’ cloud-connected devices to remote-access exploitation. Ubiquiti recommended that customers reset their passwords, but many would consider that insufficient if the attackers held the customers’ credentials.
As Ubiquiti chose not to log database activity (but why?!?), they could not prove whether or not the attackers had accessed customer credentials. Even more egregious, Adam said, “Legal overrode the repeated requests to force rotation of all customer credentials, and to revert any device access permission changes within the relevant period.”
Any Ubiquiti customers using UniFi Cloud Key for Single Sign-On remote access should consider disabling remote access and resetting credentials if they have not already done so. An additional consideration for all users, not just Ubiquiti customers, is to enable Multi-Factor Authentication for password managers, and for any other account for that matter. If given the choice, an authenticator application is preferable to SMS verification.
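As an added illustration of the root-access and MFA points above (this is not code from the post or from Ubiquiti), the following check scans constructed CloudTrail-style records and flags any use of root credentials or any console login made without MFA. The account ID, ARNs and IP addresses are invented sample values.

```python
import json

# Constructed CloudTrail-style records for illustration only; field names follow
# the CloudTrail schema, but every value here is invented.
SAMPLE_EVENTS = json.dumps([
    {"eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "203.0.113.10"},
    {"eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "additionalEventData": {"MFAUsed": "Yes"}, "sourceIPAddress": "198.51.100.7"},
    {"eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "198.51.100.9"},
    {"eventName": "CreateAccessKey",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "sourceIPAddress": "203.0.113.10"},
])


def find_risky_events(cloudtrail_json):
    """Return a list of (arn, eventName, reason) tuples for records that show
    root-credential activity or a console login without MFA."""
    findings = []
    for rec in json.loads(cloudtrail_json):
        ident = rec.get("userIdentity", {})
        arn = ident.get("arn", "<unknown>")
        name = rec.get("eventName", "")
        # Day-to-day use of the root identity is itself a red flag.
        if ident.get("type") == "Root":
            findings.append((arn, name, "root credentials used"))
        # A console login whose MFAUsed field is not "Yes" (absent or "No").
        if name == "ConsoleLogin" and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            findings.append((arn, name, "console login without MFA"))
    return findings


if __name__ == "__main__":
    for arn, event, reason in find_risky_events(SAMPLE_EVENTS):
        print(f"{reason}: {event} by {arn}")
```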
In addition to everything mentioned, the attackers installed Linux VMs and multiple backdoors. After the attackers noticed the closing of the first backdoor, they sent a message requesting 50 Bitcoin in exchange for keeping quiet about the breach. It wasn’t paid, as far as we know. If all the allegations come to fruition, or even some of them, let’s hope there is a proper penalty; otherwise this behavior will continue to permeate.