Ubiquiti cyberattack may be far worse than originally disclosed

The data breach report from Ubiquiti in January is allegedly a cover-up of a massive incident that put at risk customer data and devices deployed on corporate and home networks.

In the short communication, the company said that an attacker had accessed some of its IT systems hosted by a third-party cloud provider and that it had found no indication of unauthorized activity impacting user accounts.

Although it had found no evidence of access to any databases holding user information, Ubiquiti could not guarantee that user details had not been exposed. Because of this, the company encouraged customers to change their login password and enable two-factor authentication.

A deeper intrusion

According to someone involved in the breach response who spoke to Brian Krebs on condition of anonymity, Ubiquiti greatly downplayed the intrusion to protect its stock price.

Apparently, the company started investigating the incident in December 2020 and the hackers had administrative-level permissions to Ubiquiti’s databases hosted on Amazon Web Services (AWS).

It is alleged that the attacker had root privilege over all Ubiquiti AWS accounts, including all S3 data buckets, application logs, databases, user credentials, and the secrets used to sign single sign-on cookies, which would allow such cookies to be forged.

This level of access allows authentication to cloud-based devices, such as the UniFi line of wired/wireless products dispersed across the world.
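To make concrete why a leaked cookie-signing secret is as serious as a leaked password database, and why rotating that secret is part of recovery, here is an added illustration; it is not Ubiquiti's code and nothing is known about how UniFi cookies are actually built. It assumes a common design: the session payload is HMAC-SHA256 signed with a server-side secret. The secrets and user names are constructed for the example. The point shown from the defender's side is that once the old secret is removed from the accepted set, every cookie minted with it, whether by the real server or by whoever copied the secret, stops verifying, so rotation forcibly ends all existing sessions.

```python
import base64
import hashlib
import hmac
import json
from typing import List, Optional

# Constructed secrets for the illustration; a real deployment would load
# these from a secrets manager and never embed them in code.
OLD_SECRET = b"constructed-old-signing-secret"
NEW_SECRET = b"constructed-new-signing-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_cookie(payload: dict, secret: bytes) -> str:
    """Serialize the session payload and append an HMAC-SHA256 tag."""
    body = _b64url(json.dumps(payload, sort_keys=True).encode())
    tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_cookie(cookie: str, accepted_secrets: List[bytes]) -> Optional[dict]:
    """Return the payload if the tag matches any accepted secret, else None.

    Accepting a list lets a deployment overlap old and new secrets briefly
    during a planned rotation; after a compromise the old one is dropped.
    """
    try:
        body, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    for secret in accepted_secrets:
        expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
        # Constant-time comparison avoids leaking tag bytes via timing.
        if hmac.compare_digest(expected, tag):
            return json.loads(_unb64url(body))
    return None


def rotation_demo() -> dict:
    """Show the effect of rotating the signing secret after a compromise."""
    # A session issued while OLD_SECRET was in use.
    session = sign_cookie({"uid": "alice", "role": "admin"}, OLD_SECRET)

    # Before rotation the cookie is accepted.
    valid_before = verify_cookie(session, [OLD_SECRET]) is not None

    # After the incident the server accepts only NEW_SECRET; the same cookie
    # (and anything else built with OLD_SECRET) is now rejected, and a cookie
    # issued under NEW_SECRET works as usual.
    valid_after = verify_cookie(session, [NEW_SECRET]) is not None
    fresh = sign_cookie({"uid": "alice", "role": "admin"}, NEW_SECRET)
    fresh_ok = verify_cookie(fresh, [NEW_SECRET]) is not None

    return {
        "valid_before_rotation": valid_before,
        "valid_after_rotation": valid_after,
        "fresh_cookie_valid": fresh_ok,
    }


if __name__ == "__main__":
    print(rotation_demo())
```

Because the tag depends only on the secret and the payload, no amount of password resetting helps while the old secret remains accepted; the response has to include rotating the signing material and, when logging cannot establish what was taken, assuming it was.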

Ubiquiti noticed in late December multiple Linux virtual machines that the intruder had set up. A closer examination revealed a backdoor on their infrastructure, which the company removed in the first week of January.

It seems that this action triggered a response from the hacker, who asked for 50 bitcoins to keep silent about the breach. According to the report, the intruder also proved that they had exfiltrated source code from Ubiquiti’s systems.

The extortion attempt also came with a promise to reveal where a second backdoor had been planted. The incident response team, however, found this second backdoor and removed it.

After this, the company started to change all employee credentials to make sure that the hacker was locked out of its infrastructure. Next came the alert to customers.

According to Krebs’ source, Ubiquiti did not have access logging for databases, meaning that it could not check what the hacker accessed.

Supposedly, the intruder targeted the credentials to the databases and “created Linux instances with networking connectivity to said databases,” so it is possible that they could access customer systems remotely when Ubiquiti sent out the data breach notification.

Ubiquiti is a highly popular brand with tens of millions of products distributed all over the world. It makes a variety of networking products that range from WiFi devices (high-power access points) to enterprise-grade switches, surveillance, phone, and door access systems.