Security Alert Networking giant Ubiquiti alerts customers of potential data breach

silversurfer

Networking device maker Ubiquiti has announced a security incident that may have exposed its customers' data.
Ubiquiti is a very popular networking device manufacturer best known for its Unifi line of wired and wireless network products and a cloud management platform.

Today, Ubiquiti began emailing customers to change their passwords after an attacker hacked their systems hosted at a third-party cloud provider.
"We recently became aware of unauthorized access to certain of our information technology systems hosted by a third party cloud provider. We have no indication that there has been unauthorized activity with respect to any user’s account," Ubiquiti emailed customers.

Ubiquiti states that they are not aware of any customer databases that were illegally accessed but cannot be sure that the attack did not expose customers' data.
"We are not currently aware of evidence of access to any databases that host user data, but we cannot be certain that user data has not been exposed. This data may include your name, email address, and the one-way encrypted password to your account (in technical terms, the passwords are hashed and salted). The data may also include your address and phone number if you have provided that to us," the email continued.
 

upnorth

Now a source who participated in the response to that breach alleges Ubiquiti massively downplayed a “catastrophic” incident to minimize the hit to its stock price, and that the third-party cloud provider claim was a fabrication.
“It was catastrophically worse than reported, and legal silenced and overruled efforts to decisively protect customers,” Adam wrote in a letter to the European Data Protection Supervisor. “The breach was massive, customer data was at risk, access to customers’ devices deployed in corporations and homes around the world was at risk.”
 

MacDefender

If true, this is horrifying. They are saying:
  1. They lost control of basically all of their AWS services.
  2. They lost passwords from an admin's password manager.
  3. It allowed attackers to gain SSO access to anyone's network. The default config in UI allows cloud-based SSO logins, and you have to go out of your way to turn it off.
  4. Attackers could've had configuration and other secrets for anyone's network, including WPA keys and SSH sign-on for individual network components. Unlike a lot of vendors who lock down their SSH console interface, in Ubiquiti it's basically a root Linux shell, which allows difficult-to-detect back doors to be planted on a per-device basis.
  5. They lost source code and firmware signing keys. This could mean more zero-days to come, or malicious firmware could be made that their devices accept as signed by Ubiquiti.
The servers had some additional back doors which the admins think they managed to remove.

For devices that are meant to be a part of your network security story, this seems bad if the whistleblower is telling the truth.
 

silversurfer

"Ubiquiti confirms extortion attempt following security breach"
Networking device maker Ubiquiti has confirmed that it was the target of an extortion attempt following a January security breach, as revealed by a whistleblower earlier this week.

The company, however, didn't confirm the whistleblower's claims that user data was accessed during the incident or that the attackers stole any Ubiquiti source code.

Ubiquiti added that incident response experts hired to investigate the breach didn't find evidence of customer information being targeted during the breach.

"These experts identified no evidence that customer information was accessed, or even targeted," Ubiquiti said in a statement.

"The attacker, who unsuccessfully attempted to extort the company by threatening to release stolen source code and specific IT credentials, never claimed to have accessed any customer information.

"This, along with other evidence, is why we believe that customer data was not the target of, or otherwise accessed in connection with, the incident."

Ubiquiti is cooperating with law enforcement in an ongoing investigation of the incident, which has revealed that the attacker "is an individual with intricate knowledge" of Ubiquiti's cloud infrastructure.

Although there is no proof that customer info was accessed, the networking device vendor advises customers to reset passwords and enable two-factor authentication on their accounts.

"All this said, as a precaution, we still encourage you to change your password if you have not already done so, including on any website where you use the same user ID or password," the company said.
 

MacDefender

"Ubiquiti confirms extortion attempt following security breach"

What does everyone else feel about this statement? Saying there was "no evidence", especially combined with the info that they had no access logging, combined with admitting their source code was stolen... this doesn't reflect well on them in my opinion.

It's pretty insane that enterprise networking equipment, especially cloud-managed equipment, has no audit trail.