An anonymous source claims Ubiquiti suffered a massive incident in which attackers accessed customer data on corporate and home networks around the world.
Ubiquiti is a San Jose, California-based vendor of cloud-enabled Internet of Things (IoT) devices such as routers, network video recorders, and cameras. Tens of millions of its products are used around the world.
A person involved in the breach response spoke to Brian Krebs anonymously and said that Ubiquiti downplayed the impact of the attack, and that it did so to protect its stock price.
Initially, the company reported a breach and said that the attackers had accessed some of its IT systems hosted by a third-party cloud provider and that they had no indication of unauthorized access to user accounts.
In a public notice on January 11, Ubiquiti said, “We are not currently aware of evidence of access to any databases that host user data, but we cannot be certain that user data has not been exposed.”
Nevertheless, the company encouraged its customers to change their login passwords and turn on 2FA.
Now the whistleblower, whom Krebs calls Adam, has revealed disturbing new facts about the actual scope of the breach. According to him, the hackers had administrative-level permissions to Ubiquiti’s databases hosted on AWS, including all S3 data buckets, application logs, databases, user credentials, and the details needed to forge single sign-on cookies.
This would give cybercriminals access to the company’s cloud-based devices dispersed around the world.
In late December, Adam said, Ubiquiti’s security team found out that the intruder had set up multiple Linux virtual machines in its systems. Later, the team found a backdoor and removed it in the first week of January.
The intruder also showed proof that they had exfiltrated Ubiquiti’s source code and asked for 50 bitcoins in exchange for not disclosing the leaked data.
Adam also revealed that a second backdoor had been planted. The attacker offered to reveal its location if the company paid. The IT team found this second backdoor on its own, though, and removed it.
The company proceeded to change all employee credentials to lock out the hacker.
According to Krebs’ source, Ubiquiti did not keep access logs for the databases, so it could not know what the hacker had accessed and what they had not.
Adam also claimed the intruder “created Linux instances with networking connectivity to said databases,” so they could have accessed customer systems remotely.
Finally, the source said that the third-party cloud provider claim was fake, an attempt to play down the seriousness of the situation.