Ubiquiti hack more serious than admitted

[German]The hack of US manufacturer Ubiquiti Networks (IoT devices, cameras, etc.) that became known in January 2021 was probably more serious than the company admitted. The attackers are said to have had access to source codes and credentials. Addendum: Statement from the manufacturer added.


Who is Ubiquiti?

Ubiquiti Networks is an American manufacturer that has been selling active network components such as WLAN adapters for PCs since its founding in 2005. In the meantime, the product range has been expanded to include WLAN routers, access points, WLAN antennas and directional antennas, especially for outdoor use. Since 2014, the manufacturer has also offered VoIP phones as well as switches and network cameras for professional and semi-professional use. Ubiquiti's WLAN routers are based on WLAN chips from Atheros and use a Linux-based operating system ("airOS").

The Ubiquiti hack

In January 2021, Ubiquit was the victim of a cyber attack that briefly disrupted their cloud offering for a weekend. Stupid: the vendor enforces a cloud account to manage local device accounts for some products (to be precise: For most products it's possible to avoid the cloud account, but non-experienced customers are lured to such accounts during setup). Customers of the company then received an email informing them of the incident. They were asked to change their passwords for the accesses as a precaution, as it could not be ruled out that the attackers had access to personal credentials.

 Ubiquity victim of hacker attack

I had covered that within my blog post Vendor Ubiquiti hacked, users should change passwords. At that point it sounded not too serious, but I wrote:

So if someone has routers, cameras, doorbells, switches or similar products from this manufacturer in use, they should change the passwords (of the cloud account and possibly the local devices) as a precaution. Furthermore, I recommend thinking about whether a US manufacturer that (virtually) imposes password management for local access via its own cloud offering can be the right partner.

The only reason for using certain products (wireless antennas) from this provider can at most be the possibility mentioned at the beginning to flash your own (nanoStation router) operating system onto the hardware there.


Whistleblower reveals the disaster

I came across the article Whistleblower: Ubiquiti Breach "Catastrophic by Brian Krebs – and I got this information from Vectra AI cybersecurity experts as well. A security expert at Ubiquiti, simply called Adam by Krebs, has now shared details with Krebs as a whistleblower and talks about how company management actually downplayed a "catastrophic" incident to protect their stock prices.

According to whistleblower Adam, "The breach was massive, customer data was compromised, access to customer devices used in businesses and homes around the world was compromised." The insider also reports that the hackers were given full read/write access to Ubiquiti databases on AWS.

""They were able to obtain cryptographic secrets for single sign-on cookies and remote access, full source control content and signing key exfiltration," Adam said. According to the source, the attacker or attackers had access to privileged credentials previously stored in the LastPass account of a Ubiquiti IT employee. Thus, they gained root administrator access to all of Ubiquiti's AWS accounts, including all S3 data buckets, all application logs, all databases, all user database credentials and the secrets needed to forge single sign-on (SSO) cookies.

Such access could have allowed the intruders to remotely authenticate to countless Ubiquiti cloud-based devices around the world, according to comments on Krebs on Security. According to its website, Ubiquiti has shipped more than 85 million devices that play a key role in network infrastructure in more than 200 countries and territories worldwide.

Intrusion discovered by security team

It probably only came to their attention because Ubiquiti's security team picked up signals in late December 2020 that someone with administrative access had set up several Linux virtual machines that were not logged in. Then they found a backdoor that an intruder had left in the system. When security engineers removed the backdoor account in the first week of January, the attackers sent a message. In it, the attackers demanded 50 bitcoin (about $2.8 million) in exchange for a promise to keep quiet about the intrusion. The attackers also provided evidence that they had stolen Ubiquiti's source code and promised to reveal the location of another backdoor if their ransom demand was met.

Two backdoors discovered

Ubiquiti didn't relent to the hackers, Adam said, and eventually the incident response team found the second backdoor the extortionists had left in the system. The company spent the next few days refreshing everyone's credentials before Ubiquiti began notifying customers that they needed to reset their passwords. Here, Ubiquiti should have immediately reset all customer accounts because, after all, the intruders already had credentials to remotely access customers' IoT systems. Andreas Mueller, Director DACH at IT security provider Vectra AI comments on the new information:

The Ubiquiti data breach whistleblower provides a precise description of the scale and force of the attack. According to the whistleblower, the attacker set up "multiple Linux virtual machines." This is a very unusual attack method, but a very easy way to gain a foothold within an organization. The consequences of this attack are similar to those of the "Sunburst" attack [Orion software]. Once the perpetrator has access to the infrastructure and the network management console, they can do whatever they want.

According to Mueller, attackers are increasingly trying to access vendor cloud services to gain access to a large number of organizations. Mueller expects a sharp increase in these types of attacks as many companies are in the process of or have switched to AWS / Azure / GCP clouds. This attack, according to Mueller, highlights the overall risk of using SaaS offerings and the importance of certifications such as SOC2 Type 2 compliance.

The responsibility for cloud security

Mueller writes: AWS is very clear about the shared responsibility model they provide, he says. However, he says AWS is not responsible for securing access to their service, Ubiquiti is. The lack of responsibility from Ubiquiti and the response so far, according to Mueller, likely calls into question the trust that customers will place in their service.

For example, Ubiquiti still has the problem of no access logs for the data. So there's no way to find out if any accesses were made to customer data. More details about the Ubiquiti case can be read at Brian Krebs.

Ubiquiti confirms attack attempt

In the meantime, probably due to this reporting for the true consequences of the scale, Ubiquiti has issued the following statement (Bleeping Computer picked it up here).

Update to January 2021 Account Notification

As we informed you on January 11, we were the victim of a cybersecurity incident that involved unauthorized access to our IT systems. Given the reporting by Brian Krebs, there is newfound interest and attention in this matter, and we would like to provide our community with more information.

At the outset, please note that nothing has changed with respect to our analysis of customer data and the security of our products since our notification on January 11. In response to this incident, we leveraged external incident response experts to conduct a thorough investigation to ensure the attacker was locked out of our systems.

These experts identified no evidence that customer information was accessed, or even targeted. The attacker, who unsuccessfully attempted to extort the company by threatening to release stolen source code and specific IT credentials, never claimed to have accessed any customer information. This, along with other evidence, is why we believe that customer data was not the target of, or otherwise accessed in connection with, the incident.

At this point, we have well-developed evidence that the perpetrator is an individual with intricate knowledge of our cloud infrastructure. As we are cooperating with law enforcement in an ongoing investigation, we cannot comment further.

All this said, as a precaution, we still encourage you to change your password if you have not already done so, including on any website where you use the same user ID or password. We also encourage you to enable two-factor authentication on your Ubiquiti accounts if you have not already done so.


Team UI

The key message is, that nothing had changed for customers since the original announcement of the hack. And no evidence had been found that customer information had been accessed. Here one should consider the sentence I quoted above: So Ubiquiti still has the problem of no access logs for the data. In the statement, Ubiquiti did not lie when they wrote "they have no evidence that customer data has been accessed." But they also have no evidence that there were no accesses – or more clearly, they don't know. From this point of view, customer should ask themselves about their trust in this manufacturer.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *