What's Going on with the Ubiquiti Breach - ThreatWire
Added 2021-04-06 17:51:46 +0000 UTC

Back in January, Ubiquiti, which manufactures and sells networking equipment, told customers that its systems had been compromised by an attacker, but that user accounts weren't targeted or affected. Now, according to a whistleblower who was involved in the original incident response, Ubiquiti found a backdoor back in December of 2020 that gave the attacker admin access to its AWS accounts and databases. The attacker allegedly got in by stealing credentials from an employee's LastPass account. Ubiquiti removed this backdoor, and the attacker then tried to extort the company, claiming to have stolen source code. Ubiquiti did not pay up; it found a second backdoor, removed that one as well, and forced all employees to change their credentials. That was January 11.
The whistleblower also said that Ubiquiti allegedly didn't have a logging system set up, so it couldn't actually know what data the attacker had accessed. They claim the breach was actually quite massive and that user data was compromised. So who is to be believed in this story?
Well, Ubiquiti has confirmed that it was targeted in the extortion, but it has not confirmed that user data was accessed or that source code was stolen. The company also stated that the third parties hired for the investigation did not find evidence that user data was targeted or accessed. Ubiquiti is currently working with law enforcement on the attack. But if what the whistleblower said is indeed the case, that they didn't keep logs, then they wouldn't be able to prove or disprove that customer data was accessed. Saying they had no evidence that customer data was accessed would be true, but it wouldn't be the whole story.
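The "no logs means no evidence either way" point above is the reason defenders audit their cloud audit-trail configuration before an incident rather than after. The following is an added illustration written for this page, not code from ThreatWire or Ubiquiti, and it assumes nothing about how Ubiquiti's AWS accounts were actually configured. It evaluates a trail configuration whose dict shape is modelled on the boto3 CloudTrail describe_trails and get_event_selectors responses (the sample values are constructed) and reports the gaps that would leave a question like "was this customer data read?" unanswerable: no trail at all, logging stopped, single-region coverage, no log-file integrity validation, and no data-event selectors (without which object-level reads of a bucket are never recorded).

```python
"""Audit an AWS CloudTrail configuration for gaps that would make data access
unprovable after a breach.

Added illustration for this page; not ThreatWire's or Ubiquiti's code. The
input shape mirrors boto3 cloudtrail describe_trails / get_event_selectors
output, but every value below is a constructed sample, not real account data.
"""

from typing import Dict, List, Tuple

# Constructed sample: a single-region trail that is running, but with no
# log-file validation and only management events. API calls would be logged,
# but object-level reads of customer data in S3 would not be.
SAMPLE_TRAILS: List[Dict] = [
    {
        "Name": "management-only",          # constructed name
        "IsLogging": True,
        "IsMultiRegionTrail": False,
        "LogFileValidationEnabled": False,
        "EventSelectors": [
            {"ReadWriteType": "All", "IncludeManagementEvents": True,
             "DataResources": []},
        ],
    }
]

# Constructed sample of a configuration that passes every check below.
GOOD_TRAILS: List[Dict] = [
    {
        "Name": "org-wide",                 # constructed name
        "IsLogging": True,
        "IsMultiRegionTrail": True,
        "LogFileValidationEnabled": True,
        "EventSelectors": [
            {"ReadWriteType": "All", "IncludeManagementEvents": True,
             # Data-event selector covering S3 object operations; the ARN
             # prefix form follows CloudTrail's data resource selectors.
             "DataResources": [{"Type": "AWS::S3::Object",
                                "Values": ["arn:aws:s3"]}]},
        ],
    }
]


def audit_trail_config(trails: List[Dict]) -> List[Tuple[str, str]]:
    """Return (code, explanation) findings. An empty list means that, for the
    checks here, an investigator could reconstruct who touched what."""
    if not trails:
        return [("NO_TRAIL", "no trail configured; API activity is not recorded")]

    active = [t for t in trails if t.get("IsLogging")]
    if not active:
        # Nothing further can be said: a stopped trail records nothing.
        return [("NOT_LOGGING", "every trail is stopped; nothing is being written")]

    findings: List[Tuple[str, str]] = []
    if not any(t.get("IsMultiRegionTrail") for t in active):
        findings.append(("SINGLE_REGION",
                         "no multi-region trail; activity in other regions is invisible"))
    if not any(t.get("LogFileValidationEnabled") for t in active):
        findings.append(("NO_LOG_VALIDATION",
                         "log-file validation off; an admin-level intruder could alter "
                         "or delete logs without detection"))
    has_data_events = any(
        selector.get("DataResources")
        for trail in active
        for selector in trail.get("EventSelectors", [])
    )
    if not has_data_events:
        findings.append(("NO_DATA_EVENTS",
                         "no data-event selectors; object-level reads of stored data "
                         "are never logged, so data access can be neither proved nor "
                         "disproved"))
    return findings


def finding_codes(trails: List[Dict]) -> List[str]:
    """Convenience wrapper returning only the finding codes, in check order."""
    return [code for code, _ in audit_trail_config(trails)]


if __name__ == "__main__":
    for label, trails in (("sample", SAMPLE_TRAILS), ("good", GOOD_TRAILS), ("none", [])):
        print(f"{label}:")
        for code, why in audit_trail_config(trails) or [("OK", "no gaps found")]:
            print(f"  {code}: {why}")
```

In a real account the input would come from describe_trails plus one get_event_selectors call per trail, and the same findings map directly onto remediation: enable a multi-region trail, turn on log-file validation, and add data-event selectors for the stores that hold customer data. The order of the checks matters: a stopped trail makes the remaining checks moot, so the function returns early there.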
With all of this said, many consumers have rightfully complained recently, since Ubiquiti is now forcing users to set up cloud accounts when they go through device setup, similar to how Windows 10 now requires a Microsoft account (tl;dr: there are ways around the Windows 10 thing, but that's a tangent for another day). Many are concerned that this exposes their account to the security risks that come with cloud services.
Even if Ubiquiti customer data wasn't accessed, it would be smart to remove old profiles and recreate new ones, disassociate profiles from devices, update firmware, reset those passwords, enable MFA, and disable any cloud accounts or remote access you don't really need. All the things.
Ubiquiti:
https://www.bleepingcomputer.com/news/security/networking-giant-ubiquiti-alerts-customers-of-potential-data-breach/
https://krebsonsecurity.com/2021/03/whistleblower-ubiquiti-breach-catastrophic/
https://www.theverge.com/2021/3/31/22360409/ubiquiti-networking-data-breach-response-whistleblower-cybersecurity-incident
https://community.ui.com/questions/Update-to-January-2021-Account-Notification/3813e6f4-b023-4d62-9e10-1035dc51ad2e
https://www.bleepingcomputer.com/news/security/ubiquiti-cyberattack-may-be-far-worse-than-originally-disclosed/
https://arstechnica.com/gadgets/2021/03/ubiquiti-breach-puts-countless-cloud-based-devices-at-risk-of-takeover/