Ubiquiti cyberattack may be far worse than originally disclosed



The data breach report from Ubiquiti in January is allegedly a cover-up of a massive incident that put at risk customer data and devices deployed on corporate and home networks.


In the short communication, the company said that an attacker had accessed some of its IT systems hosted by a third party cloud provider and that it found no indication of unauthorized activity impacting user accounts.



Despite finding no evidence of access to any databases holding user information, Ubiquiti could not guarantee that user details had not been exposed. Because of this, the company encouraged users to change their login password and enable two-factor authentication.


A deeper intrusion


According to someone involved in the breach response who spoke to Brian Krebs on condition of anonymity, Ubiquiti greatly downplayed the intrusion to protect its stock price.


Apparently, the company started investigating the incident in December 2020 and the hackers had administrative-level permissions to Ubiquiti’s databases hosted on Amazon Web Services (AWS).


It is alleged that the attacker had root privileges over all Ubiquiti AWS accounts, including all S3 data buckets, application logs, databases, user credentials, and the secrets needed to forge single sign-on cookies.


This level of access allows authentication to cloud-based devices, such as the UniFi line of wired/wireless products dispersed across the world.


Ubiquiti noticed in late December multiple Linux virtual machines that the intruder had set up. A closer examination revealed a backdoor on their infrastructure, which the company removed in the first week of January.


It seems that this action triggered a response from the hacker, wh ..
