Ubiquiti Acknowledges Extortion Attempt
Company Called Out by Whistleblower for Attack Response
IoT device manufacturer Ubiquiti revealed in a security notice Wednesday that an attacker had attempted to extort money from the company following a December 2020 cyber incident - a fact not mentioned in the company's Jan. 11 notification of the attack.
Ubiquiti now says the unauthorized access to the company's IT systems resulted in threats by the attacker to post source code and IT credentials allegedly compromised during the incident. The company did not confirm whether the attacker did, in fact, access this information, but maintained its earlier claim that the incident did not reveal customer information.
"The attacker, who unsuccessfully attempted to extort the company by threatening to release stolen source code and specific IT credentials, never claimed to have accessed any customer information," Ubiquiti says.
Ubiquiti made this revelation in response to a whistleblower telling Krebs on Security that the December cyber incident was much worse than originally reported by the company. Brian Krebs calls the source "Adam" and says he was involved in investigating the attack. According to Krebs, the attacker gained full read/write access to the company's databases.
"Given the reporting by Krebs, there is newfound interest and attention in this matter, and we would like to provide our community with more information," Ubiquiti says.
The company spokesman did not respond to Information Security Media Group's request for further comment.
What Ubiquiti Revealed
Ubiquiti says that the external incident response team it hired to handle the investigation has additional insight into the attack.
"At this point, we have well-developed evidence that the perpetrator is an individual with intricate knowledge of our cloud infrastructure. As we are cooperating with law enforcement in an ongoing investigation, we cannot comment further," Ubiquiti says.
The investigators also solidified the company's original statement, saying client data was not compromised, the company says. "These experts identified no evidence that customer information was accessed, or even targeted."
Ubiquiti reiterated a recommendation it made on Jan. 11 that its customers change their passwords and enable two-factor authentication as a precautionary measure.
PJ Norris, senior systems engineer at Tripwire, notes Ubiquiti should not rely on its customers to take action but should have forced a password reset.
Who Is to Blame?
Krebs on Security also reported that the whistleblower claims that Ubiquiti attempted to place the blame for the attack on AWS.
"According to Adam, the hackers obtained full read/write access to Ubiquiti databases at Amazon Web Services (AWS), which was the alleged 'third party' involved in the breach," Krebs reports. Ubiquiti's breach disclosure, he wrote, was "downplayed and purposefully written to imply that a 3rd party cloud vendor was at risk and that Ubiquiti was merely a casualty of that, instead of the target of the attack."
Norris notes that this is a prime example of an organization, and not necessarily the cloud service provider, being responsible for the security controls within cloud environments.
"The CSP provides the platform and tools for organizations to secure their environments and should not be held accountable for weakened security. Hardening systems is the best way for organizations to secure their cloud and prevent accidental exposure," he says.
Ubiquiti's initial public report on the attack stated that the company did not believe that the attacker gained access to customer accounts but could not guarantee that was true. It did not mention that, if the attacker did gain access to names, then email addresses and hashed and salted passwords may have been exposed.
"At the outset, please note that nothing has changed with respect to our analysis of customer data and the security of our products since our notification on January 11," Ubiquiti says.