Threat Watch

Ubiquiti Breach More Serious Than Previously Announced

After previously disclosing limited details about what it described in December as a “third-party data breach,” Ubiquiti is now rushing to deal with what is considered a catastrophic event: new details that became public this week show that Ubiquiti customer-owned devices have also been at risk. At the start of December 2020, Ubiquiti had started investigating a potential breach of a database hosted on Amazon Web Services. The attackers allegedly had high-level privileges over Ubiquiti’s accounts, giving them access to its S3 buckets, application logs, user credentials, and SSO cookies. Using the exposed information, the attackers would have been able to reach Ubiquiti customers’ local devices wherever cloud access was enabled, including cameras, door access controllers, routers, and managed switches. Based on the reporting, the attackers also attempted to extort Ubiquiti, demanding 50 Bitcoins (~2.9 million USD) after one backdoor had been removed and threatening to place another.

ANALYST NOTES

As more becomes known about the breach, the situation grows more dire for customers who rely on the accessibility and ease of use of Ubiquiti’s products. While the status is still being assessed, it is recommended that organizations disable cloud access for any devices that are checking in. Although the official word from Ubiquiti is that this was only an extortion attempt, it is also recommended that all associated passwords be changed and 2FA be enabled immediately.

References:

https://krebsonsecurity.com/2021/03/whistleblower-ubiquiti-breach-catastrophic/
https://www.bleepingcomputer.com/news/security/ubiquiti-cyberattack-may-be-far-worse-than-originally-disclosed/