The ever-attentive Brian Krebs at KrebsOnSecurity reports on his blog that the breach was far more serious than Ubiquiti has let on. According to Krebs, who reportedly had contact with a source close to the company, the security incident involved Ubiquiti itself, and the company's legal team prevented it from giving customers accurate and timely information about the possible consequences and risks of the incident.
Unauthorized access to Ubiquiti AWS servers
According to Krebs' analysis, the attackers gained full access to Ubiquiti's AWS servers; those servers were apparently protected by administrator credentials that had been left in a LastPass account. That access would have put the attackers in a position to reach any network built on Ubiquiti equipment and configured to be managed through the company's cloud service.
In the past few hours Ubiquiti has issued a new press release:
“As we informed you on January 11, we have been the victim of a cybersecurity incident which resulted in unauthorized access to our IT systems. In light of Brian Krebs' analysis, there is renewed attention on this matter and we would like to provide our community with more information.
Nothing has changed in our analysis of customer information and the safety of our products since the January 11 notification. In response to this incident, we enlisted the help of external experts to conduct a thorough investigation and ensure that the attacker was excluded from our systems.
The experts did not identify any evidence that customer information was accessed or that it was targeted. The attacker, who unsuccessfully conducted an extortion attempt against the company by threatening the release of stolen source code and specific IT credentials, never claimed to have had access to customer information. This, along with other evidence, is the reason we believe customer information was not the target of the breach or otherwise related to it.
At this point we have solid evidence that the perpetrator is an individual with a thorough understanding of our cloud infrastructure. As we are partnering with law enforcement in an ongoing investigation, we cannot comment further.
As we said, as a precaution we invite you to change your password if you have not already done so, including on any other service where you use the same username and password pair. We also suggest enabling two-factor authentication on Ubiquiti accounts if you have not already done so.”
The statement therefore appears to partially retract what was previously said; in particular, Ubiquiti now admits that its IT systems were accessed. Krebs, however, points out, based on information from his anonymous source, that the company does not keep logs of access to its servers, which is why it cannot in fact have any evidence of what happened. According to Krebs, Ubiquiti's response was late and insufficient, and the situation as a whole was mishandled: the company should have immediately locked the affected accounts and forced a password reset.