A new whistleblower report states that the Ubiquiti data breach announced in January was much greater and potentially more damaging than the company reported. The insider claims that Ubiquiti deliberately downplayed the data breach due to stock price concerns and that the incident was ultimately “catastrophically worse than reported”.
Ubiquiti offers a variety of IoT devices that rely on the cloud, including systems for corporate customers. In January, the company sent an alert saying that it had discovered “unauthorized access to some of our information technology systems hosted by a third-party cloud provider”.
According to a whistleblower who contacted security expert Brian Krebs, what the Ubiquiti statement called a third-party cloud provider, without identifying it, was simply the company’s own databases hosted on Amazon Web Services.
The anonymous whistleblower claims that the statement was written to suggest that the vulnerability was in the third party and that Ubiquiti was impacted by it. Among other things, the whistleblower claims that the hacker(s) were able to access the system by acquiring privileged credentials from a Ubiquiti employee’s LastPass account.
The security breach was discovered, the report says, when company security officials noticed that several Linux virtual machines had been created by a user with administrator access. Soon after, says the whistleblower, a back door was found that had been used to access the system; this was supposedly removed in early January.
Among other things, the report states that the attackers sent Ubiquiti proof that they had stolen the company’s source code and demanded 50 Bitcoins to keep the matter a secret. The company reportedly did not pay the ransom or engage with the attackers, and later found (and removed) a second back door.