Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Ubiquiti. Show all posts

Ubiquiti Shares Fall After Reportedly Downplaying 'Catastrophic' Data Breach


New York City-based IoT device maker Ubiquiti recently disclosed a data breach that was downplayed. After news of the catastrophic data breach, the shares of the company dropped drastically this week. 

In January, Ubiquiti informed customers that unauthorized access to certain IT systems hosted by an unidentified third-party cloud provider had been discovered. The company said at the time that it had found no evidence of user data being compromised, but it could not rule it out so it advised the customers to change their passwords. 

When Ubiquiti disclosed the security breach, it only had a small impact on its stock and the value of its shares has increased tremendously since, from roughly $250 per share on January 12 to $350 per share on March 30. Ubiquiti shares are now down to $290 at the time of publishing, following the news that the breach may have been bigger than the company led customers and investors to believe. 

On Tuesday, March 30, cybersecurity blogger Brian Krebs reported that he discovered from someone involved in the response to the breach that Ubiquiti "massively downplayed" an incident that was actually "catastrophic" in order to reduce the effect on the company's stock market value. 

According to Krebs' source, the intruder obtained access to Ubiquiti's AWS servers and then tried to extort 50 bitcoin (worth approximately $3 million) from the company to keep quiet about the hack. As per the source, "the intruder acquired obtained privileged credentials from the Ubiquiti employee’s LastPass account and “gained root administrator access to all Ubiquiti AWS accounts, including all S3 data buckets, all application logs, all databases, all user database credentials, and secrets required to forge single sign-on (SSO) cookies”. The hacker allegedly had access to Ubiquiti cloud-based devices through remote authentication. 

Ubiquiti released a statement on Wednesday in response to Krebs' report, stating that it could not comment further due to an ongoing law enforcement investigation. “In response to this incident, we leveraged external incident response experts to conduct a thorough investigation to ensure the attacker was locked out of our systems,” the company stated. “These experts identified no evidence that customer information was accessed or even targeted. The attacker, who unsuccessfully attempted to extort the company by threatening to release stolen source code and specific IT credentials, never claimed to have accessed any customer information. This, along with other evidence, is why we believe that customer data was not the target of, or otherwise accessed in connection with, the incident.” 

At least two law firms are investigating whether Ubiquiti violated federal securities laws and are urging the company’s investors to contact them.

Ubiquiti has been Covering up a Data Breach

 

Ubiquiti, an organization whose prosumer-grade routers have gotten synonymous with security and manageability is being blamed for concealing a “catastrophic” security breach — and following 24 hours of silence, the organization has now given a statement that doesn't deny any of the whistle-blower’s claims. 

In January, the creator of routers, Internet-connected cameras, and other networked gadgets, revealed what it said was “unauthorized access to certain of our information technology systems hosted by a third-party cloud provider.” The notification said that, while there was no proof the intruders accessed client information, the organization couldn't preclude the likelihood that they got clients' names, email addresses, cryptographically hashed passwords, addresses, and telephone numbers. Ubiquiti suggested clients to change their passwords and enable two-factor authentication.

 Initially, Ubiquiti emailed its clients about a supposedly minor security breach at a “third-party cloud provider” on January 11th but found out that the cybersecurity news site KrebsOnSecurity is reporting that the breach was far more awful than Ubiquiti let on. A whistle-blower from the organization who spoke to Krebs guaranteed that Ubiquiti itself was breached and that the organization's legal team forestalled efforts to precisely report the dangers to customers. 

The breach comes as Ubiquiti is pushing—if not outright requiring—cloud-based accounts for clients to set up and regulate gadgets running newer firmware renditions. An article says that during the underlying setup of an UniFi Dream Machine (a popular router and home gateway appliance), clients will be incited to sign in to their cloud-based account or, on the off chance that they don't have one, to make an account. 

Brian Krebs of KrebsOnSecurity wrote, "In reality, Adam (the fictitious name that Brian Krebs of KrebsOnSecurity gave the whistleblower) said, the attackers had gained administrative access to Ubiquiti’s servers at Amazon’s cloud service, which secures the underlying server hardware and software but requires the cloud tenant (client) to secure access to any data stored there." 

“They were able to get cryptographic secrets for single sign-on cookies and remote access, full source code control contents, and signing keys exfiltration,” Adam said.

US Based, Ubiquiti Inc. covers up a Catastrophic Data Breach, Claims a Whistle-blower

 

Ubiquiti Inc., a major provider of cloud-enabled Internet of Things (IoT) equipment such as routers, network video recorders, and surveillance cameras, announced on the 11th of January that their customer account information had been compromised due to a breach involving a third-party cloud service provider. According to a whistle-blower involved, in the response to the breach, Ubiquiti significantly downplayed a "catastrophic" incident in order to mitigate the stock price, and the third-party cloud provider assertion was a hoax. 

Ubiquiti, whose consumer-grade routers have now been associated with security and manageability, is accused of concealing a "catastrophic" security breach. The company said that someone gained "unauthorized access" to the company's servers, which were operated by a "third-party cloud provider" and where data for the ui.com web portal, was stored. 

The vendor claimed that the intrusion contained names, email addresses, and likely hashed password credentials, as well as residential addresses and phone numbers of customers. But they did not indicate how many customers were affected. 

Since Ubiquiti reportedly left root administrator logins in a LastPass account, hackers had complete access to the company's AWS servers, and they could have accessed any Ubiquiti networking hardware that customers had installed up to monitor through the company's cloud service. 

When Ubiquiti eventually released a statement, it was far from reassuring — in truth, it was woefully inadequate. The company stated again that there was no proof that any user data had been hacked or stolen. 

However, as the security specialist, Krebs points out, the whistle-blower claimed clearly that the organization does not keep logs on who accessed or did not access the compromised servers, which would serve as evidence. The statement from Ubiquiti also states that the hacker tried to extort money from the company. However, the whistle-blower who "participated" in the security breach investigation told security specialist Brian Krebs a few months later that the event was even worse than it appeared and could be characterized as "catastrophic." The source reported to KrebsOnSecurity that perhaps the third-party cloud provider justification was a "fabrication” and that the security breach was "massively downplayed" in an effort to preserve the company's stock value.

The whistle-blower wrote, "It was catastrophically worse than reported, and legal silenced and overruled efforts to decisively protect customers. The breach was massive, customer data was at risk, access to customers' devices deployed in corporations and homes around the world was at risk,” in the letter penned to the European regulators. 

According to Krebs, Ubiquiti IT workers discovered a vulnerability planted by threat actors in late December, which was eliminated in the first week of January. Employee passwords were reportedly rotated until the public was fully informed of the violation when a second vulnerability was found. The cybercriminals approached Ubiquiti and requested 50 Bitcoin (roughly $3 million) in exchange for silence. The seller, on the other hand, remained unresponsive.