A new whistleblower report claims that the Ubiquiti data breach announced back in January was much bigger and potentially more damaging than the company reported. The insider claims that Ubiquiti deliberately downplayed the data breach out of concerns about its stock price and that the incident was ultimately ‘catastrophically worse than reported.’
Ubiquiti offers a variety of Internet of Things devices that depend on the cloud — including systems for enterprise customers. In January, the company sent out an alert warning that it had discovered ‘unauthorized access to certain of our information technology systems hosted by a third party cloud provider.’
According to a whistleblower that reached out to security expert Brian Krebs, the third-party cloud provider that went unnamed in Ubiquiti’s statement was, in fact, simply the company’s own databases hosted on Amazon Web Services.
The anonymous whistleblower alleges that the statement was written in such a way to imply that the vulnerability was on the third party and that Ubiquiti was impacted by that. Among other things, the whistleblower alleges that the hacker(s) were able to target the system by acquiring privileged credentials from a Ubiquiti employee’s LastPass account.
The security breach was discovered, the report claims, when the company’s security workers found that multiple Linux virtual machines had been created by a user who had admin access. Soon after, the whistleblower claims, a backdoor was found that had been used to access the system; this was allegedly removed in early January.
Among other things, the report goes on to claim that the attackers sent Ubiquiti proof that they had stolen the company’s source code and that they wanted 50 Bitcoins to keep the matter a secret. The company reportedly didn’t provide the ransom nor engage with the attackers and later found (and removed) a second backdoor.