Ubiquiti (NYSE: UI), a global IoT device provider, announced on January 11 that it suffered a data breach that compromised the PII of its customers. The vendor of routers, switches, security cameras, and network video recorders revealed that the breach started in December 2020 and lasted two months. The breach is in the news again after KrebsOnSecurity reported on it yesterday because of its sizable risk implications.
In a disclosure post on Ubiquiti's community portal, the company stated that compromised data may include names, email addresses, one-way encrypted passwords to customer accounts, addresses, and phone numbers.
The hacker gained access to a Ubiquiti IT employee's LastPass account containing privileged credentials and was able to gain root administrator access to all AWS accounts. Once you have root administrator account access, you can do anything – no privilege escalation is necessary. The compromised resources include S3 data buckets, every application log and database, and every user database credential.
According to an anonymous Ubiquiti security employee, the attackers obtained administrative read/write access to Ubiquiti servers on the AWS cloud. They usurped cryptographic secrets for single sign-on cookies, remote access, and total source code control, and exfiltrated signing keys.
There was no indication that the attackers used any sophisticated tactics. Evidence points to rather basic misconfiguration errors, an all-too-pervasive problem that has led to countless data breaches.
The malicious actor can find the identities they need to access code, add a backdoor to bypass security measures, and gain access to resources (including encrypted data), where they can wreak more havoc. For example, the bad actor can make changes to the firmware, then push it down to everybody's devices. Worse still, any device that is running the malicious firmware now has a backdoor installed.
Teams can follow a fundamental checklist of security best practices to prevent an event such as the Ubiquiti data breach from happening. For one thing, no identity should use the root administrator account after activation as part of the initial account setup. You must make sure there is no access key tied to it. Always enable MFA everywhere. Enforce separation of duties so that it takes two people to actually use the root account. It is crucial to set alerts and continuously monitor for whenever someone accesses the root account. This alert is one of the most basic yet essential settings.
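As an added example, not code from the original post or from Sonrai's product, here is a small Python detector that applies the checklist above to CloudTrail records: it flags any use of the root identity, console logins without MFA, and access-key creation for root. The sample records, account ID and IP addresses are constructed for the demonstration.

```python
import json

# Constructed sample CloudTrail records (not real Ubiquiti data): a root console
# login without MFA, a root CreateAccessKey call, and a routine IAM-user call.
SAMPLE_EVENTS = [
    {"eventTime": "2020-12-15T03:12:44Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "Root", "accountId": "123456789012"},
     "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "203.0.113.7"},
    {"eventTime": "2020-12-15T03:15:02Z", "eventName": "CreateAccessKey",
     "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "Root", "accountId": "123456789012"},
     "sourceIPAddress": "203.0.113.7"},
    {"eventTime": "2020-12-15T09:00:00Z", "eventName": "GetObject",
     "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "sourceIPAddress": "198.51.100.4"},
]

def classify(event):
    """Return a list of (severity, reason) findings for one CloudTrail record."""
    findings = []
    ident = event.get("userIdentity", {})
    if ident.get("type") == "Root":
        # Any root usage after initial account setup violates the checklist.
        findings.append(("HIGH", "root account used"))
        if event.get("eventName") == "CreateAccessKey":
            # An access key bound to root turns a one-time login into standing access.
            findings.append(("CRITICAL", "access key created for root"))
    if event.get("eventName") == "ConsoleLogin":
        mfa = event.get("additionalEventData", {}).get("MFAUsed", "No")
        if mfa != "Yes":
            findings.append(("HIGH", "console login without MFA"))
    return findings

def scan(events):
    """Run classify() over every record and return alert dicts in time order."""
    alerts = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        for sev, reason in classify(ev):
            alerts.append({"time": ev["eventTime"], "severity": sev,
                           "reason": reason, "event": ev["eventName"],
                           "source_ip": ev.get("sourceIPAddress")})
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

In practice the records would be read from the CloudTrail delivery bucket or an EventBridge rule rather than an inline list; the classification logic is unchanged.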
Another question arises: was MFA activated on the LastPass account? It should have been.
The anonymous tipster revealed that Ubiquiti did not have any database access logging. Therefore, it is impossible to tell who or what might have accessed the databases, let alone what the attackers accessed.
As a result, Ubiquiti was not aware of any access to user data databases, nor could it say with certainty that user data had not been exposed. The anonymous whistleblower, however, made it clear that "[the] breach was massive, customer data was at risk, access to customers' devices deployed in corporations and homes around the world was at risk." Security best practice says to turn on proper access logging and to include secondary logging.
Sonrai Dig enforces critical resource monitoring by enabling teams to establish their security baseline then continuously monitor and instantly detect changes that deviate from the baseline, including:
For example, an identity may have accessed data that it had not accessed in the past. Sonrai Security fires off alerts on the suspicious behavior as soon as it happens.
Sonrai Security keeps a continuous inventory and tips teams off when something (identities need not be people) creates a suspicious role. The benefit of knowing immediately when an identity gains questionable effective permission to access data is that you can apply preventive remediation before anything wrong can happen.
Schedule a live demo with one of Sonrai Security's identity and data security experts.