- HOME
- All Products
- Email breach chronicles: The Ubiquiti exposure - a 2020 network compromise
Email breach chronicles: The Ubiquiti exposure - a 2020 network compromise
- Published : November 6, 2023
- Last Updated : November 9, 2023
- 551 Views
- 10 Min Read
In December 2020, an employee named Nickolas Sharp, working in Ubiquiti Inc., a technology company, orchestrated a hacking and extortion campaign against the company. The former senior developer exploited vulnerabilities within the company's infrastructure and abused his access to the administrative credentials of Ubiquiti's AWS and GitHub servers. He then downloaded confidential data using the Surfshark VPN to hide his IP address and gained unauthorized access to steal sensitive information.
Leveraging this, he attempted to extort the company by demanding a substantial ransom through an email to prevent the disclosure of the stolen data, while at the time, he was also a part of the incident response team at Ubiquiti tackling the data breach. After the company refused to pay, Sharp contacted the media, posing as a whistleblower to spread misinformation about how Ubiquiti handled the security incident. The case shed light on the potential risks posed by insider threats and raised concerns about the effectiveness of Ubiquiti's security practices.
Type of attack
This incident involved different types of attacks by the perpetrator, Nickolas Sharp, such as:
- Cybercrime (downloading gigabytes of confidential data by misusing administrative credentials, altering Ubiquiti's log retention policies and other files to conceal unauthorized activity).
- Ransom email (sending a ransom note through email by posing as an anonymous attacker and threatening to publish stolen data).
- Impersonation (initially being a part of the incident response team of the attack and later claiming to be an anonymous whistleblower within Ubiquiti Networks).
Timeline of events
August, 2018 - April, 2021 | Nickolas Sharp worked as a senior developer at the New York City-based IoT device maker, Ubiquiti Inc. |
July 7, 2020 | Sharp used his personal PayPal account to purchase a 27-month subscription to Surfshark VPN on multiple devices, including his cellphone and laptop. |
December 9, 2020 | Sharp applied for a position at a technology company based in California. |
December 10, 2020 | Sharp, through the masked IP address provided by Surfshark VPN, abused his administrative credentials to access a particular key on Ubiquiti's infrastructure. He used the key to connect to AWS and to run a command "getcalleridentity" which returned the username and account information of that AWS account. |
December 21, 2020 | Sharp logged into Ubiquiti's GitHub infrastructure at his residence through his IP address. He used his work credentials and viewed the names of certain data repositories. One minute later, he used the Surfshark VPN to mask his true IP address and connected to GitHub through SSH by using the company's GitHub account. He executed a series of commands to clone Ubiquiti's data repositories to his computer. |
December 22, 2020 | A temporary internet outage at Sharp's residence disrupted the encrypted tunnel connection. After a few minutes, the internet service at Sharp's residence was restored and briefly exposed his location as he logged in through his IP address. Later, he again used the Surfshark VPN to log in to the GitHub servers. Over the next few days, Sharp cloned approximately 155 repositories from Ubiquiti through the GitHub account using the Surfshark VPN. He applied one-day lifecycle retention policies to certain logs on AWS to clear his traces within one day. |
December 28, 2020 | Ubiquiti employees discovered the incident. Sharp concealed his role in committing the incident, and joined a team to assess the scope and damage caused by the incident and remediate its effects. He made numerous false statements to fellow employees and agents to evade detection. |
January 07, 2021 | The employees received a ransom email from the perpetrator, Sharp. The ransom email, which was sent through an IP address associated with Surfshark VPN, demanded a payment of 25 Bitcoin to return the stolen data and not to publish it. He further demanded another 25 Bitcoin to disclose the security vulnerabilities of the data breach. |
January 09, 2021 | At 11:57 pm, approximately three minutes before the ransom deadline, Sharp sent a message on Keybase to an employee, with a link to a public Keybase folder. The folder contained Ubiquiti's stolen proprietary data for public access. |
January 29, 2021 | Sharp wiped and reset the laptop he used to perpetrate the incident. |
March 04, 2021 | Agents from the FBI executed a search warrant on Sharp's residence and seized certain electronic devices. Sharp made numerous false statements to FBI agents. Several days later, claiming to be an anonymous whistleblower within Ubiquiti Networks, Sharp provided an investigative journalist with false information, claiming that an anonymous hacker had gained root administrator access to Ubiquiti’s AWS accounts. He also revealed that the data breach was "catastrophic" and its impact was "downplayed" by Ubiquiti. |
March 30-31, 2021 | Following the publication of the news, the company's stock prices fell approximately 20%, losing over $4 billion in market capitalization. |
December 2021 | Sharp was arrested and charged with data theft and extortion. Internal investigations revealed that the temporary internet outage at Sharp's residence disrupted the encrypted tunnel connection and briefly exposed his location. The investigation also showed that Sharp used his privileges to exfiltrate customer data from his employer's systems. |
February 2023 | After Sharp repeatedly tried to mislead FBI investigators, the former Ubiquiti employee pleaded guilty to the following crimes:
|
Initial publication
In January 2021, the Ubiquiti team published a notification revealing one of its third-party providers suffered a data breach.
Sharp acted as an anonymous whistleblower within Ubiquiti and provided information to cybersecurity blogger, Brian Krebs, claiming Ubiquiti “massively downplayed” an incident that was actually “catastrophic,” in an effort to minimize the impact on its value on the stock market. This news was later deleted after the actual picture of the incident came to light.
Following this, Ubiquiti released another statement to provide more information but noted that it cannot comment further due to an ongoing law enforcement investigation.
Geographical spread
The attack was aimed only at Ubiquiti, but, fortunately, did not affect customers living across the US. Though the impact of the attack did not directly affect various countries, it had a significant impact on the company's stock price. Following the perpetrator's whistle-blowing episode, Ubiquiti's stock price fell roughly 20% from $349 on March 30 to $290 on April 1, 2021.
Attack vectors
The following were the attack vectors in this incident:
- Surfshark VPN
- Ubiquiti's AWS accounts
- Ubiquiti's GitHub accounts
Using Surfshark VPN, the perpetrator masked his identity to access AWS via a privileged user account, moved across the company’s cloud environment, and proceeded to clone gigabytes of data repositories from GitHub.
Vulnerability exploited
The perpetrator exploited his standing privileges to an unmonitored and uncontrolled AWS account. Lack of session monitoring and authentication methods, like MFA, assisted the user to easily access Ubiquiti's AWS.
Motive
Since the perpetrator had applied for a job to another company prior to the incident, the main motive of the perpetrator could be seen as an insider threat aiming to tarnish the image and reputation of Ubiquiti Inc. The other motive could be to extract money, as he demanded a ransom of 50 Bitcoins from the company.
Forensic analysis
1. Lack of visibility and control:
- Ubiquiti Inc. had a significant gap in visibility and control over their cloud environments.
- This allowed certain users to have perpetual access or standing privileges to critical administrator credentials, posing a vulnerability that was exploited by the intruder.
2. Exploitation of vulnerability:
- The attacker took advantage of the aforementioned vulnerability by leveraging Surfshark VPN to log into Ubiquiti's AWS servers.
- By utilizing Surfshark VPN, the intruder aimed to mask their true identity and evade detection.
3. Data exfiltration via GitHub:
- Once inside Ubiquiti's systems, the perpetrator proceeded to download gigabytes of data from the company's GitHub repositories.
- This unauthorized access and exfiltration compromised sensitive information and intellectual property.
4. Temporary internet outage reveals real IP address:
- During the process of data exfiltration, an unforeseen temporary internet outage occurred.
- This interruption inadvertently revealed the true IP address being used by the perpetrator to access Ubiquiti's systems, instead of the intended Surfshark VPN.
5. Identification of perpetrator:
- The FBI conducted an investigation to trace the revealed IP address.
- The investigation ultimately identified the IP address as belonging to Sharp, linking him to the security breach.
6. Surfshark VPN and PayPal account connection:
- Further investigation by the FBI revealed that the Surfshark VPN subscription used in the breach was purchased with a PayPal account registered to Sharp.
- This provided additional evidence linking Sharp to the illegal activities.
Incident detection
Several days after the perpetrator cloned the GitHub repositories, employees in Ubiquiti noticed the intruder had set up multiple Linux virtual machines with networking connectivity to AWS databases. Upon closer examination, they found a backdoor to their infrastructure that led to the exfiltration of data by the intruder.
Data breach
According to an email sent by Ubiquiti to its customers, the company revealed that the data could contain the customers' names, email addresses, mobile numbers, addresses, and one-way encrypted passwords.
Mitigation
Following the attack, Ubiquiti started investigating and found out the hacker had root privilege over all Ubiquiti AWS accounts, including S3 data buckets, application logs, databases, user credentials, and the secrets to forge single sign-on cookies. Ubiquiti also identified a backdoor in their infrastructure that led to the exfiltration of data by the intruder. They managed to remove that in the subsequent week.
Ubiquiti later issued a notification acknowledging the data breach and advised its users to perform the following actions:
- Change their Ubiquiti account's password and to change the password(s) for any other account where they have used the same credentials.
- Enable two-factor authentication.
Some other actions that users could have performed to mitigate the attack:
- Reset 2FA, if it had already been enabled, by disabling and enabling it again. Generate new backup codes by entering the 2FA token and saving them in a secure location.
- Disable remote access to Ubiquiti's cloud as it gives extra safety to user's data if it gets compromised.
Following the whistleblower's false claims that the hacker had acquired root administrator access to Ubiquiti's accounts, the company shared the actual details of the security breach and provided clear and factual rebuttals to the false claims made by the whistleblower. In March 2022, Ubiquiti filed a lawsuit against security researcher Brian Krebs, alleging defamation for his reporting on their security issues.
Collaborative efforts
Ubiquiti worked with several third-party incident response experts, conducted a thorough investigation, and ensured the attacker was locked out of the systems. The third-party experts revealed that there was no clear evidence of the attacker trying to access or target customer information.
Ubiquiti also collaborated with the FBI to identify the perpetrator behind the breach. FBI agents executed a search warrant at Sharp’s residence in Portland, Oregon, and seized certain electronic devices belonging to him. His purchase of the Surfshark VPN for personal use also came to light.
Legal and regulatory implications
Sharp faced an indictment in federal court in Manhattan with four criminal counts charged against him.
- Computer fraud and abuse - Intentionally damaging protected computers
- Transmission of interstate communications with intent to extort
- Wire fraud
- Making false statements
In January 2023, Sharp pleaded guilty to one count of transmitting a program to a protected computer that intentionally caused damage, one count of wire fraud, and one count of making false statements to the FBI.
In March 2022, Ubiquiti filed a lawsuit against industry blogger Brian Krebs for $425,000 in damages for allegedly falsely accusing the company of “covering up” a cyberattack and misleading the public. Ubiquiti claimed that they promptly undertook the crucial step of notifying its customers about the security breach, emphasizing the importance of implementing additional security measures to safeguard their sensitive information. Furthermore, Ubiquiti diligently fulfilled its obligation to inform the public by including the incident details in its subsequent filing with the Securities and Exchange Commission (SEC). Both parties resolved their dispute outside court in September 2022.
In May 2023, Sharp was sentenced to six years in prison, three years of supervised release, and ordered to pay restitution of $1,590,487.
Lessons learned
Following the data breach caused by the criminal actions of Sharp, there were plenty of lessons to be learned.
- Standing privilege access risks
The data breach of Ubiquiti Inc. was primarily due to the standing privilege access of the company's AWS accounts to Sharp. Having standing privilege access meant Sharp had high levels of access to administrator credentials 24/7/365, which he then misused to move laterally across the network and clone sensitive data from GitHub servers. This standing access increases an organization's attack surface area that can be misused by malicious insiders and other threat actors.
- Least privilege access and its limitations
Least privilege access is a concept that certain privilege access management tools offer, by which only specific permissions are granted to a user to perform a task or job. Though this reduces the privilege access given to users by reducing the attack surface area, it still does not reduce the blast radius once the user is inside.
- Zero standing privileges (ZSP)
Zero standing privileges, a core principle of the zero trust security model, offers a solution to address the limitations of least privilege access. ZSP aims at limiting access to sensitive data by removing all permanent user access permissions through a just-in-time access. With ZSP, user access is temporary and automatically revoked once the assigned task or time limit expires, minimizing the potential for unauthorized access and damage.
In Ubiquiti's case, if the organization had zero standing privileges, Sharp would not have been able to use his employee access because the access tied to his user would be temporary, and consequently wouldn't have access to any other applications or data to cause damage.
Organizations can learn from Ubiquiti's security breach and proactively enforce ZSP to restrict bad actors from accessing critical applications and data.
This article is co-authored by Sandeep Kotla and Vignesh S.
Sandeep is an accomplished inbound marketer at Zoho Corporation, specializing in digital workplace strategies, digital transformation initiatives, and enhancing employee experiences. Previously, he handled analyst relations and corporate marketing for Manage Engine (a division of Zoho Corp) and its suite of IT management products. He currently spends most of his time re-imagining and writing about how work gets done in large organizations, reading numerous newsletters, and Marie Kondo-ing his inbox.
Vignesh works as a Marketing Analyst at Zoho Corporation, specializing in content initiatives and digital workplace strategies. He's a passionate creator with a penchant for marketing and growth. In his free time, you can see him shuffling between books, movies, music, sports, and traveling, not necessarily in the same order.