Ubiquiti Breach Update - Mind Blowing New Info!

Reddit Comments

Hello! Thanks for posting on r/Ubiquiti!

This subreddit is here to provide unofficial technical support to people who use or want to dive into the world of Ubiquiti products. If you haven’t already been descriptive in your post, please take the time to edit it and add as many useful details as you can.

Please read and understand the rules in the sidebar, as posts and comments that violate them will be removed. Please put all off topic posts in the weekly off topic thread that is stickied to the top of the subreddit.

If you see people spreading misinformation, trying to mislead others, or other inappropriate behavior, please report it!

I am a bot, and this action was performed automatically. Please contact the moderators of this subreddit if you have any questions or concerns.

πŸ‘οΈŽ︎ 1 πŸ‘€οΈŽ︎ u/AutoModerator πŸ“…οΈŽ︎ Dec 02 2021 πŸ—«︎ replies

I hate that everyone thinks they need these stupid AF YouTube thumbnails like that...

πŸ‘οΈŽ︎ 94 πŸ‘€οΈŽ︎ u/thebotnist πŸ“…οΈŽ︎ Dec 02 2021 πŸ—«︎ replies

Very informative. He explained it very well

πŸ‘οΈŽ︎ 11 πŸ‘€οΈŽ︎ u/squirrellydw πŸ“…οΈŽ︎ Dec 02 2021 πŸ—«︎ replies

A lot of supposed de facto comments made by people in other networking ecosystems about Ubiquiti now seem a little silly, very judgmental and extremely unprofessional. Time always tells.

πŸ‘οΈŽ︎ 8 πŸ‘€οΈŽ︎ u/lepolymathoriginale πŸ“…οΈŽ︎ Dec 02 2021 πŸ—«︎ replies

TLDR: Whistleblower goes to Krebs and gets articles published bad talking UI and that they were breached. Turns out the whistleblower was the extortionist. It was an inside job.

This is why you always stfu when it comes to investigations like this. It can take months to find out what happened, and you are always advised by lawyers to stfu. This is a great example of why you keep your mouth shut and why we shouldn't expect companies to say much about an ongoing investigation. It was several months into an investigation, and the dude's house was raided by the FBI a week before he went to Krebs.

Seems like an internet outage gave up the extortionist's IP address while he was exfiltrating data.

Also not a good look for Krebs. :(

πŸ‘οΈŽ︎ 2 πŸ‘€οΈŽ︎ u/red_dog007 πŸ“…οΈŽ︎ Dec 03 2021 πŸ—«︎ replies

I feel like I’m watching a dude read an article I already read - does he add more info or have a Scooby-Doo moment that makes it worth watching to the end?

πŸ‘οΈŽ︎ 1 πŸ‘€οΈŽ︎ u/jxa πŸ“…οΈŽ︎ Dec 03 2021 πŸ—«︎ replies

TL;DW?

πŸ‘οΈŽ︎ 1 πŸ‘€οΈŽ︎ u/Ploedman πŸ“…οΈŽ︎ Dec 03 2021 πŸ—«︎ replies
Captions
[Music] Welcome to Crosstalk Solutions. My name's Chris, and holy cow, what a roller coaster it has been this evening as we receive some new news about the Ubiquiti breach that happened about eight months ago. So on the screen right here you can see my video from April 1st, 2021. This is a day after we received information from a supposed Ubiquiti whistleblower via Brian Krebs, krebsonsecurity.com, Brian Krebs's blog page. So I made this video as basically a way to say, hey, you might have been hacked, here's the safe thing to do, here's how you reset your credentials, here's how you turn on or reset your multi-factor authentication for Ubiquiti. And then we went into just basically ripping on Ubiquiti for everything that this whistleblower had said, claiming essentially that Ubiquiti had massively downplayed the scope of the breach and, you know, that there's a lot more to it that is not made public, and thankfully this whistleblower is coming forward to let us all know what happened.

Spoiler alert, however: the whistleblower was complete BS. The whistleblower himself that sent the letter to Brian Krebs made it all up, and made it all up because Ubiquiti didn't pay his ransom, right? So he had extorted Ubiquiti for some money. When Ubiquiti didn't pay up he said, well, guess what, now I'm a whistleblower and I'm going to make up all kinds of stuff about Ubiquiti in order to malign them publicly, which actually worked because their stock price dropped dramatically, which we're going to talk about in just a little bit. So links to everything down below, but before we start really digging into this I want to say publicly that you just never know; you can't believe everything that you read online. I fell for this. Me personally, I fell for this hook, line and sinker, right? Because at the time that this happened Ubiquiti had been pretty mum about anything, they weren't really talking about this breach whatsoever, and then this whistleblower comes out, and Krebs on Security is a trusted source in information security, so when he publishes an article like this you have to assume that he did his due diligence to at least, you know, figure out if it was made up or real, or if this person, the whistleblower, is an actual Ubiquiti employee. And so by the time it gets published on, you know, Krebs on Security you'd think that it's pretty bulletproof, right? Turns out it's not. It was completely made up, right? So apologies to Ubiquiti, I guess, for putting out videos like this one where I really ripped into them pretty hard.

So let's talk about everything that happened. So the article that came out today, and again, links to everything down below. By the way, for the latest updates make sure you follow Crosstalk Solutions on Twitter at crosstalk sol; I'm sure I'll be tweeting about this over the next couple of days. And subscribe to Crosstalk Solutions if you haven't done so already. It really, really helps the channel and it is absolutely free; it's literally the least you can do is subscribe with that subscribe button down below.

Okay, so bleepingcomputer.com: Former Ubiquiti dev charged for trying to extort his employer. Nicholas Sharp, a former employee of networking device maker Ubiquiti, was arrested and charged today with data theft and attempting to extort his employer while posing as a whistleblower and an anonymous hacker. As alleged, Nicholas Sharp exploited his access as a trusted insider to steal gigabytes of confidential data from his employer, then, posing as an anonymous hacker, sent the company a nearly two million dollar ransom demand, which is basically a bitcoin demand. At the time it was worth about 1.9 million dollars worth of bitcoin. I think, off the top of my head, I think it was like 50 bitcoin or something like that. All right, so, as further alleged, after the FBI searched his home in connection with the theft, Sharp, now posing as an anonymous company whistleblower, planted damaging news stories falsely claiming the theft had been by a hacker enabled by a vulnerability in the company's computer systems. Again, totally made up. The whistleblower says there's a vulnerability in Ubiquiti stuff and that's how the hacker got in. We're going to talk about that a little bit more, but it was completely made up, because he got in just using his own employee credentials.

Okay, so, exposed by an internet outage. According to the indictment, and we're going to go through the indictment, Sharp stole gigabytes of confidential data from Ubiquiti's AWS and GitHub infrastructure using his cloud administrator credentials, cloning hundreds of GitHub repositories over SSH. Throughout this process the defendant tried hiding his home IP address using Surfshark's VPN services; however, his actual location was exposed after a temporary internet outage. What does that mean? It means he didn't have his VPN kill switch turned on, right? So I've never heard of Surfshark before, but there's a thousand different types of VPN proxy services out there. The one that I like to use is Private Internet Access. Private Internet Access has a VPN kill switch, meaning that if you are not connected through their VPN you have no internet connectivity. It will not let you connect to the internet unless you are connected through their services, right? I think it's called internet kill switch or VPN kill switch, something like that.

To hide his malicious activity, Sharp also altered log retention policies and all other files that would have exposed his identity during the subsequent incident forensic investigation. Among other things, Sharp applied a one-day lifecycle retention policy to certain logs on AWS, which would have the effect of deleting certain evidence of the intruder's activity within one day. So he went to Brian Krebs and he said the reason that Ubiquiti has no idea who committed this crime, who committed this hacking intrusion breach, is because they don't keep log files on their database servers, right? But that's completely made up, that's complete BS, because in reality he changed the log file retention policy in order to hide his activities, right? So he hid his own IP addresses by deleting logs, anything older than one day, and then as a whistleblower went to Brian Krebs and said, well, they don't even keep logs, that's why, you know, that's why they can't find anyone. Crazy, right? This whole thing is absolutely insane.

After Ubiquiti disclosed a security incident in January following Sharp's data theft, while working to assess the scope and remediate the security breach efforts, he also tried extorting the company posing as an anonymous hacker. His ransom note demanded almost 2 million in exchange for returning the stolen files and to identify a remaining vulnerability, which was BS, it was made up. The company refused to pay the ransom and instead found and removed a second backdoor from its systems, changed all employee credentials and issued the January 11 security breach notification. So of course after they didn't pay the ransom he then says, well, screw you, Ubiquiti, I'm gonna go public and make you look really, really bad, and that's what happened. Billions of dollars in losses after stock dropped. After his extortion attempts failed, Sharp shared information with the media while pretending to be a whistleblower and accusing the company of downplaying the incident. This caused Ubiquiti's stock price to fall by roughly 20 percent, from $349 per share on March 30th to $290 per share on April 1st, amounting to losses of over $4 billion in market capitalization in one day. Sharp subsequently re-victimized his employer by causing the publication of misleading news articles about the company's handling of the breach that he had perpetrated, which were followed by a significant drop in the company's share price associated with the loss of billions of dollars in market capitalization. The company confirmed on April 1st that it was the target of an extortion attempt following a January security breach, with no indication that customer accounts were affected, after Sharp, acting as a whistleblower, challenged his employer's take on the breach, saying the incident's actual impact was massive. He also said Ubiquiti did not have a logging system, thus preventing them from checking what data or systems the attacker accessed. This lines up with the DOJ's info on him tampering with the company's logging systems. While the DOJ didn't name Sharp's employer in today's press release or the indictment, all the details perfectly aligned with previous info on the Ubiquiti breach and information presented in Sharp's LinkedIn account. Sharp is charged with four counts and is facing a maximum sentence of 37 years in prison if found guilty, of course, if found guilty on all four counts. Wow, right? Like, what more can you say about that? This story is absolutely insane.

All right, so let's go ahead and dig into the actual indictment from the DOJ. Okay, so here is a PDF copy of the indictment from the United States District Court, Southern District of New York, United States of America versus Nicholas Sharp, defendant. Okay, so four total counts. Count one: computer fraud and abuse. This is the hacking, right? Okay, so the grand jury charges. Number one: at all times relevant to this indictment, Company One was a technology company headquartered in New York, New York. That's Ubiquiti. At all times relevant to the indictment, Nicholas Sharp, the defendant, was a senior software engineer at Company One responsible for software development and cloud infrastructure security, among other things. From at least in or about 2020 up to and including in or about 2021, Nicholas Sharp repeatedly misused administrative access provided to him as an information technology employee to download gigabytes of Company One's confidential data. During the course of this cybersecurity incident, Sharp caused damage to Company One's computer systems by altering log retention policies and other files to conceal his unauthorized activity on the network. While working with the team remediating the effects of the incident, Sharp sent a ransom note to Company One, to Ubiquiti, posing as an anonymous attacker who claimed to have obtained unauthorized access to Ubiquiti's computer networks. The ransom note sought 50 bitcoin, a cryptocurrency, which is the equivalent of approximately 1.9 billion dollars at the time, in exchange for the return of the stolen data and the identification of an existing backdoor or vulnerability to Ubiquiti's computer systems. After Ubiquiti refused the demand, Sharp published a portion of the stolen files on a publicly accessible online platform. Sharp subsequently engaged in a media campaign to malign Ubiquiti's response and disclosures related to the incident while concealing his own role, causing Company One to lose billions of dollars in market capitalization value.

Okay, so number four: at all times relevant to this indictment, Ubiquiti used multiple third-party providers to host its data, basically saying that they used AWS, and the AWS infrastructure included servers that ran a portion of Ubiquiti's operations and hosted certain Ubiquiti system code and credentials. At all times relevant to this indictment, Ubiquiti also subscribed to GitHub. Developers employed by Ubiquiti had individualized accounts on GitHub which provided them with varying levels of access to various repositories hosting the company's code and development projects. Keybase is an encrypted social networking service that permits users to, among other things, send private messages and files directly to other Keybase users and also to upload files that would be publicly available to any Keybase user. A VPN, and then it's just saying this is what a VPN is, and talking about how he used Surfshark. Surfshark is a company headquartered in the British Virgin Islands that sells a commercial VPN service.

Okay, the cybersecurity incident. Here's the detailed breakdown of what actually happened, allegedly, according to this indictment. Nicholas Sharp, the defendant, was employed by Ubiquiti from in or about August 2018 up to and including on or about April 1st, 2021. April 1st, 2021, by the way, the day that I released this video right here. Including throughout the time period of the incident in or about December 2020 and the ransom demand in January 2021. So as he's sending the ransom, all the way up to where he became a whistleblower, he was still working for Ubiquiti. Sharp was a senior developer who had access to credentials for Ubiquiti's GitHub and AWS servers. On or about July 7th, 2020, Nicholas Sharp, the defendant, used his personal PayPal account to purchase a subscription to Surfshark VPN. At all times relevant to this indictment, Nicholas Sharp, the defendant, resided at a residence in Portland, Oregon. Why does this gotta happen in my home state, right? The internet connection from the Sharp residence was associated with a specific internet protocol address, which we're going to call the Sharp IP. That's his home IP address, not his VPN IP address. On or about December 9th, 2020, he applied for a position at a different company. On or about December 10th, 2020, at approximately 2:55 a.m. and again at 3:16 a.m., Nicholas Sharp, the defendant, used his own Ubiquiti credentials to access a particular key on Company One's infrastructure through AWS servers. The connection was made through the Sharp IP, so he did not mask his IP address. The key accessed by Sharp permitted the user to, among other things, obtain access to other credentials within Company One's infrastructure and to run searches through that infrastructure. So basically he connected with his own IP using his own public/private key pair, his own private key, right? Then it says approximately two minutes later, at approximately 3:18 a.m., an attacker connected to the AWS infrastructure using a masked IP provided by Surfshark VPN. The attacker used the same key, the same private key, accessed by Nicholas Sharp, the defendant, two minutes earlier to connect to AWS to run the command get-caller-identity. That command returns the username and account information for the AWS account for which it is run and can validate that the credential is usable. So the guy logged in with his own IP address and his own private key, then logged out, fired up his VPN and then logged back in with his same exact private key, supposedly as the attacker. Now that's not too bright. Not too bright, Mr. Nicholas Sharp.

On December 21st, 2020, at approximately 9:58 p.m., Nicholas Sharp, the defendant, logged into the company's GitHub using his own work credentials. He logged in through his Sharp IP address, his own, you know, Portland, Oregon based IP address, and viewed the names of certain repositories and of data. Approximately one minute later the defendant used the Surfshark VPN that masked his true IP to log into GitHub through SSH using Ubiquiti's high-level GitHub account. Sharp used the SSH connection to execute a series of commands to clone Ubiquiti's repository of data to Sharp's computer. So again, he logged in as himself, logged out, fired up his VPN, logged back in, and then started cloning all of their GitHub repositories. Although throughout the vast majority of the incident Nicholas Sharp, the defendant, successfully masked his true IP address through Surfshark VPN, in one fleeting instance during the exfiltration of data the Sharp IP address was logged making an SSH connection to the GitHub server. Between December 21st at approximately 11:47 p.m. and December 22nd at approximately 2:16 a.m., Sharp used the Surfshark VPN-masked connection while cloning the repositories. No further clone commands were processed until approximately 39 minutes later, at approximately 2:55 a.m., when GitHub Account 1 received a command to clone another repository from the Sharp IP address associated with his residence. Approximately 9 minutes later the clone commands continued from GitHub, once again masked by the Surfshark IP. So again, he didn't have his kill switch turned on, and he somehow connected and was doing all this stuff, he ran one clone command as himself accidentally, and that's how he got caught. I mean, there's a lot of evidence here, but that's basically, that was sort of the smoking gun evidence right there.

On December 22nd at approximately 2:16 a.m. the attacker's exfiltration command stopped. At around the same time the internet service at the Sharp residence went down. At approximately 2:54 a.m. the internet service at the Sharp residence was re-enabled, and approximately one minute later the Sharp IP was logged, unmasked by any VPN, using GitHub Account 1 to continue sending clone commands. Over the next several hours Nicholas Sharp, the defendant, cloned approximately 155 repositories from Ubiquiti through GitHub using the Surfshark VPN to once again mask his IP address. The defendant accessed Ubiquiti's GitHub or AWS data using the Surfshark VPN through at least on or about December 26, 2020. Among other things, Sharp applied one-day lifecycle retention policies to certain logs on AWS, which would have the effect of deleting certain evidence of the intruder's activity within one day.

Now here's where it kind of starts to get interesting, because remember, he's still working for Ubiquiti while all of this is happening. In fact, he's part of the incident response team trying to figure out what happened. The incident was discovered by other employees of Ubiquiti on or about December 28, 2020. At the time, Nicholas Sharp joined a team working to assess the scope and damage caused by the incident and remediate its effects, all while concealing his role in committing the incident. Sharp made numerous false statements to Company One's employees and agents to evade detection. For example, upon the team's identification of Surfshark VPN as the tool used by the attacker, Sharp pretended to have never used Surfshark VPN himself. What, Surfshark? I never heard of such a thing. Surfshark, so weird, who's ever heard of Surfshark?

On or about January 7, 2021, at approximately 4:01 a.m., senior employees at Ubiquiti, including an employee located in Manhattan, New York, received a ransom email. So this is January 7th, right? This is maybe a week or two after the incident. They received a ransom email from the perpetrator of the incident. The email was sent through an IP address again associated with Surfshark VPN. The ransom email offered, in substance, to return the stolen data and not to publish or use it in exchange for the payment of 25 bitcoin. I think it was 50 bitcoin before; now it's 25. The ransom email also offered to identify a purportedly still unblocked backdoor used by the attacker for the sum of another 25 bitcoin. Oh, I see, so he'd return all the data and not make it public for 25 bitcoin, and then for the low, low price of another 25 bitcoin he would let them know about this vulnerability that he used to get in, which I think was completely made up. The ransom email also referenced a chat communication on Keybase sent by the attacker to a senior security employee at Ubiquiti. The Keybase communication contained a copy of the ransom email text as well as uploaded examples of Ubiquiti's stolen data. Ubiquiti did not pay the ransom prior to the ransom deadline set forth in the ransom email. On or about January 9th at approximately 11:57 p.m., three minutes before the ransom deadline was to expire, Nicholas Sharp, the defendant, sent an employee of Ubiquiti a message on Keybase as the anonymous perpetrator of the incident. The message read, quote, no bitcoin no talk we done here we done. The message contained a link to a public Keybase folder on which the perpetrator had uploaded certain of Ubiquiti's stolen proprietary data for public access. Company One promptly caused Keybase to remove the folder.

On or about January 29th, 2021, Nicholas Sharp, the defendant, wiped and reset the laptop computer he used to perpetrate the incident, about a month, 20 days, later after he sent that ransom demand. Then he wiped his laptop, and then on March 24th agents from the FBI executed a search warrant on the Sharp residence, so at this point they basically already knew that it was him, and seized electronic devices belonging to Nicholas Sharp, the defendant. In the course of the execution of that search, Sharp made numerous false statements to the FBI agents. You do not lie to the FBI; that's another thing I think that he is also getting in trouble for, including, among other things, in substance, that he was not the perpetrator of the incident and that he had not used Surfshark VPN prior to discovery of the incident. I didn't use Surfshark VPN to hack Ubiquiti, sir. We didn't say anything about Surfshark VPN. Oh, shoot. When confronted with records demonstrating that Sharp bought the Surfshark VPN service in July 2020, approximately six months prior to the incident, Sharp falsely stated, in part and substance, that someone else must have used his PayPal account to make the purchase. Several days after the FBI executed a search warrant on the Sharp residence and seized certain electronic devices belonging to Nicholas Sharp, the defendant, Sharp caused false or misleading news stories to be published about the incident and Ubiquiti's disclosures and response to the incident. Okay, so that is essentially his letter to Brian Krebs. Now notice that March 24th is when he was raided by the FBI, and then the Brian Krebs article was published on March 30th, so just almost a week later. In particular, Sharp pretended that Ubiquiti had been hacked by an unidentified perpetrator who maliciously acquired root administrator access to Ubiquiti's AWS accounts. In fact, as Sharp well knew, Sharp had taken Company One's data using credentials to which he had access in his role as Ubiquiti's AWS cloud administrator, and Sharp had used that data in a failed attempt to extort Ubiquiti for millions of dollars. Following the publication of these articles, between Tuesday, March 30th and Wednesday, March 31st, Ubiquiti stock price fell approximately twenty percent, losing over four billion dollars in market capitalization. That hurts. That is a big ouch. As a result of perpetrating the incident, Nicholas Sharp, the defendant, caused far in excess of five thousand dollars in losses to Ubiquiti, which included costs incurred by Company One to retain forensic outside experts to investigate the incident and remediate harm caused by Sharp. Basically saying that, you know, above $5,000 in damage to the company I think is just a different level of crime than something that's going to be below $5,000. So the combination of Ubiquiti having to hire people to figure out exactly what happened, as well as the stock hit that they took, it caused damages to Ubiquiti, you know, apparently well in excess of billions of dollars, let alone five thousand dollars.

Okay, so that's just count one of four counts. All right, count two is extortion, right? So this is him extorting Ubiquiti for 50 bitcoin. From at least in or about 2020 up to at least in or about January 2021, in the Southern District of New York and elsewhere, Nicholas Sharp, the defendant, knowingly and with intent to extort from a person, firm, association and corporation any money or other thing of value, transmitted in interstate and foreign commerce a communication containing a threat to injure the property and reputation of the addressee and of another, to wit, Sharp transmitted an interstate email and other electronic messages to Ubiquiti seeking a ransom of 50 bitcoin. Count three, wire fraud: Nicholas Sharp, the defendant, willfully and knowingly, having devised and intended to devise a scheme or artifice to defraud and for obtaining money and property by means of false and fraudulent pretenses, representations and promises, transmitted and caused to be transmitted by means of wire, radio and television communication in interstate and foreign commerce, blah blah blah blah blah blah blah. He committed wire fraud, allegedly. And then count four, making false statements. This is essentially him lying to the FBI and saying, ah, I don't know what you're talking about, sir. Surfshark? I've never heard of Surfshark VPN. But sir, we have you purchasing Surfshark VPN. Uh, yeah, yeah, yeah, maybe, uh, no, that was something else, that wasn't Surfshark, I have never heard of Surfshark.

So essentially that's basically the whole thing, and man, what a crazy story. I'm interested to see what Brian Krebs has to say about this, because a lot of this blew up because of him. I mean, his article, you know, the whistleblower sent information to Brian Krebs, who then published it, and then everyone else followed suit, including myself, putting out a video about it one day later. So now we're putting out another video. I want to be the first one to get this video out, because I am first to admit when I'm wrong about anything, and it looks like in this case the video that I put out on April 1st, 2020, while the substance of the video in terms of how to protect your account, change your password, disable and re-enable multi-factor authentication, etc., etc., that's all valid and good information, but all of the rest of it was based on complete BS. Okay, and so you can't always believe everything that you see, everything that you read, everything that hits you in the face from online sources and social media. What do you guys think about this story? Put your comments down below. I'd love to hear your thoughts; I'm going to read absolutely every single one of them. And hopefully I can get this video out really quickly, but if you guys enjoyed this video make sure you give me a thumbs up, remember to subscribe to Crosstalk Solutions if you haven't done so already, follow us on Twitter at crosstalk sol, and we will see you in the next video. [Music]
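As an added example (not code from the video, from Ubiquiti, or from the indictment), here are two defender-side checks for the anti-forensic patterns the transcript describes: a lifecycle rule that expires a log bucket's objects within a day, and the same credential appearing from a new source IP minutes after its previous use. It runs over constructed CloudTrail-style records; the field names follow CloudTrail's schema, while the bucket naming convention, the retention floor and every value (account id, ARNs, buckets, IPs, times) are assumptions made for this example.

```python
"""Added example: two detection checks over constructed CloudTrail-style
records.  Field names follow CloudTrail's schema; all values are made up."""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real logs). Event 1 -> 2 is the "own IP, then
# VPN exit with the same key, two minutes later" pattern; event 3 is a one-day
# expiration rule on a log bucket; event 4 is a benign rule on a non-log bucket.
SAMPLE_EVENTS = json.loads("""[
 {"eventTime": "2020-12-10T03:16:00Z", "eventName": "GetObject",
  "eventSource": "s3.amazonaws.com", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-admin"},
  "requestParameters": {"bucketName": "corp-secrets", "key": "keys/deploy.pem"}},
 {"eventTime": "2020-12-10T03:18:00Z", "eventName": "GetCallerIdentity",
  "eventSource": "sts.amazonaws.com", "sourceIPAddress": "198.51.100.77",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-admin"},
  "requestParameters": null},
 {"eventTime": "2020-12-23T01:02:00Z", "eventName": "PutBucketLifecycle",
  "eventSource": "s3.amazonaws.com", "sourceIPAddress": "198.51.100.77",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-admin"},
  "requestParameters": {"bucketName": "corp-cloudtrail-logs",
   "LifecycleConfiguration": {"Rule": [{"ID": "cleanup", "Status": "Enabled",
                                        "Expiration": {"Days": 1}}]}}},
 {"eventTime": "2020-12-23T01:05:00Z", "eventName": "PutBucketLifecycle",
  "eventSource": "s3.amazonaws.com", "sourceIPAddress": "198.51.100.77",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-admin"},
  "requestParameters": {"bucketName": "marketing-assets",
   "LifecycleConfiguration": {"Rule": [{"ID": "archive", "Status": "Enabled",
                                        "Expiration": {"Days": 365}}]}}}
]""")

LOG_BUCKET_HINTS = ("log", "cloudtrail", "audit")  # hypothetical naming convention
MIN_LOG_RETENTION_DAYS = 90                          # hypothetical policy floor


def _parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def short_log_retention(events, min_days=MIN_LOG_RETENTION_DAYS):
    """Flag enabled lifecycle rules that would expire objects in a log bucket
    sooner than the policy floor. Returns (bucket, days, principal arn) tuples."""
    hits = []
    for ev in events:
        if ev["eventName"] not in ("PutBucketLifecycle", "PutBucketLifecycleConfiguration"):
            continue
        params = ev.get("requestParameters") or {}
        bucket = params.get("bucketName", "")
        if not any(hint in bucket.lower() for hint in LOG_BUCKET_HINTS):
            continue
        rules = (params.get("LifecycleConfiguration") or {}).get("Rule", [])
        if isinstance(rules, dict):  # a single rule may be logged as an object
            rules = [rules]
        for rule in rules:
            if rule.get("Status") != "Enabled":
                continue
            days = (rule.get("Expiration") or {}).get("Days")
            if days is not None and days < min_days:
                hits.append((bucket, days, ev["userIdentity"]["arn"]))
    return hits


def credential_ip_flips(events, window_minutes=10):
    """Flag one principal being used from a different source IP within a short
    window. Returns (arn, previous ip, new ip, minutes apart) tuples."""
    by_principal = defaultdict(list)
    for ev in events:
        by_principal[ev["userIdentity"]["arn"]].append(ev)
    flips = []
    for arn, evs in by_principal.items():
        evs.sort(key=lambda e: _parse_time(e["eventTime"]))
        for prev, cur in zip(evs, evs[1:]):
            delta = _parse_time(cur["eventTime"]) - _parse_time(prev["eventTime"])
            gap = delta.total_seconds() / 60
            if prev["sourceIPAddress"] != cur["sourceIPAddress"] and gap <= window_minutes:
                flips.append((arn, prev["sourceIPAddress"], cur["sourceIPAddress"], gap))
    return flips


if __name__ == "__main__":
    for bucket, days, arn in short_log_retention(SAMPLE_EVENTS):
        print(f"ALERT: retention on {bucket} cut to {days} day(s) by {arn}")
    for arn, old_ip, new_ip, gap in credential_ip_flips(SAMPLE_EVENTS):
        print(f"ALERT: {arn} moved from {old_ip} to {new_ip} within {gap:.0f} min")
```

Both checks only see what CloudTrail recorded, so the retention check is also a reason to deliver trail logs to a bucket whose lifecycle and object lock the administrator account cannot change.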
Info
Channel: Crosstalk Solutions
Views: 86,414
Keywords: Ubiquiti Breach, crosstalk, crosstalk solutions, ubiquiti breach 2021, ubiquiti breach 2020, hack, ubiquiti hack, ubiquity
Id: paLm0tP5GbI
Length: 26min 15sec (1575 seconds)
Published: Thu Dec 02 2021