Ubiquiti Developer Charged With Extortion, Causing 2020 “Breach” – Krebs on Security
In January 2021, technology vendor Ubiquiti Inc. [NYSE:UI] disclosed that a breach at a third-party cloud provider had exposed customer account credentials. In March, a Ubiquiti employee warned that the company had drastically understated the scope of the incident, and that the third-party cloud provider claim was a fabrication. On Wednesday, a former Ubiquiti developer was arrested and charged with stealing data and trying to extort his employer while pretending to be a whistleblower.
Federal prosecutors say Nickolas Sharp, a senior developer at Ubiquiti, actually caused the “breach” that forced Ubiquiti to disclose a cybersecurity incident in January. They allege that in late December 2020, Sharp applied for a job at another technology company, and then abused his privileged access to Ubiquiti’s systems at Amazon’s AWS cloud service and the company’s GitHub accounts to download large amounts of proprietary data.
Sharp’s indictment doesn’t specify how much data he allegedly downloaded, but it says some of the downloads took hours, and that he cloned approximately 155 Ubiquiti data repositories via multiple downloads over nearly two weeks.
On Dec. 28, other Ubiquiti employees spotted the unusual downloads, which had leveraged internal company credentials and a Surfshark VPN connection to hide the downloader’s true Internet address. Assuming an external attacker had breached its security, Ubiquiti quickly launched an investigation.
But Sharp was a member of the team doing the forensic investigation, the indictment alleges.
“At the time the defendant was a part of a team working to assess the scope and damage caused by the incident and remediate its effects, all while concealing his role in committing the incident,” wrote prosecutors with the Southern District of New York.
According to the indictment, on January 7 a senior Ubiquiti employee received a ransom email. The message was sent through an IP address associated with the same Surfshark VPN. The ransom message warned that internal Ubiquiti data had been stolen, and that the information would not be used or published online as long as Ubiquiti agreed to pay 25 Bitcoin.
The ransom email also offered to identify a purportedly still unblocked “backdoor” used by the attacker for the sum of another 25 Bitcoin (the total amount requested was equivalent to approximately $1.9 million at the time). Ubiquiti did not pay the ransom demands.
Investigators say they were able to tie the downloads to Sharp and his work-issued laptop because his Internet connection briefly failed on several occasions while he was downloading the Ubiquiti data. Those outages were enough to prevent Sharp’s Surfshark VPN connection from functioning properly, thus exposing his real Internet address as the source of the downloads.
When FBI agents raided Sharp’s home on Mar. 24, he reportedly maintained his innocence and told agents someone else must have used his PayPal account to purchase the Surfshark VPN subscription.
Several days after the FBI executed its search warrant, Sharp “caused false or misleading news stories to be published about the incident,” prosecutors say. Among the claims made in those news stories was that Ubiquiti had neglected to keep access logs that would allow the company to understand the full scope of the intrusion. In reality, the indictment alleges, Sharp had shortened to one day the amount of time Ubiquiti’s systems kept certain logs of user activity in AWS.
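Two details in this story are detectable signals rather than just plot points: a VPN tunnel that drops mid-session, so the same account suddenly appears from a non-VPN address a minute or two after its last VPN-sourced request, and an API call that shortens log retention to a day. The script below is an added example written for this page, not Ubiquiti's tooling and not anything described in the indictment. It runs over constructed CloudTrail-style JSON lines embedded inline; the VPN egress range (203.0.113.0/24), the 90-day retention floor, the 10-minute session window and the assumption that the retention change was made via the CloudWatch Logs `PutRetentionPolicy` call are all illustrative choices, since the indictment says only that "certain logs" in AWS were shortened.

```python
"""Detect two insider-threat signals over CloudTrail-style JSON lines:
(1) a VPN-masked session that leaks the user's real address when the
tunnel drops, and (2) log retention reduced below a policy floor or
audit logging stopped outright. Sample data is constructed, not real."""
import ipaddress
import json
from datetime import datetime, timedelta

# Assumed VPN egress prefix (documentation range standing in for a
# commercial VPN provider's exit nodes).
VPN_EGRESS_NETS = [ipaddress.ip_network("203.0.113.0/24")]
# Assumed organisational minimum for log retention, in days.
MIN_RETENTION_DAYS = 90
# Consecutive events closer than this are treated as one working session.
SESSION_WINDOW = timedelta(minutes=10)
# Real CloudTrail eventNames that remove audit trail; whether any appeared
# in the Ubiquiti logs is not stated in the article.
LOG_WEAKENING_CALLS = {"StopLogging", "DeleteTrail", "DeleteLogGroup"}

# Constructed sample events (dev1 loses the VPN for one request at 01:42:30
# and later cuts retention to 1 day; ops is benign).
SAMPLE_LOG = """\
{"eventTime":"2020-12-20T01:00:00Z","eventName":"GetObject","sourceIPAddress":"203.0.113.10","userIdentity":{"userName":"dev1"}}
{"eventTime":"2020-12-20T01:40:00Z","eventName":"GetObject","sourceIPAddress":"203.0.113.10","userIdentity":{"userName":"dev1"}}
{"eventTime":"2020-12-20T01:42:30Z","eventName":"GetObject","sourceIPAddress":"198.51.100.77","userIdentity":{"userName":"dev1"}}
{"eventTime":"2020-12-20T01:45:00Z","eventName":"GetObject","sourceIPAddress":"203.0.113.10","userIdentity":{"userName":"dev1"}}
{"eventTime":"2020-12-21T03:10:00Z","eventName":"PutRetentionPolicy","sourceIPAddress":"203.0.113.10","userIdentity":{"userName":"dev1"},"requestParameters":{"logGroupName":"/aws/cloudtrail/audit","retentionInDays":1}}
{"eventTime":"2020-12-21T09:00:00Z","eventName":"PutRetentionPolicy","sourceIPAddress":"192.0.2.5","userIdentity":{"userName":"ops"},"requestParameters":{"logGroupName":"/aws/lambda/app","retentionInDays":365}}
{"eventTime":"2020-12-22T09:00:00Z","eventName":"GetObject","sourceIPAddress":"192.0.2.5","userIdentity":{"userName":"ops"}}
{"eventTime":"2020-12-22T18:00:00Z","eventName":"GetObject","sourceIPAddress":"203.0.113.44","userIdentity":{"userName":"ops"}}
"""


def parse_events(text):
    """Parse JSON lines into dicts, adding parsed time and user, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["_time"] = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        ev["_user"] = ev.get("userIdentity", {}).get("userName", "unknown")
        events.append(ev)
    return sorted(events, key=lambda e: e["_time"])


def _is_vpn(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in VPN_EGRESS_NETS)


def find_vpn_leaks(events, window=SESSION_WINDOW):
    """Flag a user whose consecutive requests inside one session window flip
    between a VPN exit and a non-VPN address; the non-VPN address is the
    likely real client address. Each (user, ip, time) is reported once."""
    by_user = {}
    for ev in events:
        by_user.setdefault(ev["_user"], []).append(ev)
    findings, seen = [], set()
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            if cur["_time"] - prev["_time"] > window:
                continue  # different session; an address change is expected
            if _is_vpn(prev["sourceIPAddress"]) == _is_vpn(cur["sourceIPAddress"]):
                continue
            leaked = prev if _is_vpn(cur["sourceIPAddress"]) else cur
            key = (user, leaked["sourceIPAddress"], leaked["eventTime"])
            if key not in seen:
                seen.add(key)
                findings.append({"user": user, "leaked_ip": key[1], "time": key[2]})
    return findings


def find_log_tampering(events, floor=MIN_RETENTION_DAYS):
    """Flag retention set below the floor and calls that stop or delete logs."""
    findings = []
    for ev in events:
        name, params = ev["eventName"], ev.get("requestParameters") or {}
        days = params.get("retentionInDays")
        if name == "PutRetentionPolicy" and days is not None and days < floor:
            findings.append({"user": ev["_user"], "call": name, "time": ev["eventTime"],
                             "target": params.get("logGroupName"), "retention_days": days})
        elif name in LOG_WEAKENING_CALLS:
            findings.append({"user": ev["_user"], "call": name, "time": ev["eventTime"],
                             "target": params.get("name") or params.get("logGroupName"),
                             "retention_days": 0})
    return findings


def analyze(text):
    events = parse_events(text)
    return {"vpn_leaks": find_vpn_leaks(events), "log_tampering": find_log_tampering(events)}


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

On the sample data the VPN check reports one leak for `dev1` from 198.51.100.77 and ignores `ops`, whose address change spans nine hours; the retention check reports only the one-day `PutRetentionPolicy` call. In a real deployment the retention alert is the higher-value one: it is cheap, it fires before the evidence is gone, and it has almost no benign cause outside a change window.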
“Following the publication of these articles, between Tuesday, March 30, 2021 and Wednesday March 31, [Ubiquiti’s] stock price fell approximately 20 percent, losing over 4 billion dollars in market capitalization,” the indictment states.
Sharp faces four criminal counts, including wire fraud, intentionally damaging protected computers, transmission of interstate communications with intent to extort, and making false statements to the FBI.
News of Sharp’s arrest was first reported by BleepingComputer, which wrote that while the Justice Department did not name Sharp’s employer in its press release or indictment, all the details align with previous reporting on the Ubiquiti incident and information provided in Sharp’s LinkedIn account. A link to the indictment is here (PDF).