
Former Ubiquiti dev charged for being behind the Ubiquiti hack

Yesat

Summary


  • Nickolas Sharp was arrested and charged by the DOJ for hacking Ubiquiti Networks in December
  • Sharp worked for Ubiquiti between 2018 and 2021 and was part of the internal team that was charged with responding to the hack
  • Sharp used internal AWS and GitHub credentials to access the data behind a VPN, falsifying logs and evidence of the data theft.
  • Sharp tried to extort 50 BTC ($2 million) in January in exchange for the stolen data and details on the vulnerabilities used, which Ubiquiti refused.
  • Sharp then went to the press as a whistleblower in March to reveal the extent of the hack, after having been interrogated by the FBI, as his VPN and PayPal accounts had been shown to be used by the attacker.
  • The reports by the press led to Ubiquiti losing over 4 billion in market capitalisation.
  • Sharp was fired by Ubiquiti a few days after and is now facing 37 years in prison.


Quotes

Quote

"As alleged, Nickolas Sharp exploited his access as a trusted insider to steal gigabytes of confidential data from his employer, then, posing as an anonymous hacker, sent the company a nearly $2 million ransom demand," U.S. Attorney Damian Williams said today.

Quote

Days after the FBI raided his home, investigators said that Sharp continued his streak of bad decisions and posed as a whistleblower and reached out to news outlets to plant damaging stories about Ubiquiti’s catastrophic hack and its aftermath.

My thoughts

It really feels like a story out of a movie. An employee of the company steals information, goes to the company under a false identity to claim money, then, when the police come to him, goes all in and poses as a whistleblower, which works.

But it also clears up quite a bit of what exactly happened at Ubiquiti around this hack, making them look better than they did back in the fall, when their answer to the whistleblower claims felt quite weak.

 

Sources

https://www.bleepingcomputer.com/news/security/former-ubiquiti-dev-charged-for-trying-to-extort-his-employer/

https://therecord.media/former-ubiquiti-employee-charged-with-hacking-and-extorting-company/
https://www.justice.gov/usao-sdny/pr/former-employee-technology-company-charged-stealing-confidential-data-and-extorting

If true, this is probably the best outcome from this as it shows it was not an actual breach, just a bad actor thinking he had a foolproof plan to get rich quick. 


That dude doesn't sound like the sharpest crayon in the box. He thought to use a VPN but decided he would go with Surfshark out of all of the available ones, and then he didn't even enable a kill switch, so it leaked his own IP 🤣

As a Ubiquiti user though I'm glad it was just some internal person doing this and not an actual hacker that got in. Makes me feel better about their security.


5 hours ago, SlidewaysZ said:

As a Ubiquiti user though I'm glad it was just some internal person doing this and not an actual hacker that got in. Makes me feel better about their security.

Does it tho? Knowing that any employee can go rogue and do this is even scarier in my mind. A good security policy has to protect against internal breaches too. And for a company this big there is no excuse for one employee having this much access to sensitive data.


The majority of security issues are always from INSIDE a company. It is good to see him get caught and have to pay... but this is really just another reason to have proper TNO (Trust No One) security in place at every level, from the inside through the outside customer. Maybe someday we'll get there.


3 hours ago, dilpickle said:

Does it tho? Knowing that any employee can go rogue and do this is even scarier in my mind. A good security policy has to protect against internal breaches too. And for a company this big there is no excuse for one employee having this much access to sensitive data.

The problem is that inevitably, some employee will have access to sensitive data and can leak it.

Yes, there might be lessons to learn for Ubiquiti in terms of better internal security, but as an employer, they can never be sure that one of their employees won't just steal data or intentionally allow a breach.

For example, in most companies, at least one (if not multiple) person in IT can likely bring the entire company down, or steal everything, if they wanted to.

This definitely reveals new insight into the situation, and Ubiquiti is far less at fault than they were originally portrayed.

That doesn't mean that Ubiquiti cannot improve security to try and limit or prevent these types of situations from happening - ideally they would have already implemented some new processes to limit this kind of attack, but you can never fully protect yourself from an inside job.


17 hours ago, dalekphalm said:

For example, in most companies, at least one (if not, multiple) person in IT can likely bring the entire company down, or steal everything, if they wanted to.

And if it's not an employee, you always have the risk that a higher-up might sabotage a company for their own profit.

Ubiquiti seem to have done a lot of stuff right regarding their response, but they couldn't control the message of it, especially after Sharp went out to the press as a whistleblower while under investigation by the FBI.


On 12/2/2021 at 11:22 AM, dilpickle said:

Does it tho? Knowing that any employee can go rogue and do this is even scarier in my mind. A good security policy has to protect against internal breaches too. And for a company this big there is no excuse for one employee having this much access to sensitive data.

It all comes down to trust, and whom you delegate access to. You give the keys to the kingdom to a few select employees you trust, or spread that out over many more employees with a limited scope of access. But there's always a risk of an insider job. The question comes down to the risk of it occurring, and how bad the fallout is from it.


"Quis custodiet ipsos custodes?"


On 12/2/2021 at 3:25 AM, Yesat said:

It really feels like a story out of a movie. An employee of the company steals information, goes to the company under a false identity to claim money, then, when the police come to him, goes all in and poses as a whistleblower, which works.

Most "hacks" involve insiders.

a) The hacker is an existing employee

b) The hacker is a former employee

c) The hacker is a contract employee that was subcontracted by the employer

d) The hacker is a former employee of a subcontract

e) The hacker socially engineered someone they know who works there (see previous 4 points)

f) The hacker claims to have hacked the site and wants to talk to someone who can pay them to reveal what they did/have, even if they don't have that information, and then once that person's name is revealed, they pretend to be that person to other employees.

g) The hacker phished the customer support/tech support

It's rare to have a hack that was just done without some insider being the hacker or being socially engineered to let the hacker in.

Usually other styles of hacks involve dumping databases of security-weak products (e.g. NoSQL databases) or the programming language (e.g. PHP, JavaScript (Node.js), Python) because of the ol' "bobby; drop tables" type of problem.
