Skip to product menu
close
  • Recent Launches
    Press Space or Enter to display list of options
EXPLORE ALL PRODUCTS

Recent Launches

New

Payroll software with automated tax payments and filing.

Try now
New

Robotic process automation software to automate high-volume, rule-based tasks.

Try for free
New

Low-code IoT platform and solutions for connected businesses.

Try now
New

Business formation service to launch and grow your businesses.

Try now
New

Privacy-friendly application analytics solution.

Try for free

Sales

 
CRM

Comprehensive CRM platform for customer-facing teams.

CRM
 
Bigin

Simple CRM for small businesses moving from spreadsheets.

Bigin
 
Forms

Build online forms for every business need.

Forms
 
SalesIQ

Live chat app to engage and convert website visitors.

SalesIQ
 
Bookings

Appointment scheduling app for consultations with customers.

Bookings
 
Sign

Digital signature app for businesses.

Sign
 
RouteIQ

Comprehensive sales map visualization and optimal route planning solution.

RouteIQ
 
Thrive

Complete loyalty and affiliate management platform.

Thrive
 
Voice

Cloud Contact Center Software for businesses.

Voice
 
Suites
CRM Plus

Unified platform to deliver top-notch customer experience.

CRM Plus

Marketing

 
Social

All-in-one social media management software.

Social
 
Campaigns

Create, send, and track targeted email campaigns that drive sales.

Campaigns
 
Forms

Build online forms for every business need.

Forms
 
Survey

Design surveys to reach and interact with your audience.

Survey
 
Sites

Online website builder with extensive customisation options.

Sites
 
PageSense

Website conversion optimization and personalisation platform.

PageSense
 
Backstage

End-to-end event management software.

Backstage
 
Webinar

Webinar platform for webcasting online webinars.

Webinar
 
Marketing Automation

All-in-one marketing automation software.

Marketing Automation
 
LandingPage

Smart landing page builder to increase conversion rates

LandingPage
 
Publish

Manage all your local business listings on a single platform.

Publish
 
SalesIQ

Live chat app to engage and convert website visitors.

SalesIQ
 
Sign

Digital signature app for businesses.

Sign
 
Thrive

Complete loyalty and affiliate management platform.

Thrive
 
Voice

Cloud Contact Center Software for businesses.

Voice
 
NEW
LeadChain

Sync, manage, and convert leads across channels seamlessly.

LeadChain
 
NEW
CommunitySpaces

Online community platform for individuals and businesses to grow their network and brand.

CommunitySpaces
 
Suites
Marketing Plus

Unified marketing platform for marketing teams.

Marketing Plus

Commerce and POS

 
Commerce

eCommerce platform to manage and market your online store.

Commerce

Service

 
Desk

Helpdesk software to deliver great customer support.

Desk
 
Assist

Remote support and unattended remote access software.

Assist
 
Lens

Interactive remote assistance software with augmented reality.

Lens
 
FSM

End-to-end field service management platform for service businesses.

FSM
 
SalesIQ

Live chat app to engage and convert website visitors.

SalesIQ
 
Voice

Cloud Contact Center Software for businesses.

Voice
 
NEW
Solo

The all-in-one toolkit for solopreneurs.

Solo
 
Bookings

Appointment scheduling app for consultations with customers.

Bookings
 
Suites
Service Plus

Unified platform for customer service and support teams.

Service Plus

Finance

 
Books

Powerful accounting platform for growing businesses.

Books
 
FREE
Invoice

100% Free invoicing solution.

Invoice
 
Expense

Effortless expense reporting platform.

Expense
 
Inventory

Powerful stock management and inventory control software.

Inventory
 
Billing

End-to-end billing solution for your business.

Billing
 
Checkout

Collect payments online with custom branded pages.

Checkout
 
NEW
Payroll

Payroll software with automated tax payments and filing.

Payroll
 
NEW
Solo

The all-in-one toolkit for solopreneurs.

Solo
 
Practice

Practice management software for accounting firms.

Practice
 
Sign

Digital signature app for businesses.

Sign
 
Commerce

eCommerce platform to manage and market your online store.

Commerce
 
Suites
Finance Plus

All-in-one suite to manage your operations and finances.

Finance Plus

Email and Collaboration

 
Mail

Secure email service for teams of all sizes.

Mail
 
Meeting

Online meeting software for all your video conferencing & webinar needs.

Meeting
 
Writer

Word processor for focused writing and discussions.

Writer
 
Sheet

Spreadsheet software for collaborative teams.

Sheet
 
Show

Create, edit, and share slides with a sleek presentation app.

Show
 
Notebook

Beautiful home for all your notes.

Notebook
 
Cliq

Stay in touch with teams no matter where you are.

Cliq
 
Connect

Employee experience platform to communicate, engage, and build positive employee relations.

Connect
 
Bookings

Appointment scheduling app for consultations with customers.

Bookings
 
TeamInbox

Shared inboxes for teams.

TeamInbox
 
WorkDrive

Online file management for teams.

WorkDrive
 
Sign

Digital signature app for businesses.

Sign
 
Office Suite

Powerful collaborative work platform for teams.

Office Suite
 
Office Integrator

Built in document editors for web apps.

Office Integrator
 
ZeptoMail

Secure and reliable transactional email sending service.

ZeptoMail
 
Calendar

Online business calendar to manage events and schedule appointments.

Calendar
 
Learn

Knowledge and learning management platform.

Learn
 
Voice

Cloud Contact Center Software for businesses.

Voice
 
ToDo

Collaborative task management for individuals and teams.

ToDo
 
Tables

Work management tool to connect people, processes, and information.

Tables
 
FREE
PDF Editor

Collaborative online PDF editing tool.

PDF Editor
 
Suites
Workplace

Application suite built to improve team productivity and collaboration.

Workplace

Human Resources

 
People

Organize, automate, and simplify your HR processes.

People
 
Recruit

Intuitive recruiting platform built to provide hiring solutions.

Recruit
 
Expense

Effortless expense reporting platform.

Expense
 
Workerly

Manage temporary staffing with an employee scheduling solution.

Workerly
 
NEW
Payroll

Payroll software with automated tax payments and filing.

Payroll
 
Shifts

Employee scheduling and time tracking app.

Shifts
 
Sign

Digital signature app for businesses.

Sign
 
Suites
People Plus

Comprehensive HR platform for seamless employee experiences.

People Plus

Security and IT Management

 
Creator

Build custom apps to simplify business processes.

Creator
 
Directory

Workforce identity and access management solution for cloud businesses.

Directory
 
FREE
OneAuth

Secure multi-factor authenticator (MFA) for all your online accounts.

OneAuth
 
Vault

Online password manager for teams.

Vault
 
Catalyst

Pro-code platform to build and deploy your apps.

Catalyst
 
Toolkit

Complete resource for any admin-related lookup queries.

Toolkit
 
Lens

Interactive remote assistance software with augmented reality.

Lens
 
Assist

Remote support and unattended remote access software.

Assist
 
QEngine

Test automation software to build, manage, execute, and report testcases.

QEngine
 
NEW
RPA

Automate manual, tedious, and repetitive tasks easily.

RPA

BI and Analytics

 
Analytics

Modern self-service BI and analytics platform.

Analytics
 
Embedded BI

Embedded analytics and white label BI solutions, tailored for your needs.

Embedded BI
 
DataPrep

AI-powered data preparation service for your data-driven organization.

DataPrep
 
NEW
IoT

Harnessing IoT analytics for real-time operational intelligence.

IoT

Project Management

 
Projects

Manage, track, and collaborate on projects with teams.

Projects
 
Sprints

Planning and tracking tool for scrum teams.

Sprints
 
BugTracker

Automatic bug tracking software for managing bugs.

BugTracker
 
NEW
Solo

The all-in-one toolkit for solopreneurs.

Solo

Developer Platforms

 
Creator

Build custom apps to simplify business processes.

Creator
 
Flow

Automate business workflows by creating smart integrations.

Flow
 
Catalyst

Pro-code platform to build and deploy your apps.

Catalyst
 
Office Integrator

Built in document editors for web apps.

Office Integrator
 
ZeptoMail

Secure and reliable transactional email sending service.

ZeptoMail
 
QEngine

Test automation software to build, manage, execute, and report testcases.

QEngine
 
Tables

Work management tool to connect people, processes, and information.

Tables
 
NEW
RPA

Automate manual, tedious, and repetitive tasks easily.

RPA
 
NEW
Apptics

Application analytics for all apps.

Apptics
 
Embedded BI

Embedded analytics and white label BI solutions, tailored for your needs.

Embedded BI
 
NEW
IoT

Build, deploy, and scale IoT solutions for connected businesses.

IoT
 
DataPrep

AI-powered data preparation service for your data-driven organization.

DataPrep

IoT

 
NEW
IoT

Low-code IoT platform and solutions for connected businesses.

IoT

Search Result

 
CRM Plus

Unified platform to deliver top-notch customer experience.

Try now
CRM Plus
 
Service Plus

Unified platform for customer service and support teams.

Try now
Service Plus
 
Finance Plus

All-in-one suite to manage your operations and finances.

Try now
Finance Plus
 
People Plus

Comprehensive HR platform for seamless employee experiences.

Try now
People Plus
 
Workplace

Application suite built to improve team productivity and collaboration.

Try now
Workplace
 
Marketing Plus

Unified marketing platform for marketing teams.

Try now
Marketing Plus
 
All-in-one suite

Zoho One

The Operating System for Business

Run your entire business on Zoho with our unified cloud software, designed to help you break down silos between departments and increase organizational efficiency.

TRY ZOHO ONE
Zoho One
Zoho Marketplace

With over 2000 ready-to-use extensions across 40+ categories, connect your favorite business tools with the Zoho products you already use.

EXPLORE MARKETPLACE
Marketplace
Skip to main content

Email breach chronicles: The Ubiquiti exposure - a 2020 network compromise

  • Published : November 6, 2023
  • Last Updated : November 9, 2023
  • 741 Views
  • 10 Min Read

In December 2020, an employee named Nickolas Sharp, working in Ubiquiti Inc., a technology company, orchestrated a hacking and extortion campaign against the company. The former senior developer exploited vulnerabilities within the company's infrastructure and abused his access to the administrative credentials of Ubiquiti's AWS and GitHub servers. He then downloaded confidential data using the Surfshark VPN to hide his IP address and gained unauthorized access to steal sensitive information.

Leveraging this, he attempted to extort the company by demanding a substantial ransom through an email to prevent the disclosure of the stolen data, while at the time, he was also a part of the incident response team at Ubiquiti tackling the data breach. After the company refused to pay, Sharp contacted the media, posing as a whistleblower to spread misinformation about how Ubiquiti handled the security incident. The case shed light on the potential risks posed by insider threats and raised concerns about the effectiveness of Ubiquiti's security practices.

Type of attack

This incident involved different types of attacks by the perpetrator, Nickolas Sharp, such as:

  • Cybercrime (downloading gigabytes of confidential data by misusing administrative credentials, altering Ubiquiti's log retention policies and other files to conceal unauthorized activity).
  • Ransom email (sending a ransom note through email by posing as an anonymous attacker and threatening to publish stolen data).
  • Impersonation (initially being a part of the incident response team of the attack and later claiming to be an anonymous whistleblower within Ubiquiti Networks).

Timeline of events

August, 2018 - April, 2021 Nickolas Sharp worked as a senior developer at the New York City-based IoT device maker, Ubiquiti Inc.
July 7, 2020Sharp used his personal PayPal account to purchase a 27-month subscription to Surfshark VPN on multiple devices, including his cellphone and laptop.
December 9, 2020Sharp applied for a position at a technology company based in California.
December 10, 2020Sharp, through the masked IP address provided by Surfshark VPN, abused his administrative credentials to access a particular key on Ubiquiti's infrastructure. He used the key to connect to AWS and to run a command "getcalleridentity" which returned the username and account information of that AWS account.
December 21, 2020Sharp logged into Ubiquiti's GitHub infrastructure at his residence through his IP address. He used his work credentials and viewed the names of certain data repositories. One minute later, he used the Surfshark VPN to mask his true IP address and connected to GitHub through SSH by using the company's GitHub account. He executed a series of commands to clone Ubiquiti's data repositories to his computer.
December 22, 2020A temporary internet outage at Sharp's residence disrupted the encrypted tunnel connection. After a few minutes, the internet service at Sharp's residence was restored and briefly exposed his location as he logged in through his IP address. Later, he again used the Surfshark VPN to log in to the GitHub servers.

Over the next few days, Sharp cloned approximately 155 repositories from Ubiquiti through the GitHub account using the Surfshark VPN. He applied one-day lifecycle retention policies to certain logs on AWS to clear his traces within one day.
December 28, 2020Ubiquiti employees discovered the incident. Sharp concealed his role in committing the incident, and joined a team to assess the scope and damage caused by the incident and remediate its effects. He made numerous false statements to fellow employees and agents to evade detection.
January 07, 2021The employees received a ransom email from the perpetrator, Sharp. The ransom email, which was sent through an IP address associated with Surfshark VPN, demanded a payment of 25 Bitcoin to return the stolen data and not to publish it. He further demanded another 25 Bitcoin to disclose the security vulnerabilities of the data breach.
January 09, 2021At 11:57 pm, approximately three minutes before the ransom deadline, Sharp sent a message on Keybase to an employee, with a link to a public Keybase folder. The folder contained Ubiquiti's stolen proprietary data for public access.
January 29, 2021Sharp wiped and reset the laptop he used to perpetrate the incident.
March 04, 2021Agents from the FBI executed a search warrant on Sharp's residence and seized certain electronic devices. Sharp made numerous false statements to FBI agents.
Several days later, claiming to be an anonymous whistleblower within Ubiquiti Networks, Sharp provided an investigative journalist with false information, claiming that an anonymous hacker had gained root administrator access to Ubiquiti’s AWS accounts. He also revealed that the data breach was "catastrophic" and its impact was "downplayed" by Ubiquiti.
March 30-31, 2021Following the publication of the news, the company's stock prices fell approximately 20%, losing over $4 billion in market capitalization.
December 2021Sharp was arrested and charged with data theft and extortion. Internal investigations revealed that the temporary internet outage at Sharp's residence disrupted the encrypted tunnel connection and briefly exposed his location. The investigation also showed that Sharp used his privileges to exfiltrate customer data from his employer's systems.
February 2023After Sharp repeatedly tried to mislead FBI investigators, the former Ubiquiti employee pleaded guilty to the following crimes:
  1. Transmitting a program to a protected computer that intentionally caused damage.
  2. Wire fraud.
  3. Making false statements to the FBI.

Initial publication

In January 2021, the Ubiquiti team published a notification revealing one of its third-party providers suffered a data breach.

Sharp acted as an anonymous whistleblower within Ubiquiti and provided information to cybersecurity blogger, Brian Krebs, claiming Ubiquiti “massively downplayed” an incident that was actually “catastrophic,” in an effort to minimize the impact on its value on the stock market. This news was later deleted after the actual picture of the incident came to light.

Following this, Ubiquiti released another statement to provide more information but noted that it cannot comment further due to an ongoing law enforcement investigation.

Geographical spread

The attack was aimed only at Ubiquiti, but, fortunately, did not affect customers living across the US. Though the impact of the attack did not directly affect various countries, it had a significant impact on the company's stock price. Following the perpetrator's whistle-blowing episode, Ubiquiti's stock price fell roughly 20% from $349 on March 30 to $290 on April 1, 2021.

Attack vectors

The following were the attack vectors in this incident:

  • Surfshark VPN
  • Ubiquiti's AWS accounts
  • Ubiquiti's GitHub accounts

Using Surfshark VPN, the perpetrator masked his identity to access AWS via a privileged user account, moved across the company’s cloud environment, and proceeded to clone gigabytes of data repositories from GitHub.

Vulnerability exploited

The perpetrator exploited his standing privileges to an unmonitored and uncontrolled AWS account. Lack of session monitoring and authentication methods, like MFA, assisted the user to easily access Ubiquiti's AWS.

Motive

Since the perpetrator had applied for a job to another company prior to the incident, the main motive of the perpetrator could be seen as an insider threat aiming to tarnish the image and reputation of Ubiquiti Inc. The other motive could be to extract money, as he demanded a ransom of 50 Bitcoins from the company.

Forensic analysis

1. Lack of visibility and control:

  • Ubiquiti Inc. had a significant gap in visibility and control over their cloud environments.
  • This allowed certain users to have perpetual access or standing privileges to critical administrator credentials, posing a vulnerability that was exploited by the intruder.

2. Exploitation of vulnerability:

  • The attacker took advantage of the aforementioned vulnerability by leveraging Surfshark VPN to log into Ubiquiti's AWS servers.
  • By utilizing Surfshark VPN, the intruder aimed to mask their true identity and evade detection.

3. Data exfiltration via GitHub:

  • Once inside Ubiquiti's systems, the perpetrator proceeded to download gigabytes of data from the company's GitHub repositories.
  • This unauthorized access and exfiltration compromised sensitive information and intellectual property.

4. Temporary internet outage reveals real IP address:

  • During the process of data exfiltration, an unforeseen temporary internet outage occurred.
  • This interruption inadvertently revealed the true IP address being used by the perpetrator to access Ubiquiti's systems, instead of the intended Surfshark VPN.

5. Identification of perpetrator:

  • The FBI conducted an investigation to trace the revealed IP address.
  • The investigation ultimately identified the IP address as belonging to Sharp, linking him to the security breach.

6. Surfshark VPN and PayPal account connection:

  • Further investigation by the FBI revealed that the Surfshark VPN subscription used in the breach was purchased with a PayPal account registered to Sharp.
  • This provided additional evidence linking Sharp to the illegal activities.

Incident detection

Several days after the perpetrator cloned the GitHub repositories, employees in Ubiquiti noticed the intruder had set up multiple Linux virtual machines with networking connectivity to AWS databases. Upon closer examination, they found a backdoor to their infrastructure that led to the exfiltration of data by the intruder.

Data breach

According to an email sent by Ubiquiti to its customers, the company revealed that the data could contain the customers' names, email addresses, mobile numbers, addresses, and one-way encrypted passwords.

Mitigation

Following the attack, Ubiquiti started investigating and found out the hacker had root privilege over all Ubiquiti AWS accounts, including S3 data buckets, application logs, databases, user credentials, and the secrets to forge single sign-on cookies. Ubiquiti also identified a backdoor in their infrastructure that led to the exfiltration of data by the intruder. They managed to remove that in the subsequent week. 

Ubiquiti later issued a notification acknowledging the data breach and advised its users to perform the following actions:

  • Change their Ubiquiti account's password and to change the password(s) for any other account where they have used the same credentials.
  • Enable two-factor authentication.

Some other actions that users could have performed to mitigate the attack:

  • Reset 2FA, if it had already been enabled, by disabling and enabling it again. Generate new backup codes by entering the 2FA token and saving them in a secure location.
  • Disable remote access to Ubiquiti's cloud as it gives extra safety to user's data if it gets compromised.

Following the whistleblower's false claims that the hacker had acquired root administrator access to Ubiquiti's accounts, the company shared the actual details of the security breach and provided clear and factual rebuttals to the false claims made by the whistleblower. In March 2022, Ubiquiti filed a lawsuit against security researcher Brian Krebs, alleging defamation for his reporting on their security issues.

Collaborative efforts

Ubiquiti worked with several third-party incident response experts, conducted a thorough investigation, and ensured the attacker was locked out of the systems. The third-party experts revealed that there was no clear evidence of the attacker trying to access or target customer information.

Ubiquiti also collaborated with the FBI to identify the perpetrator behind the breach. FBI agents executed a search warrant at Sharp’s residence in Portland, Oregon, and seized certain electronic devices belonging to him. His purchase of the Surfshark VPN for personal use also came to light.

Legal and regulatory implications

Sharp faced an indictment in federal court in Manhattan with four criminal counts charged against him.

  • Computer fraud and abuse - Intentionally damaging protected computers
  • Transmission of interstate communications with intent to extort
  • Wire fraud
  • Making false statements

In January 2023, Sharp pleaded guilty to one count of transmitting a program to a protected computer that intentionally caused damage, one count of wire fraud, and one count of making false statements to the FBI.

In March 2022, Ubiquiti filed a lawsuit against industry blogger Brian Krebs for $425,000 in damages for allegedly falsely accusing the company of “covering up” a cyberattack and misleading the public. Ubiquiti claimed that they promptly undertook the crucial step of notifying its customers about the security breach, emphasizing the importance of implementing additional security measures to safeguard their sensitive information. Furthermore, Ubiquiti diligently fulfilled its obligation to inform the public by including the incident details in its subsequent filing with the Securities and Exchange Commission (SEC). Both parties resolved their dispute outside court in September 2022.

In May 2023, Sharp was sentenced to six years in prison, three years of supervised release, and ordered to pay restitution of $1,590,487.

Lessons learned

Following the data breach caused by the criminal actions of Sharp, there were plenty of lessons to be learned.

  • Standing privilege access risks
    The data breach of Ubiquiti Inc. was primarily due to the standing privilege access of the company's AWS accounts to Sharp. Having standing privilege access meant Sharp had high levels of access to administrator credentials 24/7/365, which he then misused to move laterally across the network and clone sensitive data from GitHub servers. This standing access increases an organization's attack surface area that can be misused by malicious insiders and other threat actors.
     
  • Least privilege access and its limitations
    Least privilege access is a concept that certain privilege access management tools offer, by which only specific permissions are granted to a user to perform a task or job. Though this reduces the privilege access given to users by reducing the attack surface area, it still does not reduce the blast radius once the user is inside.
     
  • Zero standing privileges (ZSP)
    Zero standing privileges, a core principle of the zero trust security model, offers a solution to address the limitations of least privilege access. ZSP aims at limiting access to sensitive data by removing all permanent user access permissions through a just-in-time access. With ZSP, user access is temporary and automatically revoked once the assigned task or time limit expires, minimizing the potential for unauthorized access and damage.

    In Ubiquiti's case, if the organization had zero standing privileges, Sharp would not have been able to use his employee access because the access tied to his user would be temporary, and consequently wouldn't have access to any other applications or data to cause damage.

    Organizations can learn from Ubiquiti's security breach and proactively enforce ZSP to restrict bad actors from accessing critical applications and data.

 


This article is co-authored by Sandeep Kotla and Vignesh S.

Sandeep is an accomplished inbound marketer at Zoho Corporation, specializing in digital workplace strategies, digital transformation initiatives, and enhancing employee experiences. Previously, he handled analyst relations and corporate marketing for Manage Engine (a division of Zoho Corp) and its suite of IT management products. He currently spends most of his time re-imagining and writing about how work gets done in large organizations, reading numerous newsletters, and Marie Kondo-ing his inbox.

Vignesh works as a Marketing Analyst at Zoho Corporation, specializing in content initiatives and digital workplace strategies. He's a passionate creator with a penchant for marketing and growth. In his free time, you can see him shuffling between books, movies, music, sports, and traveling, not necessarily in the same order.

Related Topics

Leave a Reply

Your email address will not be published. Required fields are marked

The comment language code.
By submitting this form, you agree to the processing of personal data according to our Privacy Policy.

You may also like