Ubiquiti All But Confirms Breach Response Iniquity

For four days this past week, Internet-of-Things giant Ubiquiti did not respond to requests for comment on a whistleblower’s allegations that the company had massively downplayed a “catastrophic” two-month breach ending in January to save its stock price, and that Ubiquiti’s insinuation that a third party was to blame was a fabrication. I was happy to add their eventual public response to the top of Tuesday’s story on the whistleblower’s claims, but their statement deserves a post of its own because it actually confirms and reinforces those claims.

Ubiquiti’s IoT gear includes things like WiFi routers, security cameras, and network video recorders. Their products have long been popular with security nerds and DIY types because they make it easy for users to build their own internal IoT networks without spending many thousands of dollars.

But some of that shine started to come off recently for Ubiquiti’s more security-conscious customers after the company began pushing everyone to use a unified authentication and access solution that makes it difficult to administer these devices without first authenticating to Ubiquiti’s cloud infrastructure.

All of a sudden, local-only networks were being connected to Ubiquiti’s cloud, giving rise to countless discussion threads on Ubiquiti’s user forums from customers upset over the potential for introducing new security risks.

And on Jan. 11, Ubiquiti gave weight to that angst: It told customers to reset their passwords and enable multifactor authentication, saying a breach involving a third-party cloud provider might have exposed user account data. Ubiquiti told customers they were “not currently aware of evidence of access to any databases that host user data, but we cannot be certain that user data has not been exposed.”

Ubiquiti’s notice on Jan. 12, 2021.

On Tuesday, KrebsOnSecurity reported that a source who participated in the response to the breach said Ubiquiti should have immediately invalidated all credentials because all of the company’s key administrator passwords had been compromised as well. The whistleblower also said Ubiquiti never kept any logs of who was accessing its databases.

The whistleblower, “Adam,” spoke on condition of anonymity for fear of reprisals from Ubiquiti. Adam said the place where those key administrator credentials were compromised — Ubiquiti’s presence on Amazon’s Web Services (AWS) cloud services — was in fact the “third party” blamed for the hack.

From Tuesday’s piece:

“In reality, Adam said, the attackers had gained administrative access to Ubiquiti’s servers at Amazon’s cloud service, which secures the underlying server hardware and software but requires the cloud tenant (client) to secure access to any data stored there.

“They were able to get cryptographic secrets for single sign-on cookies and remote access, full source code control contents, and signing keys exfiltration,” Adam said.

Adam says the attacker(s) had access to privileged credentials that were previously stored in the LastPass account of a Ubiquiti IT employee, and gained root administrator access to all Ubiquiti AWS accounts, including all S3 data buckets, all application logs, all databases, all user database credentials, and secrets required to forge single sign-on (SSO) cookies.

Such access could have allowed the intruders to remotely authenticate to countless Ubiquiti cloud-based devices around the world. According to its website, Ubiquiti has shipped more than 85 million devices that play a key role in networking infrastructure in over 200 countries and territories worldwide.
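The passage above explains why stolen signing secrets are so serious: a cookie minted with the real secret is indistinguishable from one the SSO service issued, so the only remedy is to retire the key and refuse everything signed before the rotation, which is exactly the forced invalidation the whistleblower says was overruled. The following is an added illustration written for this post, not Ubiquiti's code; the cookie format, the `kid`/`iat` fields, the key names and the constructed timestamps and secrets are all assumptions.

```python
"""Signed SSO cookies: a leaked signing secret lets anyone mint a valid cookie
for any account, and only key rotation plus an issue-time cutoff revokes them.
Hypothetical illustration; the format and field names are assumptions."""
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional


def _b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_cookie(secret: bytes, kid: str, user: str, issued_at: int) -> str:
    """Mint a cookie as base64(payload).base64(HMAC-SHA256(secret, payload))."""
    payload = json.dumps({"kid": kid, "user": user, "iat": issued_at},
                         sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(secret, payload, hashlib.sha256).digest()
    return f"{_b64e(payload)}.{_b64e(mac)}"


class CookieVerifier:
    """Server-side verifier holding the currently trusted signing keys by key id."""

    def __init__(self, keys: Dict[str, bytes], not_before: int = 0):
        self.keys = dict(keys)          # kid -> secret
        self.not_before = not_before    # reject anything issued before this time

    def rotate(self, new_kid: str, new_secret: bytes, now: int) -> None:
        """Incident response for a suspected secret compromise: retire every old
        key and refuse cookies issued before the rotation. Forged cookies are
        indistinguishable from real ones, so legitimate sessions go with them."""
        self.keys = {new_kid: new_secret}
        self.not_before = now

    def verify(self, cookie: str) -> Optional[str]:
        """Return the authenticated user, or None if the cookie is rejected."""
        try:
            payload_b64, mac_b64 = cookie.split(".", 1)
            payload = _b64d(payload_b64)
            claims = json.loads(payload)
            secret = self.keys.get(claims.get("kid"))
            if secret is None:
                return None                      # unknown or retired key id
            expected = hmac.new(secret, payload, hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _b64d(mac_b64)):
                return None                      # wrong key or tampered payload
            if int(claims.get("iat", 0)) < self.not_before:
                return None                      # issued before the rotation cutoff
            return claims["user"]
        except (ValueError, KeyError, TypeError, AttributeError):
            return None


def demo() -> Dict[str, Optional[str]]:
    """Walk through compromise and rotation; all secrets and times are constructed."""
    old_secret = b"constructed-signing-secret-v1"
    new_secret = b"constructed-signing-secret-v2"
    verifier = CookieVerifier({"v1": old_secret})
    results: Dict[str, Optional[str]] = {}

    legit = sign_cookie(old_secret, "v1", "alice", issued_at=1_610_000_000)
    results["legit_before_rotation"] = verifier.verify(legit)

    # With the secret leaked, a cookie for any account verifies like a real one.
    forged = sign_cookie(old_secret, "v1", "root-admin", issued_at=1_610_000_100)
    results["forged_before_rotation"] = verifier.verify(forged)

    # Without the secret, swapping the payload under a real MAC still fails.
    tampered = (sign_cookie(old_secret, "v1", "mallory", 1_610_000_000).split(".")[0]
                + "." + legit.split(".")[1])
    results["tampered_without_secret"] = verifier.verify(tampered)

    # Rotate the key and cut off every earlier issue time.
    verifier.rotate("v2", new_secret, now=1_611_000_000)
    results["legit_after_rotation"] = verifier.verify(legit)
    results["forged_after_rotation"] = verifier.verify(forged)
    results["fresh_after_rotation"] = verifier.verify(
        sign_cookie(new_secret, "v2", "alice", issued_at=1_611_000_050))
    # The stolen secret cannot sign for the new key id either.
    results["old_secret_new_kid"] = verifier.verify(
        sign_cookie(old_secret, "v2", "root-admin", issued_at=1_611_000_060))
    return results


if __name__ == "__main__":
    for name, user in demo().items():
        print(f"{name:28s} -> {user}")
```

The `not_before` cutoff is what turns a key rotation into a revocation: once the secret has been copied, no verifier can tell an attacker's cookie from a user's, so every session signed before the rotation has to be treated as suspect and re-authenticated.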

Ubiquiti finally responded on Mar. 31, in a post signed “Team UI” on the company’s community forum online.

“Nothing has changed with respect to our analysis of customer data and the security of our products since our notification on January 11. In response to this incident, we leveraged external incident response experts to conduct a thorough investigation to ensure the attacker was locked out of our systems.”

“These experts identified no evidence that customer information was accessed, or even targeted. The attacker, who unsuccessfully attempted to extort the company by threatening to release stolen source code and specific IT credentials, never claimed to have accessed any customer information. This, along with other evidence, is why we believe that customer data was not the target of, or otherwise accessed in connection with, the incident.”

Ubiquiti’s response this week on its user forum.

Ubiquiti also hinted it had an idea of who was behind the attack, saying it has “well-developed evidence that the perpetrator is an individual with intricate knowledge of our cloud infrastructure. As we are cooperating with law enforcement in an ongoing investigation, we cannot comment further.”

Ubiquiti’s statement largely confirmed the reporting here by not disputing any of the facts raised in the piece. And while it may seem that Ubiquiti is quibbling over whether data was in fact stolen, Adam said Ubiquiti can say there is no evidence that customer information was accessed because Ubiquiti failed to keep logs of who was accessing its databases.

“Ubiquiti had negligent logging (no access logging on databases) so it was unable to prove or disprove what they accessed, but the attacker targeted the credentials to the databases, and created Linux instances with networking connectivity to said databases,” Adam wrote in a whistleblower letter to European privacy regulators last month. “Legal overrode the repeated requests to force rotation of all customer credentials, and to revert any device access permission changes within the relevant period.”

It appears investors noticed the incongruity as well. Ubiquiti’s share price hardly blinked at the January breach disclosure. On the contrary, from Jan. 13 to Tuesday’s story its stock had soared from $243 to $370. By the end of trading day Mar. 30, UI had slipped to $349. By close of trading on Thursday (markets were closed Friday) the stock had fallen to $289.

RPA market surges as investors, vendors capitalize on pandemic-driven tech shift

When UIPath filed its S-1 last week, it was a watershed moment for the robotic process automation (RPA) market. The company, which first appeared on our radar for a $30 million Series A in 2017, has so far raised an astonishing $2 billion while still private. In February, it was valued at $35 billion when it raised $750 million in its latest round.

RPA and process automation came to the fore during the pandemic as companies took steps to digitally transform. When employees couldn’t be in the same office together, it became crucial to cobble together more automated workflows that required fewer people in the loop.

When UIPath raised money in 2017, RPA was not well known in enterprise software circles even though it had already been around for several years. The category was gaining in popularity by that point because it addressed automation in a legacy context. That meant companies with deep legacy technology — practically everyone not born in the cloud — could automate across older platforms without ripping and replacing, an expensive and risky undertaking that most CEOs would rather not take.

RPA has enabled executives to provide a level of workflow automation, a taste of the modern. It essentially buys them time to update systems to more modern approaches while reducing the large number of mundane manual tasks that are part of just about every industry’s workflow.

While some people point to RPA as job-elimination software, it also provides a way to liberate people from some of the most mind-numbing and mundane chores in the organization. The argument goes that this frees up employees for higher-level tasks.

As an example, RPA could take advantage of older workflow technologies like OCR (optical character recognition) to read a number from a form, enter the data in a spreadsheet, generate an invoice, send it for printing and mailing, and generate a Slack message to the accounting department that the task has been completed.

We’re going to take a deep dive into RPA and the larger process automation space — explore the market size and dynamics, look at the key players and the biggest investors, and finally, try to chart out where this market might go in the future.

Meet the vendors

UIPath is clearly an RPA star with a significant market share lead of 27.1%, according to IDC. Automation Anywhere is in second place with 19.4%, and Blue Prism is third with 10.3%, based on data from IDC’s July 2020 report, the last time the firm reported on the market.

Two other players with significant market share worth mentioning are WorkFusion with 6.8%, and NTT with 5%.

The Good, the Bad and the Ugly in Cybersecurity – Week 14

The Good

This week, we saw another victory for law enforcement against the evil lurking in the deep, dark web, or to be more specific, the DeepDotWeb. This past Wednesday, the United States Department of Justice announced a guilty plea from one Tal Prihar. The Israeli citizen, who is currently residing in Brazil, has been identified as a co-owner and co-operator of the DeepDotWeb website.

The site was arguably the most popular hub for dark web market news, market statuses, links and more. Operated by Prihar and another individual, Michael Phan, the site took nearly $8 million by providing direct and referral links to other sites selling illicit goods.

As a result of the referrals, other highly successful marketplaces would provide a payment (kickback) to Prihar and Phan. These markets specialized in the peddling of automatic weapons, malware and exploits, along with pharmaceuticals and hard drugs, and included notorious dark web sites such as Dream Market, Valhalla, Abraxas, Agora and Alpha Bay. As such sites aren’t indexed by search engines and consequently are difficult to find, DeepDotWeb effectively provided an entry point for internet users to discover sources of illicit trade.

In order to obfuscate the trail of Bitcoin payments received for their referrals, Phan and Prihar laundered the funds through bank accounts for shell corporations, as well as crypto wallet anonymizer services.

Both individuals have pleaded guilty to conspiracy to commit money laundering and each faces a maximum sentence of 20 years. This is a significant law enforcement victory, and one of the more significant takedowns in dark web history!

The Bad

This week more details emerged of a recent malware campaign called BazarCall. From the name, you might guess that BazarLoader will appear somewhere in the infection chain, and you would be correct. However, the actual delivery of the desired payload takes a somewhat roundabout trip towards its intended targets and is coordinated via a threat-actor-controlled call center.

The BazarCall campaign begins with a spray of phishing emails to corporate addresses that entice the recipient to phone a call center in order to complete the cancellation process for a fictitious subscription.

When the victim calls the number provided, they are asked for a unique ID contained in the phishing email. This ID lets the person on the other end of the line determine whether the caller is truly part of the targeted organization. If they are, the user is instructed to visit a specific, malicious web page to proceed with the process.

At this point, the victim is prompted to download and open a maliciously crafted MS Office document. Under the right conditions, opening this document leads to the installation of the BazarLoader malware, which itself may be a precursor to threats like TrickBot, Ryuk, Conti or IcedID.

This shows us (once again) just how far the threat actors behind modern malware are willing to go to further their cause and maximize their footprint. Fully staffing a call center focused on intake for high-volume phishing attacks is somewhat impressive for a non-nation-state actor. Researchers believe that the call center infrastructure may be operating as a distribution-for-hire service for multiple clients, and it’s quite possible that we will see other malware strains take advantage of this novel and apparently quite effective distribution method.

The Ugly

The last year has been monumental when it comes to historic data breaches. Of late, names like SolarWinds and Accellion have taken on a much darker connotation than those companies would prefer. In fact, for many people in the security industry, those two incidents are going to fully occupy their time for many months ahead. This week the pain continues as one of the world’s largest corporations, Royal Dutch Shell, has seen its data leaked on the internet by the FIN11 hacking group after being affected by the recently discovered vulnerabilities in Accellion’s FTA.

The leaked data reportedly included “passport copies, an evaluation report and a document written in Hungarian” and was found on a dark net website associated with Clop ransomware leaks.

The attackers were reportedly able to access “various files during a limited window of time,” and other stolen files reportedly could contain personal data and sensitive data from Shell subsidiaries and stakeholders.

Only time will tell what the real ramifications are, but this is yet another example of how one small chink in the supply chain can result in disastrous costs for any enterprise.

We encourage all to review their environments, and ensure that they have full visibility into the various applications and services running and exposed. It may not always be easy to patch or update resources, but weighing the cost between that and disaster recovery, there is always incentive to patch. This is especially true in the current threat landscape where criminals are taking advantage of any new vulnerability in nearly no time at all.

For the latest information on these vulnerabilities, please see Accellion’s website and statement.


New KrebsOnSecurity Mobile-Friendly Site

Dear Readers, this has been long overdue, but at last I give you a more responsive, mobile-friendly version of KrebsOnSecurity. We tried to keep the visual changes to a minimum and focus on a simple theme that presents information in a straightforward, easy-to-read format. Please bear with us over the next few days as we hunt down the gremlins in the gears.

We were shooting for responsive (fast) and uncluttered. Hopefully, we achieved that and this new design will render well in whatever device you use to view it. If something looks amiss, please don’t hesitate to drop a note in the comments below.

NB: KrebsOnSecurity has not changed any of its advertising practices: The handful of ads we run are still image-only creatives that are vetted by me and served in-house. If you’re blocking ads on this site, please consider adding an exception here. Thank you!

PingPong is a video chat app for product teams working across multiple time zones

From the earliest days of the pandemic, it was no secret that video chat was about to become a very hot space.

Over the past several months investors have bankrolled a handful of video startups with specific niches, ranging from always-on office surveillance to platforms that encouraged plenty of mini calls to avoid the need for more lengthy team-wide meetings. As the pandemic wanes and plenty of startups begin to look toward hybrid office models, there are others who have decided to lean into embracing a fully remote workforce, a strategy that may require new tools.

PingPong, a recent launch from Y Combinator’s latest batch, is building an asynchronous video chat app for the workplace. We selected PingPong as one of our favorite startups that debuted last week.

The company’s central sell is that for remote teams, there needs to be a better alternative to Slack or email for catching up with co-workers across time zones. While Zoom calls might be able to convey a company’s culture better than a post in a company-wide Slack channel, for fully remote teams operating on different continents, scheduling a company-wide meeting is often a nonstarter.

PingPong is selling its service as an addendum to Slack that helps remote product teams collaborate and convey what they’re working on. Users can capture a short video of themselves and share their screen in lieu of a standup presentation, and then they can get caught up on each other’s progress on their own time. PingPong’s hope is that users find more value in brainstorming, conducting design reviews, reporting bugs and more while using asynchronous video than they would with text.

“We have a lot to do before we can replace Slack, so right now we kind of emphasize playing nice with Slack,” PingPong CEO Jeff Whitlock tells TechCrunch. “Our longer-term vision is that what young people are doing in their consumer lives, they bring into the enterprise when they graduate into the workforce. You and I were using Instant Messenger all the time in the early 2000s and then we got to the workplace, that was the opportunity for Slack… We believe in the next five or so years, something that’s a richer, more asynchronous video-based Slack alternative will have a lot more interest.”

Building a chat app specifically designed for remote product teams operating in multiple time zones is a tight niche for now, but Whitlock believes that this will become a more common problem as companies embrace the benefits of remote teams post-pandemic. PingPong costs $100 per user per year.

Celonis announces significant partnership with IBM to sell its process mining software

Before you can improve a workflow, you have to understand how work advances through a business, which is more complex than you might imagine inside a large enterprise. That’s where Celonis comes in. It uses software to identify how work moves through an organization and suggests more efficient ways of getting the same work done, a practice known as process mining.

Today, the company announced a significant partnership with IBM under which IBM Global Services will train 10,000 consultants worldwide on Celonis. The deal gives Celonis, a company with around 1,200 employees, access to the massive selling and consulting unit, while IBM gets a deep understanding of a piece of technology that is at the front end of the workflow automation trend.

Miguel Milano, chief revenue officer at Celonis, says that digitizing processes has been a trend for several years. It has sped up due to COVID, and that’s partly why the two companies have decided to work together. “Intelligent workflows, or more broadly spoken workflows built to help companies execute better, are at the heart of this partnership and it’s at the heart of this trend now in the market,” Milano said.

The other part of this is that IBM now owns Red Hat, which it acquired in 2018 for $34 billion. The two companies believe that by combining the Celonis technology, which is cloud based, with Red Hat, which can span the hybrid world of on premises and cloud, the two together can provide a much more powerful solution to follow work wherever it happens.

“I do think that moving the [Celonis] software into the Red Hat OpenShift environment is hugely powerful because it does allow in what’s already a very powerful open solution to now operate across this hybrid cloud world, leveraging the power of OpenShift which can straddle the worlds of mainframe, private cloud and public cloud. And data straddle those worlds, and will continue to straddle those worlds,” Mark Foster, senior vice president at IBM Services explained.

You might think that IBM, which acquired robotic process automation vendor WDG Automation last summer, would simply attempt to buy Celonis, but Foster says the partnership is consistent with the company’s attempt to partner with a broader ecosystem.

“I think that this is very much part of an overarching focus of IBM with key ecosystem partners. Some of them are going to be bigger, some of them are going to be smaller, and […] I think this is one where we see the opportunity to connect with an organization that’s taking a leading position in its category, and the opportunity for that to take advantage of the IBM Red Hat technologies…” he said.

The companies had already been working together for some time prior to this formal announcement, and this partnership is the culmination of that. As this firmer commitment to one another goes into effect, the two companies will be working more closely to train thousands of IBM consultants on the technology, while moving the Celonis solution into Red Hat OpenShift in the coming months.

It’s clearly a big deal with the feel of an acquisition, but Milano says that this is about executing his company’s strategy to work with more systems integrators (SIs), and while IBM is a significant partner it’s not the only one.

“We are becoming an SI consulting-driven organization. So we put consulting companies like IBM at the forefront of our strategy, and this [deal] is a big cornerstone of our strategy,” he said.

mmhmm introduces usage-based enterprise accounts and a beta for Windows

mmhmm, the software that allows folks to personalize their appearance on video chat, has today announced that it’s introducing usage-based enterprise accounts.

In a conversation with TechCrunch, founder and CEO Phil Libin said this is a natural evolution, remarking that mmhmm has had hundreds of registrations from users all at the same company.

“It was clear that there was a big demand for enterprise accounts,” said Libin. “Not only for central management, to keep it as easy as possible, but also for getting everything on brand. Companies and organizations of all kinds are realizing video is a permanent part of how we’re going to do business and it needs to be on brand.”

The enterprise accounts are priced the same as individual Pro accounts, at $10/month or $100/year. However, when an organization signs up with an enterprise account, they only pay for the number of users who were active on mmhmm each month, rather than worrying about seats.

Enterprise accounts can also share design system assets built specifically for mmhmm to “stay on brand,” as Libin put it. Organizations that opt in to enterprise can also control employee accounts under one umbrella, invite via link, claim an email domain and enjoy a single bill.

Libin also gave us a glimpse into the financials of the business, explaining that while it’s too early to tell, the conversion rate to Pro accounts is outpacing that of Evernote, one of Libin’s earlier ventures.

He said that, with freemium tools like both mmhmm and Evernote, the likelihood of a user upgrading to premium grows with every month they’re on the platform. At Evernote, it was half a percent after the first month, and then five percent by the end of the first year, and after two years it would jump to 12 percent.

Obviously, mmhmm doesn’t have 24 months’ worth of data. That said, the product is doing 10x better than Evernote did.

But revenue is not the focus, according to Libin. The company is far more concerned with ensuring the onboarding process is easy for casual users and that they really understand what they can do with the platform. In the spirit of that, mmhmm is launching new interactive tutorial videos on the platform to ensure people are fully aware of the features.

mmhmm first came on the scene in the summer of last year in a closed beta, and eventually opened up to everyone who has a Mac in November 2020. Alongside the launch of enterprise, mmhmm is also launching a Windows version of the app in open beta.

Libin said that mmhmm is in a growth stage, and that after starting five different companies, he knows the biggest challenge is people.

“I’ve been in some startups now that have been through this hyper growth stage,” said Libin. “The toughest thing at this stage is getting people, keeping people from burning out, and doing career development. This is my fifth startup, so I’m trying to demonstrate some learning behavior and apply lessons learned from previous mistakes. We’ll see how it goes.”

Editor’s Note: An earlier version of this article incorrectly stated that mmhmm was introducing Windows in a closed beta. It has been updated for accuracy. 

Kintent nabs $4M seed to automate compliance questionnaire process

Every tech vendor has to pass security muster with customers, typically a tedious activity involving answering long questionnaires. Kintent, a new startup that wants to automate this process, announced a $4 million seed today led by Tola Capital with help from a bunch of tech industry angel investors.

After company co-founder and CEO Sravish Sridhar sold his previous startup Kinvey, which provided Backend as a Service to mobile app developers, he took a couple of years off while he decided what to do next. The sale to Progress Software in 2017 gave him that luxury.

He knew first-hand from his experience at Kinvey that companies like his had to adhere to a lot of compliance standards, and the idea for the next company began to form in his head. He wanted to create a new startup that could make it easier to figure out how to become compliant with a given standard, measure the current state of compliance and get recommendations on how to improve. He created Kintent to achieve that goal.

“So the big picture idea is can we build a system of record for trust and our first use case is information security and data privacy compliance, specifically if you’re a company that is building a SaaS business and you’re storing customer data or PHI, which is health information,” Sridhar explained.

The company’s product is called Trust Cloud. He says that they begin by surveying the lay of your technology land in terms of systems and the types of information you are storing, looking at how compliant each system is with whatever standard you are trying to adhere to.

Then based on how you classify your data, the Trust Cloud generates a list of best practices to stay in compliance with your desired standard, and finally it provides the means to keep testing to validate what you’ve done and that you are remaining in compliance.

The company launched in 2019, spent the first part of 2020 developing the product, and began selling it last October. Today, it has 35 paying customers. “We’re in the high six figures in revenue. We’ve been growing at about 20-30% month-over-month consistently since we launched in October, and the customers are across 11 verticals already,” he said.

With 14 employees and some money in the bank from this funding round, he is thinking ahead to adding people. He says that diversity has to be more than something you just talk about, and he has made it one of the core founding values of the company, and one he takes very seriously.

“I’m very conscious with every hire that we make that we’re really pushing to extend ourselves to [find] people from different walks of life, different statuses and so on,” he said.

The company is also working on a DEI component for the Trust Cloud, which it will offer for free. It enables companies to provide a set of diversity metrics to measure against and then report on how well they are doing and how they can improve their numbers.