The target: Ubiquiti, a major vendor of cloud-enabled networking devices.
The take: Source code, customer data, and cryptographic secrets which would enable remote access to both professional and consumer-grade customer devices.
The attack vector: The attackers gained control of administrative credentials stored on an IT employee’s LastPass account. With these in hand, the threat actors gained high-level access to Ubiquiti Amazon Web Services accounts, including database storage servers, application logs, and user credentials. Multiple backdoor accounts were reportedly created. A whistleblower alleged that due to an absence of database access logging, Ubiquiti were unable to confirm which records had been accessed, by whom, and when.
While use of password vaults and privileged account management tools are absolutely a best practice, these tools can only be as secure as the authentication measures enforced upon them. Complex, unique passwords in addition to two-factor authentication should be in place wherever possible to protect privileged credentials and management consoles.
Additionally – comprehensive logging practices are critical to the reconstruction of events when investigating a breach, and the absence thereof can severely limit a firm’s the ability to determine the full scope of the attack.