Lessons from Ubiquiti breach: Advice on protecting admin user accounts
Recently, Ubiquiti, which has shipped more than 85 million cloud-enabled Internet of Things (IoT) devices such as routers, network video recorders and security cameras in over 200 countries, got hacked. The hacker gained root administrator access to all Ubiquiti AWS accounts, including all S3 data buckets, all application logs, all databases, all user database credentials, and the secrets required to forge single sign-on (SSO) cookies, which basically means the hackers have the credentials to remotely access customers' IoT systems.
According to one of the security engineers who helped the company respond to the breach, such massive privileged access to Ubiquiti resources became possible because the hackers got access to privileged admin credentials that were stored in LastPass.
It’s unclear whether the employee’s LastPass account had two-factor authentication (2FA) enabled.
Gaining access to “all AWS accounts” means that the root AWS account was also compromised – likely because it didn’t have 2FA enabled either.
If these were the reasons, it again demonstrates engineers choosing (or being forced to choose) convenience over security. Hence Zero Trust, and specifically its least privilege access model, in which access to resources is granted to identities on the basis of actual need, is something the IT industry should embrace.
In relation to hacks of a similar nature, I'd also like to emphasize that at least admin-level user accounts should be protected by an IP firewall, which gives the following benefits:
- Even if the credentials are compromised and 2FA is broken, hackers still cannot gain access to the system unless their requests are routed through the white-listed networks (the list of which should be very small, at least for admin user accounts).
- A security event notification system (at least by email) accompanying the firewall will notify you when a non-white-listed IP attempts to gain access, which immediately alerts you to a potential leak of the credentials.
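A minimal sketch of the admin IP firewall described above, as an added example (not code from the original post and not ASPSecurityKit's API). The class and field names, the allow-listed ranges (documentation prefixes) and the in-memory event list standing in for email notifications are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed allow-list using documentation ranges (RFC 5737 / RFC 3849).
ADMIN_ALLOWLIST = [ipaddress.ip_network(n)
                   for n in ("203.0.113.0/28", "2001:db8:10::/64")]


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class AdminIpFirewall:
    allowlist: list
    events: list = field(default_factory=list)  # stand-in for an email/alert queue

    @staticmethod
    def _normalise(raw_ip):
        """Parse the peer address; return None if it is not a valid IP."""
        try:
            ip = ipaddress.ip_address(raw_ip.strip())
        except ValueError:
            return None
        # Treat ::ffff:a.b.c.d as the IPv4 address it wraps, so a dual-stack
        # listener does not cause false denials for allow-listed IPv4 networks.
        return getattr(ip, "ipv4_mapped", None) or ip

    def check(self, user, is_admin, remote_ip):
        """Run after password and 2FA have already succeeded.

        remote_ip must be the connection's peer address (or a header set by
        a proxy you control), never a value the client can choose freely.
        """
        if not is_admin:
            return Decision(True, "not an admin account")
        ip = self._normalise(remote_ip)
        if ip is not None and any(
            ip in net for net in self.allowlist if net.version == ip.version
        ):
            return Decision(True, "admin from allow-listed network")
        # Valid admin credentials from an unexpected network suggest a
        # credential leak: fail closed and raise a security event.
        self.events.append(
            {"type": "admin_login_blocked", "user": user, "ip": remote_ip}
        )
        return Decision(False, "admin source IP not allow-listed")
```

Because the check runs after authentication succeeds, every entry in `events` represents someone holding working admin credentials outside the expected networks, which is the signal worth emailing about.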
How can ASPSecurityKit help?
- ASPSecurityKit provides an IP firewall feature as part of the security pipeline for your web applications and API services, which works on all kinds of identities, including API keys and users. You can see it in action in the SuperFinance demo video, read about it in the related tutorial, or try it out on the live demo.
- Email notifications for several security events.
- A full implementation of a simple 2FA workflow is also provided as part of the source packages; it works on ASPSecurityKit's MFA feature.
Build Zero Trust thinking for software development
Because Zero Trust is not just an approach; it’s a mindset.
You can also develop this mindset by going through the hands-on tutorials from the Zero Trust Thinking (ZTT) series. ZTT is brought to you by ASPSecurityKit, the first true security framework for ASP.NET and ServiceStack built from scratch on the Zero Trust model.
Looking for an expert team to build a reliable and secure software product? Or, seeking expert security guidance, security review of your source code or penetration testing of your application, or part-time/full-time assistance in implementation of the complete web application and/or its security subsystem?