@Leo have you changed your password?
Adam says the attacker(s) had access to privileged credentials that were previously stored in the LastPass account of a Ubiquiti IT employee, and gained root administrator access to all Ubiquiti AWS accounts, including all S3 data buckets, all application logs, all databases, all user database credentials, and secrets required to forge single sign-on (SSO) cookies.
Sheesh, sounds like they had the keys to the kingdom. Least privilege model is hard, especially with your IT staff. Really crummy to read about this kind of behavior from UI on the policy side, if true.
I wonder what that means: “…previously stored in the LastPass account…”? Did the employee copy them out of LP to a plaintext file? Or were they somehow pulled from LP?
Here’s Ars Technica’s take on the deets: