Former Ubiquiti Employee Pleads Guilty To Attempted Extortion Scheme (theverge.com) 15
A former employee of network technology provider Ubiquiti pleaded guilty to multiple felony charges after posing as an anonymous hacker in an attempt to extort almost $2 million worth of cryptocurrency while employed at the company. From a report: Nickolas Sharp, 37, worked as a senior developer for Ubiquiti between 2018 and 2021 and took advantage of his authorized access to Ubiquiti's network to steal gigabytes worth of files from the company during an orchestrated security breach in December 2020.
Prosecutors said that Sharp used the Surfshark VPN service to hide his home IP address and intentionally damaged Ubiquiti's computer systems during the attack in an attempt to conceal his unauthorized activity. Sharp later posed as an anonymous hacker who claimed to be behind the incident while working on an internal team that was investigating the security breach. While concealing his identity, Sharp attempted to extort Ubiquiti, sending a ransom note to the company demanding 50 Bitcoin (worth around $1.9 million at that time) in exchange for returning the stolen data and disclosing the security vulnerabilities used to acquire it. When Ubiquiti refused the ransom demands, Sharp leaked some of the stolen data to the public. The FBI was prompted to investigate Sharp's home around March 24th, 2021, after it was discovered that a temporary internet outage had exposed Sharp's IP address during the security breach.
Further reading:
Ubiquiti Files Case Against Security Blogger Krebs Over 'False Accusations';
Former Ubiquiti Dev Charged For Trying To Extort His Employer.
The calls are coming from inside the house! (Score:2)
Re: (Score:1)
Re: (Score:3)
He broke the story of how Ubiquiti was hacked. Except it wasn't hacked at all, there was a (former) insider attack.
https://krebsonsecurity.com/20... [krebsonsecurity.com]
https://www.theregister.com/20... [theregister.com]
Re: (Score:3)
I thought he did hack it using insider knowledge and leverage?
Like knowing what is running what, and where the goods are, and using that from the outside VPN to actually hack it?
Such as knowing a random server that hasn't patched for log4j and others yet, then exploiting it, and knowing where to hop from there.
Re: (Score:1)
True. But let's be clear, for users of Ubiquiti products it should most definitely be considered a hack. Data should be protected full stop, if it gets compromised then someone "hacked" it, whether from inside or outside.
Btw the fact that Ubiquiti management tried to downplay the affair to users back then is another seedy aspect to the story.
Re: (Score:2)
A rogue sys admin can do lots of bad things but that is not exactly a hack. Lots of organizations are subject to damage from a rogue sys admin, most in fact.
Re: (Score:2)
> Except it wasn't hacked at all, there was a (former) insider attack
Sorry kiddo, but the definition of a computer hack (including the legal definition in this case) is nothing more than "unauthorised computer access for an illicit purpose"
The fact that it was a former employee and the method of gaining access is irrelevant. The only person's reputation stained here is yours, trying to lay shit on someone else simply because you have a pedantic and different view of what is going on.
Re: (Score:2)
> the definition of a computer hack (including the legal definition in this case) is nothing more than "unauthorised computer access for an illicit purpose"
Do you have a link that supports such nonsense that actually includes the word 'hack'?
Per the summary:
"took advantage of his authorized access to Ubiquiti's network"
The way he went about it was unauthorized, sure. But his credentials were authorized. It is not a hack in the sense that something was broken, this is not a forced entry type situation. T
was bound to get caught (Score:2)
Re: (Score:2)
Except he wasn't caught due to the nature of the VPN service at all, and there's no evidence that the VPN service he was using was retaining records that would have led to him.
The kind of service used here, or who provided it is not what got him caught. The lack of a VPN killswitch is.
Re: was bound to get caught (Score:2)
VPN to hide his home IP address ? (Score:1)
Reminds me of True Names by Vernor Vinge (Score:2)
Except he should have called the story "True IP Addresses"