fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Former Ubiquiti Dev Charged for Trying to Extort his Employer

Former Ubiquiti Dev Charged for Trying to Extort his Employer

Nickolas Sharp, a former employee of networking device maker Ubiquiti, was arrested and charged today with data theft and attempting to extort his employer while posing as a whistleblower and an anonymous hacker.

“As alleged, Nickolas Sharp exploited his access as a trusted insider to steal gigabytes of confidential data from his employer, then, posing as an anonymous hacker, sent the company a nearly $2 million ransom demand,” U.S. Attorney Damian Williams said today.

“As further alleged, after the FBI searched his home in connection with the theft, Sharp, now posing as an anonymous company whistleblower, planted damaging news stories falsely claiming the theft had been by a hacker enabled by a vulnerability in the company’s computer systems.”

Also Read: A Look at the Risk Assessment Form Singapore Government Requires

Exposed by an Internet outage

According to the indictment [PDF], Sharp stole gigabytes of confidential data from Ubiquiti’s AWS (on December 10, 2020) and GitHub (on December 21 and 22, 2020) infrastructure using his cloud administrator credentials, cloning hundreds of GitHub repositories over SSH.

Throughout this process, the defendant tried hiding his home IP address using Surfshark’s VPN services. However, his actual location was exposed after a temporary Internet outage.

To hide his malicious activity, Sharp also altered log retention policies and other files that would have exposed his identity during the subsequent incident investigation.

“Among other things, SHARP applied one-day lifecycle retention policies to certain logs on AWS which would have the effect of deleting certain evidence of the intruder’s activity within one day,” the court documents read.

After Ubiquiti disclosed a security incident in January following Sharp’s data theft, while working to assess the scope and remediate the security breach effects he also tried extorting the company (posing as an anonymous hacker).

His ransom note demanded almost $2 million in exchange for returning the stolen files and the identification of a remaining vulnerability.

The company refused to pay the ransom and, instead, found and removed a second backdoor from its systems, changed all employee credentials, and issued the January 11 security breach notification.

Also Read: CCTV Law Singapore Edition: Know Your Rights and Responsibilities

Billions of dollars in losses after stock drop

After his extortion attempts failed, Sharp shared information with the media while pretending to be a whistleblower and accusing the company of downplaying the incident.

This caused Ubiquiti’s stock price to fall by roughly 20%, from $349 on March 30 to $290 on April 1, amounting to losses of over $4 billion in market capitalization.

“SHARP subsequently re-victimized his employer by causing the publication of misleading news articles about the company’s handling of the breach that he perpetrated, which were followed by a significant drop in the company’s share price associated with the loss of billions of dollars in its market capitalization,” the Department of Justice (DOJ) said.

The company confirmed on April 1 that it was the target of an extortion attempt following a January security breach with no indication that customer accounts were affected after Sharp (acting as a whistleblower) challenged his employer’s take on the breach saying that the incident’s actual impact was massive.

He also said Ubiquiti did not have a logging system thus preventing them from checking what data or systems the attacker accessed. This lines up with DOJ’s info on him tampering with the company’s logging systems.

While the DOJ didn’t name Sharp’s employer in today’s press release or the indictment, all the details perfectly align with previous info on the Ubiquiti breach and information presented in Sharp’s LinkedIn account.

Sharp is charged with four counts and is facing a maximum sentence of 37 years in prison if found guilty.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us