Former Ubiquiti employee arrested on theft charges

At the beginning of the year, news was released about unauthorized access to the network of the network equipment manufacturer Ubiquiti. Since then, customers have been notified about unauthorized access to certain systems of its infrastructure hosted on the network of an external cloud provider.

Until that point, direct evidence of the leak was apparent from the access to the compromised hosts, and it was mentioned that a database containing accounts could have been accessed in the service that allows remote management of UniFi devices.

The database contains information such as password hashes, names, addresses, and phone numbers of Ubiquiti users. On the company forum at the time, it was clear that users wanted the return of the ability to create local accounts on their devices that are not tied to Ubiquiti's cloud service.

In the current firmware of Ubiquiti devices, the options for standalone device management have been limited, and authentication with the company's cloud service was required to access new devices with UniFi OS (in newer firmware, the cloud functionality can be disabled, but this can only be done after the initial setup of UniFi OS, which requires linking to an account on the cloud service). To manage devices, a mobile application is provided that interacts with the device through Ubiquiti's cloud service and does not support a direct connection by IP address.

After this incident, nothing further was released about it until recently: on December 1, the FBI and prosecutors from New York City announced the arrest of a former Ubiquiti employee, Nickolas Sharp. He is accused of illegally accessing computer systems, fraud, wire fraud, and lying to the FBI.

According to his LinkedIn profile (already deleted), Sharp was the cloud team lead at Ubiquiti until April 2021, and before that he held senior engineering positions at companies such as Amazon and Nike. According to the prosecutor's office, Sharp is suspected of illegally using his official position and, as a result, his administrative access to Ubiquiti's computer systems, cloning about 150 repositories from his GitHub account to his home computer in December 2020. To hide his IP address, Sharp used the Surfshark VPN service. However, after an accidental disconnection at his ISP, Sharp's home IP address "lit up" in the access logs.

In January 2021, already a member of the team investigating this "incident", Sharp sent an anonymous letter to Ubiquiti demanding a payment of 50 bitcoins (~$2 million) in exchange for silence and for disclosure of the vulnerability through which access had allegedly been obtained. When Ubiquiti refused to pay, Sharp published some of the stolen data via Keybase. A few days later, he formatted the disk of the laptop he had used to clone the data and to correspond with the company.

In March 2021, FBI agents carried out a search on Sharp and seized several "electronic devices". During the search, Sharp denied using Surfshark's VPN, and when presented with documents showing that he had purchased a 27-month subscription there in July 2020, he said that someone had accessed his PayPal account.

A few days after the FBI raid, Sharp contacted Brian Krebs, a well-known information security journalist, and gave him an "insider" account of the Ubiquiti incident, which was published on March 30, 2021 (and may have been one of the reasons for the subsequent 20% drop in Ubiquiti shares). More details can be found in the text of the complaint.

Finally, if you are interested in knowing more about it, you can check the details at the following link.

