As if I need another reason not to recommend Ubiquiti...
Yes, Kreb's reporting wasn't great and he should have retracted the original article once the facts came out, but I don't think being a bad journalist is something you take someone to court for.
You could argue they have reason to sue because this reporting can impact their reputation and business when it seems the information was found false enough to retract. However it would’ve been better to let this one pass, because now they just look worse.
This could backfire on Ubiquiti - considering Krebs stellar reputation already, that if it does go to court, and they rule in Krebs favor, it becomes even more devasatating to winning any further Enterprise market contracts.
It could kill Ubiquiti on all enterprise deals with "cybersecurity business risk" factors each enterprise ways before making decisions.
Krebs does not really have a stellar reputation. He seems to enjoy doxxing random people who criticize him.[1]
He generally does good work but the thing he's being sued over was an example of lazy journalism. I would expect a seasoned journalist to actually verify the claims being fed to them rather than regurgitating things blindly. He didn't do that in this case it seems, instead buying the story he was being (figuratively) sold completely and not bothering to do any checking.
Ubiquiti might not be doing themselves favors in PR here but if they have actual proof that he knew they were not covering it up, and there's provable damages this won't go the way people want. That's going to be a really high bar for them to clear though, barring them responding directly to a request for comment with "no absolutely not we're investigating and will release details later" or something to that effect.
Defamation suits on this scale are difficult, just look at what's been happening with Fox's election system related lawsuits[2] -- judges keep ruling against them on requests for dismissal. They may not ultimately lose any of these cases based on the facts but they also have the resources to make that a lengthy journey, where I don't think Krebs does.
> Yes, Kreb's reporting wasn't great and he should have retracted the original article once the facts came out,
I mean, his source wasn't great, but the fact is that they were suffering a breach. The fact that the breach was an undetected insider hardly makes things better.
While there have been remote exploits against exposed management ports, the vast majority of compromised Mikrotik devices are caused by insecure configurations by users. Mikrotik is huge in the smaller ISP world and especially in developing countries due to the low cost, but those users are not always the most security conscious.
The linked article from Microsoft goes into some detail about the vulnerability in Mikrotik that was being used, and there are many other examples of this happening. Weak creds are also an issue, but their software is pretty buggy from a security standpoint. If you run Mikrotik gear exposed to the public internet, I hope you have good logging and are keeping a sharp eye on it.
Now hang on, the linked article mentions how a Mikrotik with compromised creds can be used as a C2 (as can most routers), and goes on to list the primary methods of compromise:
Default creds (configuration issue)
Common creds via bruteforce (configuration issue)
Exploit of CVE-2018-14847 (4 year old patched vulnerability).
All of the methods mentioned require local network access in a default configuration. None of these are issues from the public internet.
If you have lateral movement within most networks, you're already likely to have the ability to route and disguise traffic and use the network as a relay point.
I am interested to read of your "many other examples". I'm yet to see a serious network gear vendor without big vulnerabilities to their name. From memory, Cisco had about 4 backdoor root accounts found and CVE'd in 2018 alone.
My exposure to Mikrotik is that you need to download some windows executable to speak some bespoke protocol to perform configuration of the device (specifically for RouterOS)? Is that true?
I've got some of their switches running SwitchOS, which is great, but my minute exposure to winbox has thoroughly put me off anything that uses RouterOS.
You can do everything through web interface called "WebFig" (or even SSH console), but honestly Winbox MDI is much more convenient. I think only Winbox-exclusive feature is connecting through Ethernet packets (without IP).
(1) SSH into you box for shell and use the command line interface
(2) Use the comprehensive web interface
(3) use the shell tool in the web interface
(4) use wine to run the client
Brian Krebs is more than a bad journalist. He harms people and companies for his own gain. I have never heard of ubiquiti, except here on hn, but I think they're completely right in suing him.
Yes, Kreb's reporting wasn't great and he should have retracted the original article once the facts came out, but I don't think being a bad journalist is something you take someone to court for.