Cybersecurity News & Commentary - April 2019

The Source Port is Georgia Tech's monthly cybersecurity newsletter, featuring commentary from its researchers about topics in the news over the past month, what wasn't written between the lines, the big (and sometimes nagging) questions driving our research, and new projects underway.


April, 2019


Geopolitics of IGF

This year’s Canadian IGF was quite nostalgic. Its approach was similar to that of past sessions of the United Nations Internet Governance Forum. A couple of years ago at the UN IGF, the narrative that shaped the human rights discussions was more about our rights on the Internet than about the Internet threatening our rights. It was about how we used the Internet for the benefit of humankind and how its governance enabled Internet users to communicate and use information services regardless of geopolitical tensions. Those days are gone: the UN IGF has turned into a battle of states and stakeholders wanting to regulate the Internet in the name of preventing harm and protecting our rights. Perhaps the UN IGF needs to revisit its approach by learning from the Canadian IGF.

IISP Analyst Farzaneh Badiei: The Canadian IGF was a breath of fresh air, reminding the Internet community that by using the Internet they transcended borders and brought the most isolated users a form of communication that today dominates many aspects of our lives. The sessions did not deny the problems; in fact, the final session was about Internet control and the challenges the Internet faces. But no cyber-doomsday narrative dominated the discussions. These were rational actors discussing problems and considering solutions.

Byron Holland of the Canadian Internet Registration Authority (CIRA) told us that we ought to find solutions for the problems we face on the Internet, but also to consider how those solutions affect our freedom and our freedom of speech. Not having lost his optimism about the Internet, Byron invited us to think about how to bring the other 3 billion people online (and not only Canadians). The keynote by Tucows CEO Elliot Noss opened with an old but perhaps timelier-than-ever message: the Internet is a post-national technology, it is transnational, and it should be kept that way. He also warned against fear mongering about a global technology with so much potential, and he asked Canadians to stand up and shape Internet policies and governance mechanisms within the global Internet community.

During the panel on Canada’s role in the future of Internet governance, it was noted that states are increasingly regulating the Internet and that, as a result, its global interoperability might be endangered. An interesting exchange on the extraterritorial impact of regulation took place when Marie Aspiazu of Open Media asked the panel whether people outside Europe have the right to be concerned about regulations that affect the Internet globally, such as the EU Copyright Directive. Konstantinos Komaitis of ISOC, who has been working on the unintended consequences of extraterritorial regulation, responded: “hellz yeah, you have the right to be concerned and you should be.”

The divide between the Internet governance community and the governmental cybersecurity agencies that frame many cybersecurity issues as national security issues was also mentioned as a threat to multistakeholder, bottom-up processes of Internet governance.

As to the role of Canada in the future of Internet governance, the Canadian Internet community and its various stakeholders at least declare the importance of respecting rights on the Internet, and some show better than others that they practice what they preach. With a “post-national” approach to Internet governance, Canadian stakeholders could be the initiators of novel processes for Internet governance. As comparatively more rational actors, they are in a strategic position to help initiate multistakeholder Internet governance processes globally and bring the world together to preserve the global, interoperable nature of the Internet.

Almost Three Years Later, the Mirai Botnet Remains Alive and Well

According to a recent report by Palo Alto Networks, the Mirai botnet, which first emerged in 2016, continues to spread to IoT and enterprise devices using new attack vectors against new classes of device. Because the malware’s source code has been publicly available since 2016, malicious actors have kept improving Mirai to thwart countermeasures and to adapt to the changing IoT landscape. The latest variants spread by exploiting a variety of remote code execution bugs in devices as diverse as televisions, video cameras, and small routers.

IISP Analyst Joel Odom: Sometimes it is informative to look back on yesterday’s news to find out where a story went after it left the limelight. In the fast-paced world of cybersecurity it is important to keep up with the latest threats and defenses, but we also see a pattern in which old techniques and threats live on for years after they first break. The Mirai botnet, which emerged in 2016, not only continues to be an active threat but has evolved in interesting ways over the last several years. As Georgia Tech’s Institute for Information Security and Privacy News Center originally reported in 2016, Mirai works by logging in to IoT devices with factory-default user names and passwords. This simple attack technique is decades old, but it still works in a surprising number of cases, especially in the IoT world, which is still learning the lessons that the enterprise OS world learned years ago.

Since its source code became public, Mirai has evolved beyond a list of user names and passwords. The botnet’s newer propagation mechanisms include remote code execution exploits against different kinds of IoT devices and the use of a well-known Apache Struts vulnerability. The Struts exploit shows that Mirai has been adapted to spread via enterprise systems as well as IoT devices. It also shows that as product vendors deploy better security measures, attackers are ready to step up their game, with new exploits at hand to keep their malware active.

Poor product security can continue to haunt a manufacturer and its customers for years after the sale. Security pundits may make this point ad nauseam, but manufacturers are unlikely to prioritize security as long as poor security does not impact them directly once their product leaves the store shelf.

It took decades for enterprise application and operating system developers to implement the best practices we have today. IoT security is still playing catch-up. The shining star is the mobile ecosystem, which recognized the necessity of solid security from the start and which has done a fairly good job of security overall.

Source:

Our original 2016 commentary: https://iisp.gatech.edu/mirai-ddos-proves-earliest-tricks-still-thrive

A 2017 update that we wrote on a Mirai variant: https://iisp.gatech.edu/new-malware-preys-linux-based-iot-devices-default-passwords

A recent (March, 2019) report on new variants: https://unit42.paloaltonetworks.com/new-mirai-variant-targets-enterprise-wireless-presentation-display-systems/


Belonard May Be Operating in Your Counter-Strike Client

The Russian cybersecurity company Dr. Web detected a botnet built on clients of Counter-Strike 1.6, a popular video game. Counter-Strike 1.6 was released by Valve Corporation almost 20 years ago and still maintains a daily player base of tens of thousands. To promote a business of leasing game servers, a piece of malware called Belonard exploits vulnerabilities in the game client in order to steer players to particular game servers. Once a host is infected, it is used to spread the malware to further players.

IISP Analyst Kennon Bittick: The fact that the game is so old is worth noting. It is rare for software of any kind to be maintained 20 years after its initial release, and doing so is always a challenge. Yet tens of thousands of people still use this software today and are at risk. It is not clear whether Valve Corporation has a responsibility to fix this bug or, more generally, what responsibility maintainers have to fix vulnerabilities in legacy software. In this specific case, it appears that Valve intends to fix the bug.


Another interesting aspect of this story is that a video game was both the propagation vector for the malware and the financial motive behind it. Video games, especially online games, are large pieces of complex software involving multiple parties communicating over a network. As with other software, care must be taken when parsing data received from the network, since parsing code is a common source of vulnerabilities; the exact nature of the vulnerability used by this malware was not disclosed, but it likely lies in the client’s network parsing. Although video games have many hallmarks of vulnerable code (complex networked software written in memory-unsafe languages like C or C++), they are often not designed with security in mind, which can lead to serious issues compromising the safety of users.
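To make the network-parsing point concrete, here is an added example written for this commentary (it is not code from Valve, Dr. Web, or the Belonard sample, and the wire format is an invented assumption, not the real Counter-Strike protocol). It shows the classic bug class in a length-prefixed field parser: a version that trusts the length sent by the peer, next to a hardened version that checks the declared length against both the destination buffer and the bytes actually received, and rejects control bytes inside the field.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy wire format for a "player name" message (an assumption for
 * this example, NOT the real Counter-Strike 1.6 protocol):
 *   byte 0     : message type (0x01 = player name)
 *   bytes 1-2  : declared name length, big-endian
 *   bytes 3... : name bytes, not NUL-terminated on the wire
 */
#define MSG_PLAYER_NAME 0x01
#define NAME_MAX 32            /* on-host buffer size, including the NUL */

/* Vulnerable form: the declared length is trusted. A peer that puts 0x1000 in
 * the length field makes memcpy write 4096 bytes into a 32-byte buffer and
 * read past the end of the datagram. Kept only for contrast; never call it on
 * untrusted input. */
size_t parse_name_unsafe(const uint8_t *msg, size_t len, char out[NAME_MAX])
{
    if (len < 3)
        return 0;
    size_t name_len = ((size_t)msg[1] << 8) | msg[2];
    memcpy(out, msg + 3, name_len);   /* unchecked length: buffer overflow */
    out[name_len] = '\0';
    return name_len;
}

typedef enum {
    PARSE_OK = 0,
    PARSE_SHORT,      /* datagram shorter than the header or the declared field */
    PARSE_TOO_LONG,   /* declared length does not fit the destination buffer */
    PARSE_BAD_TYPE,   /* not a player-name message */
    PARSE_BAD_CHAR    /* control byte inside the name (e.g. embedded NUL) */
} parse_result;

/* Hardened form: every length is checked against both the buffer we write
 * into and the bytes we actually received, before anything is copied. */
parse_result parse_name_safe(const uint8_t *msg, size_t len,
                             char out[NAME_MAX], size_t *out_len)
{
    if (len < 3)
        return PARSE_SHORT;
    if (msg[0] != MSG_PLAYER_NAME)
        return PARSE_BAD_TYPE;

    size_t name_len = ((size_t)msg[1] << 8) | msg[2];
    if (name_len >= NAME_MAX)        /* >= leaves room for the terminating NUL */
        return PARSE_TOO_LONG;
    if (name_len > len - 3)          /* field would run past the datagram */
        return PARSE_SHORT;

    for (size_t i = 0; i < name_len; i++) {
        uint8_t c = msg[3 + i];
        if (c < 0x20 || c > 0x7e)    /* printable ASCII only */
            return PARSE_BAD_CHAR;
    }

    memcpy(out, msg + 3, name_len);
    out[name_len] = '\0';
    *out_len = name_len;
    return PARSE_OK;
}

/* Constructed sample datagrams (not captured traffic). */
const uint8_t SAMPLE_GOOD[]      = { 0x01, 0x00, 0x05, 'a', 'l', 'i', 'c', 'e' };
const uint8_t SAMPLE_OVERSIZED[] = { 0x01, 0x10, 0x00, 'A', 'A', 'A', 'A' };  /* claims 4096 bytes */
const uint8_t SAMPLE_TRUNCATED[] = { 0x01, 0x00, 0x0a, 'b', 'o', 'b' };       /* claims 10, carries 3 */
const uint8_t SAMPLE_BAD_CHAR[]  = { 0x01, 0x00, 0x03, 'b', 0x00, 'b' };      /* embedded NUL */

int main(void)
{
    char name[NAME_MAX];
    size_t n = 0;
    printf("good:      %d\n", parse_name_safe(SAMPLE_GOOD, sizeof SAMPLE_GOOD, name, &n));
    printf("oversized: %d\n", parse_name_safe(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED, name, &n));
    printf("truncated: %d\n", parse_name_safe(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, name, &n));
    printf("bad char:  %d\n", parse_name_safe(SAMPLE_BAD_CHAR, sizeof SAMPLE_BAD_CHAR, name, &n));
    return 0;
}
```

The ordering of the checks matters: the destination-size check comes before the received-length check so that an absurd declared length is rejected without ever being used in arithmetic against `len`, and nothing is copied until every check has passed. The same pattern applies to any length, count, or offset that arrives from a peer.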


The malware targets a video game for financial gain, which is unusual because video games are not generally seen as a lucrative market for attackers. This may be changing with the recent successes of multiplayer titles like Minecraft and Fortnite, but it is certainly unusual for a 20-year-old game. The business model of the malware mirrors that of more traditional targets of cybercrime. In Counter-Strike, anyone can run a game server. Administrators of these servers want to attract as many players as possible, much like the owner of a website. To do so, server operators can pay the malware author to boost the priority of their server as seen by players. This mirrors black-hat search engine optimization schemes, which use malware or other malicious practices to boost the popularity of websites on search engines. Mainstream trends in cybercrime are migrating to non-traditional targets, and it is worth watching how cybercrime expands to include games and legacy systems.

Source:

https://www.zdnet.com/article/malicious-counter-strike-1-6-servers-used-zero-days-to-infect-users-with-malware/

https://st.drweb.com/static/new-www/news/2019/march/belonard_trojan_en.pdf