Experts Insight On FritzFrog botnet targeting millions of servers, including government agencies and banks

Researchers have found what they believe is a previously undiscovered botnet that uses unusually advanced measures to covertly target millions of servers around the world. The botnet uses proprietary software written from scratch to infect servers and corral them into a peer-to-peer network, researchers from security firm Guardicore Labs reported on Wednesday. The botnet, which Guardicore Labs researchers have named FritzFrog, has a host of other advanced features, including:

  • In-memory payloads that never touch the disks of infected servers
  • At least 20 versions of the software binary since January
  • A sole focus on infecting secure shell, or SSH, servers that network administrators use to manage machines
  • The ability to backdoor infected servers
  • A list of login credential combinations used to suss out weak login passwords that are more “extensive” than those in previously seen botnets

Administrators who don’t protect SSH servers with both a strong password and a cryptographic certificate may already be infected with malware that’s hard for the untrained eye to detect.

Experts Comments

August 28, 2020
Ophir Harpaz
Security Researcher
Guardicore
When comparing the amount of code dedicated to the miner, with that of the P2P and the worm (“cracker”) modules - we can confidently say that the attackers are much more interested in obtaining access to breached servers then making profit through Monero. These access to and control over SSH servers can be worth much more money than spreading a cryptominer, especially when taking into account the type of targets we witnessed. Additionally, it is possible that FritzFrog is a.....Read More
When comparing the amount of code dedicated to the miner, with that of the P2P and the worm (“cracker”) modules - we can confidently say that the attackers are much more interested in obtaining access to breached servers then making profit through Monero. These access to and control over SSH servers can be worth much more money than spreading a cryptominer, especially when taking into account the type of targets we witnessed. Additionally, it is possible that FritzFrog is a P2P-infrastructure-as-a-service; since it is robust enough to run any executable file or script on victim machines, this botnet can potentially be sold in the darknet and be the genie of its operators, fulfilling any of its malicious wishes, e.g. malware distribution.  Read Less
August 25, 2020
Niamh Muldoon
Senior Director of Trust and Security EMEA
OneLogin
This latest discovery of botnets running undetected on servers is a terrifying prospect, particularly considering the wild west that IoT devices operate in with regards to the general standards of security more traditional devices are held to. The key lesson to remember Defence in Depth. By this we mean Securing the posture of the technology device trying to connect, validating the identity of end-user using strong multi-factor authentication and availing of enhanced multi-factor authentication .....Read More
This latest discovery of botnets running undetected on servers is a terrifying prospect, particularly considering the wild west that IoT devices operate in with regards to the general standards of security more traditional devices are held to. The key lesson to remember Defence in Depth. By this we mean Securing the posture of the technology device trying to connect, validating the identity of end-user using strong multi-factor authentication and availing of enhanced multi-factor authentication prior to the authorization of high-privilege actions in applications such as running large reports for customer data and/or downloading customer data. This reduces the risk of attack by increasing the complexity of the exploit for the malicious attacker, as they must gain access to multiple authentication factors such as password, token and/or certificates and generally speaking, they have a short period of time to do this prior to the authentication attempt expiring.  Read Less
What do you think of the topic? Do you agree with expert(s) or share your expert opinion below.
Be part of our growing Information Security Expert Community (1000+), please register here.

Share on facebook
Share on twitter
Share on linkedin

Recent Posts

Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics

Twitter Facebook-f Linkedin Youtube

Working With Us

The Pages

Our Contributing Experts