Expert Comments

Experts Insight On FritzFrog botnet targeting millions of servers, including government agencies and banks

Expert(s): Security Experts
Expert(s): Security Experts

Researchers have found what they believe is a previously undiscovered botnet that uses unusually advanced measures to covertly target millions of servers around the world. The botnet uses proprietary software written from scratch to infect servers and corral them into a peer-to-peer network, researchers from security firm Guardicore Labs reported on Wednesday. The botnet, which Guardicore Labs researchers have named FritzFrog, has a host of other advanced features, including:

  • In-memory payloads that never touch the disks of infected servers
  • At least 20 versions of the software binary since January
  • A sole focus on infecting secure shell, or SSH, servers that network administrators use to manage machines
  • The ability to backdoor infected servers
  • A list of login credential combinations used to suss out weak login passwords that are more “extensive” than those in previously seen botnets

Administrators who don’t protect SSH servers with both a strong password and a cryptographic certificate may already be infected with malware that’s hard for the untrained eye to detect.

Experts Comments

August 28, 2020
Ophir Harpaz
Security Researcher
Guardicore
When comparing the amount of code dedicated to the miner, with that of the P2P and the worm (“cracker”) modules - we can confidently say that the attackers are much more interested in obtaining access to breached servers then making profit through Monero. These access to and control over SSH servers can be worth much more money than spreading a cryptominer, especially when taking into account the type of targets we witnessed. Additionally, it is possible that FritzFrog is a.....Read More
When comparing the amount of code dedicated to the miner, with that of the P2P and the worm (“cracker”) modules - we can confidently say that the attackers are much more interested in obtaining access to breached servers then making profit through Monero. These access to and control over SSH servers can be worth much more money than spreading a cryptominer, especially when taking into account the type of targets we witnessed. Additionally, it is possible that FritzFrog is a P2P-infrastructure-as-a-service; since it is robust enough to run any executable file or script on victim machines, this botnet can potentially be sold in the darknet and be the genie of its operators, fulfilling any of its malicious wishes, e.g. malware distribution.  Read Less
August 25, 2020
Niamh Muldoon
Senior Director of Trust and Security EMEA
OneLogin
This latest discovery of botnets running undetected on servers is a terrifying prospect, particularly considering the wild west that IoT devices operate in with regards to the general standards of security more traditional devices are held to. The key lesson to remember Defence in Depth. By this we mean Securing the posture of the technology device trying to connect, validating the identity of end-user using strong multi-factor authentication and availing of enhanced multi-factor authentication .....Read More
This latest discovery of botnets running undetected on servers is a terrifying prospect, particularly considering the wild west that IoT devices operate in with regards to the general standards of security more traditional devices are held to. The key lesson to remember Defence in Depth. By this we mean Securing the posture of the technology device trying to connect, validating the identity of end-user using strong multi-factor authentication and availing of enhanced multi-factor authentication prior to the authorization of high-privilege actions in applications such as running large reports for customer data and/or downloading customer data. This reduces the risk of attack by increasing the complexity of the exploit for the malicious attacker, as they must gain access to multiple authentication factors such as password, token and/or certificates and generally speaking, they have a short period of time to do this prior to the authentication attempt expiring.  Read Less

Submit Your Expert Comments

What do you think of the topic? Do you agree with expert(s) or share your expert opinion below.
Be part of our growing Information Security Expert Community (1000+), please register here.

Write Your Expert Comments *
Your Registered Email *
Notification Email (If different from your registered email)
* By using this form you agree with the storage and handling of your data by this web site.
SUBMIT

You may also like

IKEA Suffering Ongoing “Reply-Chain” Email Attack

Cybersecurity Expert Reaction On UK’s Financial Regulator Scraps 90-day Authentication...

DNA Testing Firm Discloses Data Breach Affecting 2.1 Million People

Panasonic Becomes Latest Victim Of Data Breach – Security Expert...

Clearview’s £17 Million Fine For Processing 10+ Billion Images Is...

Booz Allen Report On CISOs And China Quantum Computing Risks,...

Experts Reactions On Sky Broadband Hack Warning

Ransomware Set To Break Records This Black Friday 2021

Security Expert On Apple Suing NSO Group

Meta Delays Plans To Rollout End-to-end Encryption

Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics

Twitter Facebook-f Linkedin Youtube

Working With Us

The Pages

Our Contributing Experts