Researchers have found what they believe is a previously undiscovered botnet that uses unusually advanced measures to covertly target millions of servers around the world. The botnet uses proprietary software written from scratch to infect servers and corral them into a peer-to-peer network, researchers from security firm Guardicore Labs reported on Wednesday. The botnet, which Guardicore Labs researchers have named FritzFrog, has a host of other advanced features, including:
- In-memory payloads that never touch the disks of infected servers
- At least 20 versions of the software binary since January
- A sole focus on infecting secure shell, or SSH, servers that network administrators use to manage machines
- The ability to backdoor infected servers
- A list of login credential combinations, used to suss out weak login passwords, that is more “extensive” than those seen in previous botnets
Administrators who don’t protect SSH servers with both a strong password and a cryptographic certificate may already be infected with malware that’s hard for the untrained eye to detect.
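The credential-list attack described above leaves a recognisable trace in sshd logs: one source failing against many different usernames in a short window, sometimes followed by a success. The following detector is an added example written for this article, not code from Guardicore Labs or from FritzFrog; the log lines and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd syslog lines (not from the article): 203.0.113.5 sprays
# several usernames and then gets in; 198.51.100.7 is an admin using a key.
SAMPLE_LOG = """\
Aug 19 10:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Aug 19 10:00:03 host sshd[1002]: Failed password for root from 203.0.113.5 port 40002 ssh2
Aug 19 10:00:04 host sshd[1003]: Failed password for invalid user oracle from 203.0.113.5 port 40003 ssh2
Aug 19 10:00:06 host sshd[1004]: Failed password for invalid user ubuntu from 203.0.113.5 port 40004 ssh2
Aug 19 10:00:08 host sshd[1005]: Failed password for invalid user test from 203.0.113.5 port 40005 ssh2
Aug 19 10:00:09 host sshd[1006]: Accepted password for root from 203.0.113.5 port 40006 ssh2
Aug 19 10:05:30 host sshd[1008]: Accepted publickey for alice from 198.51.100.7 port 50002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse(text, year=2020):
    # Syslog lines carry no year, so one is supplied to build a datetime.
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["method"], m["user"], m["src"]))
    return events

def find_credential_stuffing(events, min_failures=5, min_users=3, window_s=60):
    """Flag sources with >= min_failures failed logins against >= min_users
    distinct usernames inside window_s seconds, and note any later success."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[4]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        fails = [e for e in evs if e[1] == "Failed"]
        for i, first in enumerate(fails):
            win = [e for e in fails[i:] if (e[0] - first[0]).total_seconds() <= window_s]
            users = {e[3] for e in win}
            if len(win) >= min_failures and len(users) >= min_users:
                ok = next((e for e in evs if e[1] == "Accepted" and e[0] >= first[0]), None)
                alerts[src] = {"failures": len(win), "users": sorted(users),
                               "success_after": None if ok is None else (ok[3], ok[2])}
                break
    return alerts
```

A source that is flagged with a `success_after` entry is the case worth acting on first, since the article notes the resulting access is hard to spot by eye once the in-memory payload is running.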
When comparing the amount of code dedicated to the miner with that of the P2P and the worm (“cracker”) modules, we can confidently say that the attackers are much more interested in obtaining access to breached servers than in making profit through Monero. This access to and control over SSH servers can be worth much more money than spreading a cryptominer, especially when taking into account the type of targets we witnessed.
Additionally, it is possible that FritzFrog is a P2P-infrastructure-as-a-service; since it is robust enough to run any executable file or script on victim machines, this botnet can potentially be sold in the darknet and be the genie of its operators, fulfilling any of its malicious wishes, e.g. malware distribution.
This latest discovery of botnets running undetected on servers is a terrifying prospect, particularly considering the wild west that IoT devices operate in with regard to the general standards of security that more traditional devices are held to. The key lesson to remember is Defence in Depth. By this we mean securing the posture of the device trying to connect, validating the identity of the end-user with strong multi-factor authentication, and requiring enhanced multi-factor authentication prior to the authorization of high-privilege actions in applications, such as running large reports on customer data and/or downloading customer data. This reduces the risk of attack by increasing the complexity of the exploit for the malicious attacker: they must gain access to multiple authentication factors such as a password, token and/or certificate, and generally speaking they have only a short period of time to do so before the authentication attempt expires.