Experts Insight On FritzFrog botnet targeting millions of servers, including government agencies and banks

By   ISBuzz Team
Writer , Information Security Buzz | Aug 25, 2020 03:02 am PST

Researchers have found what they believe is a previously undiscovered botnet that uses unusually advanced measures to covertly target millions of servers around the world. The botnet uses proprietary software written from scratch to infect servers and corral them into a peer-to-peer network, researchers from security firm Guardicore Labs reported on Wednesday. The botnet, which Guardicore Labs researchers have named FritzFrog, has a host of other advanced features, including:

  • In-memory payloads that never touch the disks of infected servers
  • At least 20 versions of the software binary since January
  • A sole focus on infecting secure shell, or SSH, servers that network administrators use to manage machines
  • The ability to backdoor infected servers
  • A list of login credential combinations used to suss out weak login passwords that are more “extensive” than those in previously seen botnets

Administrators who don’t protect SSH servers with both a strong password and a cryptographic certificate may already be infected with malware that’s hard for the untrained eye to detect.

Notify of
2 Expert Comments
Oldest Most Voted
Inline Feedbacks
View all comments
Ophir Harpaz
Ophir Harpaz , Security Researcher
August 28, 2020 4:49 pm

When comparing the amount of code dedicated to the miner, with that of the P2P and the worm (“cracker”) modules – we can confidently say that the attackers are much more interested in obtaining access to breached servers then making profit through Monero. These access to and control over SSH servers can be worth much more money than spreading a cryptominer, especially when taking into account the type of targets we witnessed.

Additionally, it is possible that FritzFrog is a P2P-infrastructure-as-a-service; since it is robust enough to run any executable file or script on victim machines, this botnet can potentially be sold in the darknet and be the genie of its operators, fulfilling any of its malicious wishes, e.g. malware distribution.

Last edited 3 years ago by Ophir Harpaz
Niamh Muldoon
Niamh Muldoon , Senior Director of Trust and Security EMEA
August 25, 2020 11:21 am

This latest discovery of botnets running undetected on servers is a terrifying prospect, particularly considering the wild west that IoT devices operate in with regards to the general standards of security more traditional devices are held to. The key lesson to remember Defence in Depth. By this we mean Securing the posture of the technology device trying to connect, validating the identity of end-user using strong multi-factor authentication and availing of enhanced multi-factor authentication prior to the authorization of high-privilege actions in applications such as running large reports for customer data and/or downloading customer data. This reduces the risk of attack by increasing the complexity of the exploit for the malicious attacker, as they must gain access to multiple authentication factors such as password, token and/or certificates and generally speaking, they have a short period of time to do this prior to the authentication attempt expiring.

Last edited 3 years ago by Niamh Muldoon

Recent Posts

Would love your thoughts, please comment.x