
FritzFrog Botnet Breached 500 SSH Servers Since January 2020

Ophir Harpaz, security researcher, Guardicore

Guardicore, an Israeli data center and cloud security provider, has discovered a peer-to-peer (P2P) botnet that has been breaching Secure Shell (SSH) servers in the government, education and financial sectors since the beginning of 2020.

Part of what makes the malware, dubbed FritzFrog and written in the open source Go language, a one-off is that it is proprietary and written from scratch. It is also modular, multi-threaded and fileless, leaving no trail on disk on infected machines, according to Guardicore, which has found 20 different versions of the malware executable.

To date, it has breached some 500 servers by brute-forcing SSH credentials, and it has attempted to brute-force "tens of millions" of IP addresses belonging to government agencies, educational institutions, medical facilities, financial firms and telecom companies, Ophir Harpaz, a Guardicore security researcher, said in a blog post.

FritzFrog Botnet: More Activity Details

So far, the FritzFrog botnet hasn’t been tied to a specific hacking group but it bears some “resemblance to a previously-seen P2P botnet named Rakos,” Harpaz said. “FritzFrog has a special combination of properties, which makes it unique in the threat landscape,” she said, referring to the worm as “new generation.” Here’s why:

  • Fileless: FritzFrog operates with no working directory, and file transfers are done in-memory using blobs.
  • Constantly updating: Databases of targets and breached machines are exchanged seamlessly.
  • Aggressive: Brute-force is based on an extensive dictionary.
  • Efficient: Targets are evenly distributed among nodes.
  • Proprietary: The P2P protocol is completely proprietary, relying on no known P2P protocols.

Guardicore said it first noticed FritzFrog on January 9, when new attacks appeared that ran malicious processes named ifconfig and nginx, masquerading as the legitimate tools of those names. The security specialist subsequently saw activity spike to some 13,000 attacks on its Guardicore Global Sensors Network (GGSN). “What was intriguing about this campaign was that, at first sight, there was no apparent command and control server being connected to,” Harpaz wrote. “It was shortly after the beginning of the research when we understood no such CNC existed in the first place.”

FritzFrog Botnet: Attack Mitigation Strategies

Guardicore issued three key recommendations to impede FritzFrog attacks:

  • Choose strong passwords and use public key authentication.
  • Remove FritzFrog’s public key from the authorized_keys file, preventing the attackers from accessing the machine.
  • Consider changing routers’ and IoT devices’ SSH port or completely disabling SSH access to them if the service is not in use.
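As an added example, not Guardicore's own detection script and not code from the original post, the following POSIX shell audit turns the three recommendations into checks an administrator can run on a Linux host: it flags authorized_keys entries whose key material is not on an allow-list of known keys, looks for processes named ifconfig or nginx that are not backed by an executable on disk (the fileless behaviour described above), and reports sshd_config settings that still permit password logins. The allow-list file, the fake /proc tree and the two sshd_config samples are constructed inline so the script runs offline; the function names and the "deleted or memfd-backed exe" heuristic are assumptions of this example, not identifiers from the report.

```shell
#!/bin/sh
# Added example, not Guardicore's detection script: a POSIX sh audit for the
# three FritzFrog mitigations. The allow-list, the fake /proc tree and the
# sshd_config samples are constructed below so it runs offline; on a real
# host point the functions at ~/.ssh/authorized_keys, /proc and
# /etc/ssh/sshd_config.

# 1. Flag authorized_keys entries whose key material is not on an allow-list.
#    Only "<type> <base64>" is compared, so a comment field copied from a real
#    key cannot hide a planted one. Lines with an options prefix
#    (command="...", from="...") do not match either and get flagged for review.
audit_authorized_keys() {            # $1 = authorized_keys, $2 = allow-list
    awk 'NR == FNR { known[$1 " " $2] = 1; next }
         NF < 2 || $1 ~ /^#/ { next }
         { k = $1 " " $2
           if (!(k in known))
               printf "%s:%d unknown key %s comment=\"%s\"\n", FILENAME, FNR, $1, $3 }' \
        "$2" "$1"
}

# 2. Processes named ifconfig or nginx that are not backed by a file on disk.
#    A payload run from memory leaves /proc/<pid>/exe pointing at a memfd or a
#    "(deleted)" path (assumed heuristic). $1 is the proc root so the check can
#    run against the constructed tree below; use /proc on a live host. Caveat:
#    a legitimate nginx whose binary was replaced by a package upgrade also
#    shows "(deleted)" until restarted, so treat hits as leads, not verdicts.
find_fileless_impostors() {          # $1 = proc root
    for p in "$1"/[0-9]*; do
        name=$(cat "$p/comm" 2>/dev/null) || continue
        case "$name" in ifconfig|nginx) ;; *) continue ;; esac
        exe=$(readlink "$p/exe" 2>/dev/null)
        case "$exe" in
            ""|*"(deleted)"|/memfd:*)
                echo "suspicious pid ${p##*/} comm=$name exe=${exe:-unreadable}" ;;
        esac
    done
}

# 3. Report sshd_config settings that leave SSH open to password brute force
#    and print the directive to set instead. sshd uses the first value it sees
#    for a keyword, so the first match wins here too; Match blocks are ignored.
check_sshd_config() {                # $1 = sshd_config
    awk '$1 ~ /^#/ { next }
         tolower($1) == "passwordauthentication" && pw == ""   { pw = tolower($2) }
         tolower($1) == "permitrootlogin"        && root == "" { root = tolower($2) }
         tolower($1) == "pubkeyauthentication"   && pk == ""   { pk = tolower($2) }
         END {
             if (pw != "no") {
                 v = (pw == "" ? "unset (default yes)" : pw)
                 print "WEAK: PasswordAuthentication " v " -> set PasswordAuthentication no"
             }
             if (root == "yes")
                 print "WEAK: PermitRootLogin yes -> set PermitRootLogin prohibit-password"
             if (pk == "no")
                 print "WEAK: PubkeyAuthentication no -> set PubkeyAuthentication yes"
         }' "$1"
}

# ---- constructed sample data (not real keys, pids or configs) -------------
DEMO_DIR=$(mktemp -d)
printf 'ssh-ed25519 AAAAC3KnownAdminKey admin@bastion\n' > "$DEMO_DIR/allowlist"
{
    printf '# keys for alice\n'
    printf 'ssh-ed25519 AAAAC3KnownAdminKey admin@laptop\n'      # known key, new comment: fine
    printf 'ssh-rsa AAAAB3UnknownKeyMaterial root@localhost\n'   # planted key: flagged
} > "$DEMO_DIR/authorized_keys"

for pid in 101 202 303; do mkdir -p "$DEMO_DIR/proc/$pid"; done
printf 'nginx\n'    > "$DEMO_DIR/proc/101/comm"; ln -s /usr/sbin/nginx      "$DEMO_DIR/proc/101/exe"
printf 'nginx\n'    > "$DEMO_DIR/proc/202/comm"; ln -s "/memfd:x (deleted)" "$DEMO_DIR/proc/202/exe"
printf 'ifconfig\n' > "$DEMO_DIR/proc/303/comm"; ln -s "/tmp/.x (deleted)"  "$DEMO_DIR/proc/303/exe"

printf 'Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n' > "$DEMO_DIR/sshd_config.weak"
printf 'Port 2222\nPermitRootLogin prohibit-password\nPasswordAuthentication no\nPubkeyAuthentication yes\n' \
    > "$DEMO_DIR/sshd_config.hardened"

audit_authorized_keys "$DEMO_DIR/authorized_keys" "$DEMO_DIR/allowlist"
find_fileless_impostors "$DEMO_DIR/proc"
check_sshd_config "$DEMO_DIR/sshd_config.weak"
```

Run it with sh. On a live host, audit the authorized_keys file of every account that can log in (root included), point the process check at /proc, and run the config check against /etc/ssh/sshd_config. Because sshd applies the first value it reads for a keyword, appending "PasswordAuthentication no" at the end of the file does nothing if an earlier line already says yes, which is why the check mirrors that rule.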

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.