The discovery of a new botnet is always bad news. But in cases like FritzFrog, judging by what the security firm Guardicore Labs has published, we are talking about a very serious and unusually capable threat, detected a few months ago by the company's technicians and, despite that, able to keep operating "under the radar" all these months.
The Company's Technicians Summarize FritzFrog in These Points:
Golang-based malware: FritzFrog runs a modular, Golang-based Trojan-type malware that splits its activity into multiple threads and, importantly, is fileless, allowing it to operate without leaving a trace on the infected system's hard drive.
Objectives:
It appears to be actively targeting government entities, the education sector, the financial sector and more. FritzFrog uses brute force in an attempt to spread across tens of millions of IP addresses belonging to government offices, educational institutions, medical centers, banks and numerous telecommunications companies. With these attacks it has managed to infect at least 500 identified servers, among them those of some prestigious universities in Europe and the United States, as well as a railway company (not to be confused with REvil's attack on ADIF a few weeks ago).
Sophistication:
FritzFrog is completely proprietary; its P2P implementation was written from scratch, which indicates that the actors behind the botnet are highly professional software developers or, at least, have such a staff at their disposal, both in the initial phase of the project and in its near-constant evolution (more on this point later).
It is worth analyzing some of these points and expanding on them with further information drawn from Guardicore's research. Without a doubt, the most remarkable thing about FritzFrog is its sophistication, which we can summarize in two key aspects: P2P distribution and not using the hard drives of the affected systems. The first matters because it greatly hinders the identification of those responsible; the absence of a command and control server also prevents disrupting its operation with techniques such as DNS sinkholing.
The second point, the absence of files on disk, is another very clever measure by those responsible for FritzFrog, since some security solutions focus on analyzing the files stored on that medium and pay less attention to what happens in memory. As a general rule, when malware reaches a system the first thing it does is drop its payload on disk and start working from there. That is not the case here, and it shows that its developers know very, very well what they are doing.
Another remarkable aspect of FritzFrog is that, as mentioned above, it is constantly evolving. Once the network was detected, and during the investigation, the security technicians found that at least 20 different versions of the malware have been used since January. That is more than two versions per month, which suggests that FritzFrog is constantly evolving and improving.
For its brute-force attacks, FritzFrog focuses on servers running SSH, testing a very wide list of insecure credential combinations (one more reminder of how important it is to protect privileged access). In this regard, the lists used by this botnet appear to be more extensive than those seen so far in other networks of this type, another example of the professionalism with which these cybercriminals have developed and manage the network.
Once installed, the FritzFrog payload can run 30 commands to launch scripts and to download databases, logs and files, among other possibilities. To bypass firewalls and other security controls, all communications are channeled through SSH access (hence the interest of those responsible in finding insecure credentials for this type of account on servers).
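As an added defensive example (not from the original post or from Guardicore's research), the following Python checks sshd log lines for the pattern described above: many failed password logins from one source in a short window, cycling through different usernames. The hostnames, addresses and log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+ ssh2$")

def detect_ssh_bruteforce(log_text: str, year: int, max_failures: int = 5,
                          window: timedelta = timedelta(minutes=1)) -> Dict[str, dict]:
    """Report sources with >= max_failures failed logins inside a sliding time window,
    with the set of usernames tried (credential-list attacks cycle through accounts)."""
    times: Dict[str, List[datetime]] = defaultdict(list)
    users: Dict[str, set] = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated messages are not counted
        # syslog timestamps carry no year, so the caller supplies it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        times[m["src"]].append(ts)
        users[m["src"]].add(m["user"])
    report: Dict[str, dict] = {}
    for src, stamps in times.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= max_failures:
                report[src] = {"failures": len(stamps), "users": sorted(users[src])}
                break
    return report

# Constructed sshd log excerpt; addresses are from documentation ranges, not real indicators.
SAMPLE_AUTH_LOG = """\
Aug 20 10:00:01 srv sshd[2101]: Failed password for root from 192.0.2.10 port 50001 ssh2
Aug 20 10:00:03 srv sshd[2102]: Failed password for invalid user admin from 192.0.2.10 port 50002 ssh2
Aug 20 10:00:05 srv sshd[2103]: Failed password for invalid user test from 192.0.2.10 port 50003 ssh2
Aug 20 10:00:08 srv sshd[2104]: Failed password for invalid user ubuntu from 192.0.2.10 port 50004 ssh2
Aug 20 10:00:11 srv sshd[2105]: Failed password for invalid user pi from 192.0.2.10 port 50005 ssh2
Aug 20 10:00:14 srv sshd[2106]: Failed password for invalid user oracle from 192.0.2.10 port 50006 ssh2
Aug 20 10:02:30 srv sshd[2110]: Failed password for alice from 198.51.100.7 port 41000 ssh2
Aug 20 10:12:40 srv sshd[2111]: Failed password for alice from 198.51.100.7 port 41001 ssh2
Aug 20 10:12:55 srv sshd[2112]: Accepted password for alice from 198.51.100.7 port 41002 ssh2
"""
if __name__ == "__main__":
    for src, info in detect_ssh_bruteforce(SAMPLE_AUTH_LOG, 2020).items():
        print(f"{src}: {info['failures']} failures, users tried: {', '.join(info['users'])}")
```

A single user mistyping a password twice ten minutes apart is not flagged with the default window, while the source cycling through six accounts in fifteen seconds is.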
Another very important aspect is that, upon arriving on a system, FritzFrog adds a public key to the server's authorized keys file. In this way, even if the system administrator changes the password, this key acts as a back door that, in combination with the private key held by the cybercriminals, allows them to keep accessing the server even if they no longer have the credentials with which they originally gained access.
What Can We Do for Protection Against FritzFrog?
A few things. First, if your security solution only looks at ports and protocols, you need to up your game and find a better product that can detect more sophisticated attacks and processes as part of a complete security posture.
Second, if you are not already using MFA to strengthen your passwords, particularly among your development team, now is the time to adopt it.
Finally, make sure that the key used by FritzFrog is not present in your authorized keys files, because if it is, that indicates it has already penetrated your network.
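As an added example that is not part of the original post or Guardicore's research, this Python audits an authorized_keys file against an allowlist of approved key fingerprints, covering both the back door mechanism described above and this final check: it reports any entry whose fingerprint is not approved, whose blob does not match the declared key type, or which cannot be parsed. The sample keys and allowlist are constructed; no real FritzFrog key is included.

```python
import base64
import hashlib
import re
from typing import Dict, List

# Key-type / blob / comment tail of an authorized_keys entry, after any options.
KEY_RE = re.compile(r"(?:^|\s)(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp(?:256|384|521))\s+"
                    r"([A-Za-z0-9+/]+=*)(?:\s+(\S.*))?$")

def make_blob(key_type: str, material: bytes) -> str:  # OpenSSH blob: length-prefixed strings
    parts = [key_type.encode(), material]
    return base64.b64encode(b"".join(len(p).to_bytes(4, "big") + p for p in parts)).decode()

def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint: unpadded base64 of sha256(decoded blob)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit_authorized_keys(text: str, allowlist: Dict[str, str]) -> List[str]:
    findings = []  # allowlist maps approved fingerprint -> owner
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = KEY_RE.search(line)
        if not m:
            findings.append(f"line {n}: unparseable entry")
            continue
        key_type, blob, comment = m.group(1), m.group(2), m.group(3) or ""
        try:
            raw = base64.b64decode(blob, validate=True)
            declared = raw[4:4 + int.from_bytes(raw[:4], "big")].decode()
        except ValueError:  # bad base64 or a type string that is not text
            findings.append(f"line {n}: undecodable key blob")
            continue
        if declared != key_type:  # blob says one algorithm, entry claims another
            findings.append(f"line {n}: blob type {declared!r} != declared {key_type!r}")
        elif fingerprint(blob) not in allowlist:
            findings.append(f"line {n}: unapproved {key_type} key {fingerprint(blob)} {comment!r}")
    return findings

# Constructed sample: two keys the administrator provisioned plus one never approved
# (a stand-in for an intruder's key, not a real FritzFrog indicator).
ADMIN_BLOB = make_blob("ssh-ed25519", b"\x01" * 32)
DEPLOY_BLOB = make_blob("ssh-rsa", b"\x02" * 64)
ROGUE_BLOB = make_blob("ssh-rsa", b"\x03" * 64)
SAMPLE_FILE = "\n".join([f"ssh-ed25519 {ADMIN_BLOB} admin@workstation",
                         "# CI deploy key, restricted to rsync",
                         f'command="/usr/bin/rsync --server",no-pty ssh-rsa {DEPLOY_BLOB} deploy@ci',
                         f"ssh-rsa {ROGUE_BLOB}"])
APPROVED = {fingerprint(ADMIN_BLOB): "admin", fingerprint(DEPLOY_BLOB): "deploy"}
```

Run `audit_authorized_keys(SAMPLE_FILE, APPROVED)` to see the one unapproved entry reported; the fingerprints match what `ssh-keygen -lf` prints, so the allowlist can be built from keys you have already verified.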