FritzFrog Botnet Strikes Back Exploiting Log4Shell Vulnerability
A new variant of the sophisticated botnet “FritzFrog” has emerged, leveraging the Log4Shell vulnerability for propagation. Despite more than two years passing since the Log4j flaw was discovered, attackers continue to exploit it effectively due to many organizations neglecting to patch their systems. Notably, the botnet appears to target seemingly secure sections of internal networks where patches may be lacking.
Understanding FritzFrog Botnet
Initially identified by Guardicore (now part of Akamai) in August 2020, FritzFrog operates as a peer-to-peer (P2P) botnet, primarily targeting internet-facing servers with weak SSH credentials. The Log4Shell vulnerability (CVE-2021-44228), which gained widespread attention due to its critical nature, is now being exploited by FritzFrog as a secondary infection vector. Unlike its previous strategies that focused on targeting internet-facing servers, this variant takes aim at internal hosts within compromised networks. This shift underscores the importance of comprehensive patch management practices, as even seemingly less vulnerable internal systems can become prime targets for exploitation.
One of the noteworthy enhancements of this variant is that it identifies potential targets with vulnerabilities within the network by analyzing system logs on compromised hosts. This implies that despite patching internet-facing applications, any breach of other endpoints can still leave unpatched internal systems vulnerable to exploitation, facilitating the spread of the malware. Additionally, the malware now exploits the PwnKit vulnerability (CVE-2021-4034) for local privilege escalation, further enhancing its persistence and reach.
Moreover, FritzFrog botnet employs evasion tactics to evade detection, including minimizing its footprint by avoiding file drops to disk whenever possible. By utilizing shared memory locations and executing memory-resident payloads, it maintains a stealthy presence that poses challenges for detection and mitigation efforts.
Akamai, a leading web infrastructure and security company, has dubbed this latest activity as Frog4Shell, highlighting the convergence of FritzFrog’s capabilities with the Log4Shell exploit. By exploiting unpatched internal machines, FritzFrog capitalizes on the tendency to prioritize patching internet-facing servers, leaving internal systems potentially exposed and vulnerable.
As FritzFrog botnet continues to evolve, organizations across various sectors, including healthcare, education, and government, must remain vigilant and prioritize cybersecurity measures to thwart emerging threats effectively.
The sources for this article include a story from TheHackerNews.