Security researchers recently discovered a botnet that managed to hide its operations for a good part of several months. According to them, the botnet is nothing like they have seen or studied before as it is able to make use of the most advanced hack measures in order to not only victimize millions of devices all over the globe but do so covertly.
More specifically though, the botnet makes use of the P2P or Peer-to-peer technology in order to hop from one device to another. Thus it has been given the name FritzFrog. Apparently, the botnet has managed to stay under the radar for the past 8 months or so and has actively breached millions of SSH servers.
For the uninitiated, almost every IoT (Internet of Things) device and router make use of a network protocol standard known as SSH. Other devices also make use of them and are able to form a connection with other remote machines. SSH servers don’t just have enterprise applications but also can prove useful in different consumer environments.
Guardicore Labs researchers said last Wednesday that hackers had written the software for the botnet from scratch. Because of that, the botnet showed great efficiency at infecting servers and essentially forcing them to form a P2P network.
They also mentioned that most P2P botnets are able to let infected nodes take administration duties and refrain from depending on the actual control server in order to get stolen data or launch new commands.
Generally speaking, cybersecurity experts find it hard to not only spot but shut down a botnet because of a lack of a centralized server.
Ophir Harpaz, who works as a researcher for Guardicore Labs, mentioned that the intriguing thing about the new cyberattack campaign was that at first, the team could not find the CNC or Command and Control server that the botnet was connecting to. Later, after doing a bit more research on the new botnet, they found out that the botnet did not make use of any CNC, to begin with.
As alluded to before, researchers working at Guardicore have labeled the new botnet as FritzFrog and have identified several advanced features that it makes use of to increase the damage it causes to devices and networks.
First, the botnet does not make use of the disks present in the servers that it wants to infect. Instead of doing that, it only uses in-memory payloads.
Secondly, in the last eight months or so, it has used over 20 editions of the software binary.
Thirdly, it only focuses on secure shell protocol and infects it. As mentioned before as well, Administrators usually use SSH servers to manage devices connected to the network they are responsible for.
Fourthly, the new botnet can leverage backdoor security holes in infected SSH servers.
Fifthly, it also makes use of a password/username list that are commonly used, via which it discovers login credentials that are weak. Apparently, the list it uses is more extensive than what researchers have seen other botnets use before.
Guardicore Labs researchers say that it has managed to infect millions of devices till now. Ophir also mentioned that it infected systems of a railway company and various universities located in the U.S. and Europe.
Harpaz then explained that FritzFrog executed a worm malware that the engineers of the botnet had written in Golang. Moreover, the botnet itself is multi-threaded, modular, and fileless. In other words, when it infects machines, it doesn’t leave behind any trace.
Note:As mentioned before as well, it uses the SSH public key in order to create a backdoor in infected machines which allows direct access to hackers of the said machines. The botnet also has the capability to inject machines with crypto miners.
Given the complexity and attributes of the new botnet, it should become clear that the launcher of this botnet is a very skilled individual.
Moreover, apart from the proper training, the individual must have had a tremendous amount of resources to build such an effective botnet that can not only infect machines but also stay undetected. Even when detected, the botnet has proven itself to be difficult to shut down.
Since the code base is new and the botnet has gone through several iterations so quickly while running payloads in memory only, measures such as end-point protection applications and antivirus products can’t do much to detect the malware let alone get rid of it.
Normally, cybersecurity experts working for law enforcement agencies or cybersecurity firms try to shut down the Command and Control server. But since the botnet takes advantage of the peer-to-peer technology, it is quite immune to such efforts. It also makes it hard to learn anything about the attackers since there are so many domains and control servers.
Harpaz said that the best defense under the current situation is to get rid of weak passwords that enable FritzFrog attacks. Apart from using a strong password, she also recommends using a public key authentication program that provides extra security.
Apart from that, administrators should clean the authorized_keys file from FritzFrog public key and stop attackers from getting in. Changing the SSH port that IoT devices and routers use often can also help. Disabling all SSH access to such devices when they are not in use is also a good measure against the ill-effects of this unique P2P botnet.