CyberWire Daily - Hackers come hopping back. [Research Saturday]
Episode Date: February 17, 2024
Ori David from Akamai is sharing their research "Frog4Shell — FritzFrog Botnet Adds One-Days to Its Arsenal." FritzFrog takes advantage of the fact that only internet facing applications were prioritized for Log4Shell patching and targets internal hosts, meaning that a breach of any asset in the network by FritzFrog can expose unpatched internal assets to exploitation. The research states "FritzFrog has traditionally hopped around by using SSH brute force, and has successfully compromised thousands of targets over the years as a result." Over the years Akamai has seen more than 20,000 FritzFrog attacks, and 1,500+ victims. The research can be found here: Frog4Shell — FritzFrog Botnet Adds One-Days to Its Arsenal
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWires Research Saturday.
I'm Dave Bittner, and this is our weekly conversation
with researchers and analysts tracking down the threats and vulnerabilities,
solving some of the hard problems,
and protecting ourselves in our rapidly evolving cyberspace.
Thanks for joining us.
So, FritzFrog is a botnet that we have been tracking since 2020.
Akamai originally discovered it, and we've been tracking it ever since.
And a few months ago, when we inspected the code,
we noticed some very interesting additions,
mainly the Log4Shell addition.
That's Ori David, a security researcher at Akamai.
The research we're discussing today is titled "Frog4Shell:
FritzFrog Botnet Adds One-Days to Its Arsenal."
Well, let's back up a little bit and talk about FritzFrog.
What's the history of this particular botnet?
How did it begin and who were they targeting over the years?
So, as I said before, we've seen FritzFrog since 2020 being active.
And its traditional targets were vulnerable SSH servers.
So SSH servers exposed to the internet with weak credentials
that FritzFrog brute-forced and took control over.
So it didn't target any specific industry.
It simply scanned the internet, identified SSH servers, and attempted to brute force them.
And what was the FritzFrog botnet
then used for? Who did they aim it at?
Like I said before, it's not targeted, but rather their
motivation is purely financial. They would compromise as many
machines as possible.
And then they would use those machines to mine Monero.
And there's actually an interesting feature
for FritzFrog,
where they have an antivirus module.
They know that the machines that they compromise
very often have additional malware installed on it
because, well, it's an SSH box with a weak password exposed to the internet.
And because of that, they identify competing malware that consumes a lot of CPU
and simply terminate it.
And then they have all of the CPU for themselves.
Yeah, it's a mixed blessing, I guess, right?
It's an interesting approach.
Well, let's dig into the updates that you all tracked here.
I mean, they started using Log4Shell as an infection vector here.
Before we dig into how FritzFrog is using that,
can you give us just a quick reminder of what we're talking about with Log4Shell?
So Log4Shell rocked the world two years ago
at the end of 2021.
It was a very high-profile vulnerability
and for a good reason.
It was a vulnerability in a Java library
called Log4J.
It is a logging library, which is
very commonly used by Java applications.
And what the vulnerability was: by
getting the application to log a specific payload,
attackers could get the Java application to
download a malicious Java class and execute it.
So in a very simple manner,
they could get code execution
on all sorts of Java applications across the world.
Like I said before, the library was very commonly used
and the exploitation was very, very simple.
You simply need to get a line logged into a log file by the application,
and that's it. You get code execution.
So Log4Shell was a really big deal for another reason,
and that is it is really hard to patch.
So let's say we have our, I don't know, traditional code execution vulnerability,
let's say in Windows Server.
It's pretty easy to determine if you're vulnerable.
You'll check your Windows machines and you'll see if your version is affected.
With Log4Shell, because the vulnerability was in a Java library,
it was not as trivial to know if an application is vulnerable
or even harder to tell if a machine is vulnerable.
This made Log4Shell extremely hard to patch.
And so where does that leave us today?
I mean, you mentioned that after Log4Shell,
there was a real flurry of patching,
but I suppose there's still plenty of systems that are left vulnerable?
Yes. So the initial
discovery of Log4Shell led to really
a month-long or months-long frenzy of
patching where everyone was trying to identify where they are
using Log4j and what applications,
third-party applications that they use, use Log4j.
And during this initial frenzy,
some applications received more attention than others.
So obviously, applications that were exposed to the internet
were prioritized.
So anything that was exposed to the internet and was vulnerable to Log4j, to Log4Shell, was either patched or compromised by now.
So FritzFrog actually poses an additional risk to another type of asset,
and that is internal assets.
And like I said before,
the traditional Log4Shell exploitation
relied on access from the internet.
But if you had a legacy Java application
somewhere inside your network
that didn't receive communication from the internet,
it was safe because no one could reach it,
so no one could exploit it.
What FritzFrog does is that whenever it breaches any machine,
it will scan the entire internal network of this machine.
And now let's say we have just a random SSH server
that is not really important, but it was compromised by FritzFrog.
And now this machine is scanning your entire network
and it will find the leftover, if you will,
applications that were not patched.
So machines that people perhaps had assumed were safe because they weren't facing the internet,
FritzFrog has found a way to exploit them.
Yeah, so in many cases, internal machines were patched as well,
but because the external machines received most of the attention, we
believe that the malware developers believed that they could target
internal machines that might have been neglected.
Well, can you walk us through the process here of how FritzFrog attacks a system and
finds its way in and then makes its way through?
An interesting fact about FritzFrog is that it operates entirely in a peer-to-peer manner.
So there's no C2 server, but rather all of the different bots communicate with each other in a peer-to-peer network.
And this is relevant for the exploitation as well.
So the payload is also delivered through this network to newly compromised machines.
So FritzFrog has two ways of propagation currently,
and that is SSH brute force and Log4Shell exploitation.
So FritzFrog will identify targets.
It will do that by parsing
certain system configuration files.
For example, it will identify your known SSH hosts from the compromised machine
and will then attempt to connect over SSH to these servers. So if the compromised machine previously connected to an SSH server,
FritzFrog will attempt to do the same thing. And besides these more targeted targets,
FritzFrog will also just randomize IP addresses into the internet and scan them. And that's for the SSH brute force.
As for the Log4j exploitation, so again, FritzFrog will generate targets randomly and from the internal network.
So it will start by enumerating the internal network.
It will scan ports that often host applications that are known to be vulnerable to Log4Shell.
And it will then just blast them with a massive payload
that attempts to exploit Log4Shell.
I would say a brute force approach
that contains a lot of different possibilities,
hoping that at least one of them triggers
the Log4Shell vulnerability.
Once the vulnerability is triggered,
interestingly, the newly compromised machine
will connect back to the bot,
which hosts its own LDAP server,
and it will fetch the payload from the bot.
So like I said before,
the botnet is entirely peer-to-peer
and this is also true for the Log4Shell exploitation.
The machine will connect back to the bot over LDAP.
And so this is also a pretty unique thing
for FritzFrog regarding the Log4Shell exploitation.
It strikes me that, it being configured as a peer-to-peer thing,
and as you said, downloading large files,
that strikes me as being potentially noisy here.
So how does it avoid detection?
Yeah, so FritzFrog does a few noisy things,
but at the same time, it attempts to avoid detection.
The main thing would be that it tries its best
to not touch disk and operate only inside the memory,
the volatile memory.
It utilizes two mechanisms of the Linux operating system
to do that.
Yeah, it will, when possible,
if given the right permissions,
it will not write any files to disk
and will only work inside the RAM.
So what are your recommendations
for folks to best protect themselves against this?
So first, I would say,
the most important thing to protect from FritzFrog,
but other botnets and automated scanners as well,
would be to identify your internet-exposed applications.
Because a lot of times there are these SSH servers
that no one knows about,
and this is how FritzFrog gets in. So first you need to identify the servers
and then harden them. Specifically for FritzFrog,
SSH passwords should not be used if possible.
SSH keys would be better.
And if you use a password, it should be strong.
Obviously, you should patch for Log4Shell if you're still vulnerable somehow.
That is for the initial entry for FritzFrog.
I would also say that network segmentation
can really help prevent lateral movement
of such a worm-like botnet.
If you have a flat network,
FritzFrog will simply scan everything
and exploit it if possible.
So really, I think that a good firewall policy
and good segmentation can help contain such a breach
in a really significant way.
You know, Ori, I think you and I have both demonstrated tremendous discipline here
in resisting the urge to use frog puns throughout our conversation here.
And I just want to say that when it comes to patching your Log4Shell,
you should really hop to it.
Yeah, definitely.
Our thanks to Ori David from Akamai for joining us.
The research is titled "Frog4Shell:
FritzFrog Botnet Adds One-Days to Its Arsenal."
We'll have a link in the show notes.
The CyberWire Research Saturday podcast is a production of N2K Networks.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people.
We make you smarter about your team while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Stokes.
Our mixer is Elliot Peltzman.
Our executive producers are Jennifer Iben and Brandon Karpf.
Our executive editor is Peter Kilby, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here next time.