Security researchers recently discovered a sophisticated P2P (peer-to-peer) botnet that has carried out attacks against at least 500 government and enterprise SSH servers throughout 2020. Dubbed FritzFrog, the botnet was detected by Guardicore Labs in January.
Apparently, the botnet has attempted brute-force attacks against SSH servers belonging to organizations worldwide, including governmental, educational, financial, medical and telecom ones.
FritzFrog P2P botnet in detail
How did the researchers discover FritzFrog?
The FritzFrog botnet was discovered by Guardicore researcher Ophir Harpaz while he was working on the so-called Botnet Encyclopedia, a free-to-use threat tracker.
The botnet has breached at least 500 servers, some of them belonging to prominent US and European universities. While the researchers were unable to attribute the FritzFrog botnet to a specific threat group, they discovered some resemblance to a previously-known P2P botnet named Rakos.
The Rakos malware was designed to search for victims via SSH scans, with attacks registered in 2016. The Rakos botnet code was written in the Go language. Back then, security researchers determined that the malware couldn’t set up a persistent installation, but would rather attack the targeted hosts repeatedly.
FritzFrog is also written in Golang. The botnet is described as “completely volatile”, leaving no traces on the disk. It also creates a backdoor in the form of an SSH public key, thus granting the attackers ongoing access to targeted machines. Since the beginning of the campaign, the researchers have been able to identify 20 different versions of the malware executable.
How did the researchers analyze FritzFrog attacks?
To intercept the FritzFrog network, the team developed a client program in Golang which carries out the key-exchange process with the malware. The client program is also capable of sending commands and receiving their outputs. The researchers named their program frogger, and it helped them investigate the nature and scope of the botnet network. Using frogger, they “were also able to join the network by “injecting” our own nodes and participating in the ongoing P2P traffic.”
The sophisticated botnet has successfully brute-forced millions of IP addresses, including those of governments, educational institutions, medical centers, banks and telecom companies.
In addition, FritzFrog “has successfully breached over 500 SSH servers, including those of known high-education institutions in the U.S. and Europe, and a railway company,” the report said.
How can enterprises and organizations stay protected against FritzFrog?
What enables this botnet is the use of weak passwords. The researchers recommend using strong passwords and public key authentication. It is also crucial to remove FritzFrog’s public key from the authorized_keys file, which would prevent the attackers from accessing the targeted machine. Furthermore, it turns out that routers and IoT devices often expose SSH, which makes them vulnerable to FritzFrog attacks.
Good advice is to change the SSH port or disable SSH access completely, especially if the service is not in use. Another tip is to utilize process-based segmentation rules, as the botnet exploits the fact that most network security solutions enforce traffic only by port and protocol.
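As an added example (not code from the Guardicore report or this article), the following Python audit applies the authorized_keys advice above: it fingerprints every key in the file the way `ssh-keygen -lf` does, flags any key not on an allow-list of known-good fingerprints, and produces a cleaned copy with those entries removed. The sample file and all key material are constructed for the example; the article does not reproduce FritzFrog's actual backdoor key, so a generic planted key stands in for it.

```python
import base64
import hashlib

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def fingerprint(b64_blob):
    """SHA256 fingerprint as `ssh-keygen -lf` prints it (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_entry(line):
    """(keytype, blob, comment) for a key line, None for blank/comment lines.
    Leading options (from=..., command="...") are skipped; malformed lines
    come back as 'unknown' so they get flagged instead of silently trusted."""
    tokens = line.split()
    if not tokens or tokens[0].startswith("#"):
        return None
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            return tok, tokens[i + 1], " ".join(tokens[i + 2:])
    return "unknown", "", line.strip()

def audit_authorized_keys(content, allowed_fingerprints):
    """Return (flagged, cleaned): flagged lists (line_no, fingerprint, comment)
    for keys not on the allow-list; cleaned keeps every other line verbatim."""
    flagged, kept = [], []
    for no, line in enumerate(content.splitlines(), 1):
        entry = parse_entry(line)
        try:
            fp = fingerprint(entry[1]) if entry else None
        except ValueError:  # binascii.Error is a ValueError subclass
            fp = "unparseable"
        if entry is None or fp in allowed_fingerprints:
            kept.append(line)
        else:
            flagged.append((no, fp, entry[2]))
    return flagged, "\n".join(kept) + "\n"

def _blob(keytype, raw):  # constructed OpenSSH key blob: length-prefixed fields
    body = len(keytype).to_bytes(4, "big") + keytype.encode() + len(raw).to_bytes(4, "big") + raw
    return base64.b64encode(body).decode()

# Constructed sample: two approved keys plus one planted key (not FritzFrog's real key).
ADMIN_KEY, DEPLOY_KEY, PLANTED_KEY = (_blob("ssh-ed25519", bytes([i]) * 32) for i in (1, 2, 3))
SAMPLE_FILE = ("# admin workstation\n"
               f"ssh-ed25519 {ADMIN_KEY} admin@workstation\n"
               f'from="10.0.0.5",command="/usr/bin/deploy" ssh-ed25519 {DEPLOY_KEY} deploy@ci\n'
               f"ssh-ed25519 {PLANTED_KEY} unknown@host\n")
ALLOWED = {fingerprint(ADMIN_KEY), fingerprint(DEPLOY_KEY)}
```

On a real host, build ALLOWED from the fingerprints of keys you issued, and review each flagged entry before writing the cleaned text back, since a legitimate key that was never recorded will be flagged too.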