FritzFrog Botnet Grows 10x, Hits Healthcare, Edu, and Govt Systems
The FritzFrog botnet, active for more than two years, has resurfaced with an alarming infection rate, growing tenfold in just a month as it hits healthcare, education, and government systems that expose an SSH server.

Discovered in August 2020, the malware is written in Golang and is considered a sophisticated threat: it relies on custom code, runs in memory, and is decentralized (peer-to-peer, P2P), so it needs no central command-and-control server.

Researchers at internet security company Akamai spotted a new version of the FritzFrog malware, which comes with interesting new functions, like using the Tor proxy chain.

The new botnet variant also shows indications that its operators are preparing to add capabilities to target WordPress servers.

[Figure: Second campaign having more infections than the first (Akamai)]

Next-gen trouble

Akamai calls FritzFrog a “next-generation” botnet because it combines features that make it stand out from other threats in the same category.

The malware is better equipped to evade detection and keep a low profile because it uses a “completely proprietary” P2P protocol for its communications.

It relies on an extensive password dictionary for brute-force attacks against SSH credentials, which allows it to compromise a larger number of devices.

FritzFrog constantly updates its lists of targets and breached machines, and its node distribution system assigns an equal number of targets to each node to keep the botnet balanced.

Second wave with new abilities

Akamai’s global network of sensors has detected 24,000 attacks, but the botnet has claimed only 1,500 victims so far. Most of the infected hosts are in China, but the compromised systems also include a European TV network, a Russian healthcare firm, and several universities in East Asia.

[Figure: FritzFrog second campaign victims (Akamai)]

The actors have implemented a filtering list to skip low-powered devices such as Raspberry Pi boards, and the malware now contains code that lays the groundwork for targeting WordPress sites.

[Figure: Preliminary code for the implementation of WP detection (Akamai)]

Considering that the botnet is known for cryptocurrency mining, this function is a curious addition. However, Akamai assumes that the actors have found other monetization avenues, such as deploying ransomware or leaking data. This capability is currently inactive and still under development.

The researchers note that FritzFrog is under constant development, with bugs being fixed on a daily basis, sometimes multiple times a day.

Another novelty in the latest FritzFrog sample is proxying outgoing SSH connections through Tor, which obscures the network structure and limits what an infected node can see of the rest of the botnet. Although this feature looks complete, the developers have yet to activate it.

Finally, the copying mechanism used to infect new systems is now based on SCP (secure copy protocol), replacing the cat command used in the previous version.

Clues point to operators in China

At this time, the threat analysts at Akamai don’t have a definitive attribution for the operation of FritzFrog, but the evidence points to China.

The malware incorporates unique code components, some of which can be traced to GitHub repositories set up by Shanghai-based users.

Moreover, the wallet addresses linked to the second campaign’s mining operations were also used in the Mozi botnet, which was eventually confirmed to originate from China.

Finally, roughly 37% of all of FritzFrog’s active nodes are located in China, which may mean that the actor operates from there.

Defense strategy

FritzFrog targets any device that exposes an SSH server, so admins of data center servers, cloud instances, and routers need to stay vigilant.

Akamai shares the following indicators of FritzFrog running on a system:

  • Running processes named nginx, ifconfig, php-fpm, apache2, or libexec whose executable file no longer exists on the file system
  • A process listening on port 1234
  • TCP traffic over port 5555, which can indicate traffic to the Monero mining pool
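The three host indicators above can be checked with a short script. The following is an added example (not Akamai’s tooling or anything from the original article): it reads /proc to find the named processes whose binary was deleted, and parses /proc/net/tcp for a listener on port 1234 and established connections to remote port 5555. The /proc/net/tcp sample embedded below is constructed for illustration.

```python
"""Check a Linux host for the FritzFrog indicators (added example, not from the article)."""
import os

SUSPECT_NAMES = {"nginx", "ifconfig", "php-fpm", "apache2", "libexec"}
P2P_PORT = 1234      # FritzFrog's P2P listener
MINER_PORT = 5555    # outbound traffic to the Monero pool
LISTEN, ESTABLISHED = "0A", "01"   # socket state codes used in /proc/net/tcp

# Constructed sample of /proc/net/tcp (hex addr:port, state); not a real capture.
SAMPLE_NET_TCP = """  sl  local_address rem_address   st tx_queue rx_queue
   0: 00000000:04D2 00000000:0000 0A 00000000:00000000
   1: 0100007F:0016 00000000:0000 0A 00000000:00000000
   2: 0A00020F:BC4E 5BC7C0C8:15B3 01 00000000:00000000
"""


def _port(hex_addr):
    """'0100007F:0016' -> 22 (port is the hex field after the colon)."""
    return int(hex_addr.split(":")[1], 16)


def suspicious_sockets(net_tcp_text):
    """Return (listening_on_1234, [remote endpoints on port 5555]) from /proc/net/tcp text."""
    listening, miner_peers = False, []
    for line in net_tcp_text.splitlines()[1:]:   # skip the header line
        fields = line.split()
        if len(fields) < 4:
            continue
        local, remote, state = fields[1], fields[2], fields[3]
        if state == LISTEN and _port(local) == P2P_PORT:
            listening = True
        if state == ESTABLISHED and _port(remote) == MINER_PORT:
            miner_peers.append(remote)
    return listening, miner_peers


def deleted_exe_processes(entries):
    """entries: iterable of (comm, exe_link). Flag suspect names whose binary was unlinked."""
    return [(name, exe) for name, exe in entries
            if name in SUSPECT_NAMES and exe.endswith(" (deleted)")]


def live_process_entries(proc="/proc"):
    """Yield (comm, readlink(/proc/<pid>/exe)); unreadable or exited pids are skipped."""
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{pid}/comm") as fh:
                yield fh.read().strip(), os.readlink(f"{proc}/{pid}/exe")
        except OSError:
            continue


if __name__ == "__main__":   # run as root to see every process's exe link
    print("deleted-binary processes:", deleted_exe_processes(live_process_entries()))
    with open("/proc/net/tcp") as fh:
        print("p2p listener, miner peers:", suspicious_sockets(fh.read()))
```

A process that survives with a deleted binary is normal right after a package upgrade, so confirm the hit against the port indicators before treating it as an infection.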

Akamai’s security recommendations are:

  • Enable system login auditing with alerting
  • Monitor the authorized_hosts file on Linux
  • Configure an explicit allow list for SSH logins
  • Disable root SSH access
  • Enable cloud-based DNS protection with threats and unrelated business applications such as coin mining set to block
