FritzFrog Botnet Targets Unpatched Internal Hosts via Log4Shell Exploitation

February 1, 2024

A new variant of the advanced FritzFrog botnet has been exploiting the Log4Shell vulnerability to infiltrate internal network assets that organizations often neglect to patch. Unlike typical Log4Shell attacks, FritzFrog does not target Internet-facing systems and services. Instead, it hunts for the same vulnerability in internal network assets that are less likely to be patched.

Ori David, a security researcher at Akamai, explains that the developers behind FritzFrog are continuously adapting it, making it a sophisticated botnet. Traditionally, FritzFrog infects networks by brute-forcing Internet-facing servers with weak SSH passwords. The new variant enhances this approach by reading several system logs on compromised hosts to identify more potential weak targets within a network.

In addition to exploiting weak passwords, FritzFrog now also scans for Log4Shell vulnerabilities. David explains, 'It will compromise an asset in your environment by finding a weak SSH password, and then it will scan your entire internal network and find vulnerable apps that would not be exposed to normal Log4Shell attacks.' This strategy is effective because internal machines, which were less likely to be exploited, were often neglected and remained unpatched, a circumstance that FritzFrog capitalizes on.

FritzFrog's latest improvements include enhanced network scanning and Log4Shell exploitation. It also exploits CVE-2021-4034, a memory corruption vulnerability in Polkit, to facilitate privilege escalation. Despite being disclosed two years ago, this easy-to-exploit flaw is likely widespread as Polkit is installed by default in most Linux distributions.

FritzFrog's developers have also focused on stealth. In addition to TOR support and an 'antivirus' module that eliminates unrelated malware in a system, the new variant uses two aspects of Linux: the /dev/shm shared memory folder and the memfd_create function, which creates anonymous files stored in RAM. Both are used to reduce the risk of detection by avoiding touching the disk.

These tactics have contributed to the botnet's launch of over 20,000 attacks against more than 1,500 victims since its initial spotting in 2020. However, the botnet's weakness is surprisingly simple. David states, 'FritzFrog propagates in two ways: weak SSH passwords, and Log4Shell. So the best ways to mitigate against it would be to have good passwords, and to patch your systems.'

Latest News

• Apple Addresses Vision Pro Security Flaw, CISA Highlights iOS Vulnerability Exploitation
• Public Release of Exploit for Android Privilege Elevation Flaw Affecting Seven OEMs
• CISA Issues Warning over Actively Exploited iPhone Kernel Bug
• Critical Vulnerability in GNU C Library Could Grant Full Root Access
• Ivanti Alerts on Two New High-Severity Vulnerabilities, One Currently Under Active Exploitation