A variant of the longstanding FritzFrog botnet has shifted its strategy by exploiting the Log4Shell vulnerability, extending its reach beyond internet-facing applications to target all hosts within a victim’s internal network, as disclosed by researchers at Akamai in a report published on Thursday.
Since its emergence in 2020, the FritzFrog botnet has traditionally relied on brute-force attacks against SSH, a network connection protocol, to gain entry to servers and deploy cryptominers. Recent iterations have evolved, however: the malware now reads several system files on compromised hosts to identify potential targets that are likely to be vulnerable, according to the researchers.
In a campaign dubbed “Frog4Shell,” FritzFrog now aims to exploit “as many vulnerable Java applications as possible,” leveraging the Log4Shell bug discovered in the widely used open-source Log4j web tool in 2021. The Log4Shell bug prompted a global patching effort led by numerous governments and security entities, achieving significant success in safeguarding most organizations. Nevertheless, researchers continue to uncover vulnerable tools or systems more than two years after the bug’s identification.
In 2020, FritzFrog attacks compromised over 500 servers, including those of banks, universities, medical centers, and telecom companies. After a period of dormancy, the botnet resurfaced in 2022, targeting victims once again with cryptominers.
Akamai reported that over the years it has documented more than 20,000 FritzFrog attacks resulting in over 1,500 victims. The researchers highlighted the botnet’s unusual threat profile: it targets not only vulnerable internet-facing assets but also internal hosts. FritzFrog capitalizes on the negligence surrounding the patching of internal machines, exploiting the Log4Shell vulnerability even where high-profile internet-facing applications have already been secured.
FritzFrog’s malware methodology now extends to targeting all internal network hosts. This means that despite patching high-profile internet-facing applications, a breach by FritzFrog can still expose unpatched internal assets to exploitation.
The researchers also noted additional enhancements in the FritzFrog malware, including new privilege escalation capabilities, cyber defense evasion tools, and more. They anticipate a continued trend of evolution in upcoming FritzFrog versions, with the likelihood of additional exploits being incorporated into the malware.
In 2022, Akamai identified approximately 37% of infected nodes in China, indicating a global distribution of victims. Clues noted by the researchers in 2022 suggest that the FritzFrog operator may be located in China, or may be attempting to create a false impression of being associated with the region.