Over 500 SSH Servers being Breached by FritzFrog P2P Botnet

Cyberspace has seen an unprecedented rise in modified versions of peer-to peer, also known as (P2P) threats, it might have appeared that these P2P services have been vanishing, but in reality, they have emerged even stronger in newer ways. BitTorrent and eMule are still known to be in use by attackers.

A peer-to-peer (P2P) network is an IT infrastructure in which two or more computers have agreed to share resources such as storage, bandwidth and processing power with one another. Besides file sharing, it also allows access to devices like printers without going through separate server software. A P2P network is not to be confused with client-server network that users have traditionally used in networking, here, the client does not contribute resources to the network.

Researchers at Guardicore have recently discovered a sophisticated peer-to-peer (P2P) botnet called as FritzFrog that has been actively operated since January 2020, breaching SSH servers; it’s a Golang-based modular malware that executes a worm malware written in Golang, it is multi-threaded, completely volatile, and fileless and leaves no trace on the infected system’s disk.

It has a decentralized infrastructure which distributes control among all its nodes. The network uses AES for symmetric encryption and the Diffie-Hellman protocol for key exchange in order to carry out P2P communication via an encrypted channel.

So far, more than 20 malware samples have been discovered by the researchers as FritzFrog attempted to brute force over 500 SSH servers belonging to educational institutions, governmental institutions, telecom organizations, banks, and medical centers worldwide. The campaign also targeted some well known high-education institutions in the United States and Europe, along with a railway firm.

Botnets are being leveraged by attackers for DDoS attacks and other malicious activities, as per the recent attack trend. Earlier in June this year, the Monzi malware was seen exploiting IoT devices, mainly DVRs and routers. Threat actors brought together various malware families namely Mirai, Gafgyt and IoT Reaper, to carry out a botnet capable of DDoS attacks, command or payload execution or data exfiltration.

“FritzFrog’s binary is an advanced piece of malware written in Golang. It operates completely in-memory; each node running the malware stores in its memory the whole database of targets and peers,” according to Guardicore’s report.

“FritzFrog takes advantage of the fact that many network security solutions enforce traffic only by the port and protocol. To overcome this stealth technique, process-based segmentation rules can easily prevent such threats.”

“Weak passwords are the immediate enabler of FritzFrog’s attacks. We recommend choosing strong passwords and using public key authentication, which is much safer. In addition, it is crucial to remove FritzFrog’s public key from the authorized_keys file, preventing the attackers from accessing the machine. Routers and IoT devices often expose SSH and are thus vulnerable to FritzFrog; consider changing their SSH port or completely disabling SSH access to them if the service is not in use.” The report further read.