The menace actor behind a peer-to-peer (P2P) botnet known as FritzFrog has manufactured a return with a new variant that leverages the Log4Shell vulnerability to propagate internally inside of an by now compromised network.
“The vulnerability is exploited in a brute-pressure manner that makes an attempt to concentrate on as lots of vulnerable Java programs as possible,” web infrastructure and security enterprise Akamai said in a report shared with The Hacker News.
FritzFrog, initially documented by Guardicore (now component of Akamai) in August 2020, is a Golang-based mostly malware that mainly targets internet-experiencing servers with weak SSH qualifications. It truly is recognized to be active because January 2020.
It has because progressed to strike healthcare, schooling, and federal government sectors as very well as enhanced its capabilities to ultimately deploy cryptocurrency miners on contaminated hosts.
What is actually novel about the latest edition is the use of the Log4Shell vulnerability as a secondary an infection vector to exclusively single out inner hosts relatively than focusing on vulnerable publicly-obtainable property.
“When the vulnerability was first learned, internet-facing applications had been prioritized for patching since of their considerable risk of compromise,” security researcher Ori David said.
“Contrastly, internal machines, which had been significantly less very likely to be exploited, were being normally neglected and remained unpatched — a circumstance that FritzFrog requires advantage of.”
This indicates that even if the internet-dealing with purposes have been patched, a breach of any other endpoint can expose unpatched internal systems to exploitation and propagate the malware.
The SSH brute-force element of FritzFrog has also gained a facelift of its individual to recognize particular SSH targets by enumerating several technique logs on each of its victims.
One more noteworthy modify in the malware is use of the PwnKit flaw tracked as CVE-2021-4034 to obtain regional privilege escalation.
“FritzFrog carries on to make use of tactics to stay hidden and avoid detection,” David reported. “In unique, it will take distinctive care to steer clear of dropping files to disk when achievable.”
This is completed by implies of the shared memory location /dev/shm, which has also been put to use by other Linux-centered malware these as BPFDoor and Commando Cat, and memfd_produce to execute memory-resident payloads.
The disclosure comes as Akamai exposed that the InfectedSlurs botnet is actively exploiting now-patched security flaws (from CVE-2024-22768 by CVE-2024-22772, and CVE-2024-23842) impacting several DVR device designs from Hitron Devices to start distributed denial-of-company (DDoS) attacks.
Found this article interesting? Abide by us on Twitter and LinkedIn to study much more distinctive content we post.
Some sections of this posting are sourced from: