It’s the plague of frogs, but not as you know it. First spotted in August 2020, “FritzFrog” botnets have recently reappeared, targeting devices across industries that expose an SSH server. The botnet has mainly spread amongst Chinese targets in the healthcare, government and education sectors. Its quick growth (10x within the last month), peaking at 24,000 known incidents, together with its new features, has shown a level of sophistication that has earned it the title of “Next-generation Botnet”.

Discovered by Akamai (Guardicore), this botnet is pushing the borders with:

  • P2P Architecture: This means it can lie low and evade detection; it can execute commands from each machine it infects, with no centralized server.
  • Constantly under development, and updates itself
  • Uses an extensive dictionary library to brute-force SSH credentials
  • Can use the Tor network as a proxy, which essentially hides the botnet’s network activity from view.

Most notably, the FritzFrog botnet seems to be preparing to target WordPress servers, with functions responsible for adding and removing entries from lists titled WordPress and WordPressTargetsTTL.

It’s pretty fascinating to read Akamai’s research, which points in the direction of Chinese-linked actors who are doing their utmost to remain undetected. For example, on their “blocklist” are not only small machines like Raspberry Pis (barely worth a botnet’s effort), but also what seems to be a Russian honeypot and a known botnet sinkhole.

Akamai provides a FritzFrog detection script (available on their website) and recommends keeping systems updated and patched, implementing passwordless login with a strong key management and rotation system, enabling system login auditing with alerting, monitoring the authorized_hosts file on Linux, configuring an explicit allow list for SSH logins, and disabling root SSH access. They also provide a DNS tool.
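One way to check a host against three of those items (key-only login, no root login, an explicit allow list) is to audit its sshd_config. This is an added shell example, neither Akamai’s detection script nor Centraleyes code; the weak config it demonstrates on is constructed, and the directive names and defaults are standard OpenSSH.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the hardening items listed
# above. Assumes standard OpenSSH directives; "Match" blocks are not
# evaluated (directives inside them are read as global), so review those
# by hand.

# Effective value of a directive: OpenSSH uses the FIRST occurrence it reads,
# so the first uncommented match wins here too.
sshd_get() {
    # $1 = directive name, $2 = config file; prints the value or nothing
    awk -v k="$1" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$2"
}

# Print one FAIL line per weak setting; return the number of findings.
audit_sshd_config() {
    cfg="$1"; fails=0
    # Password auth: FritzFrog spreads by brute-forcing SSH passwords.
    # OpenSSH default when the directive is absent is "yes".
    v=$(sshd_get PasswordAuthentication "$cfg")
    if [ "${v:-yes}" != "no" ]; then
        echo "FAIL PasswordAuthentication=${v:-yes (default)} -> use key-only login"
        fails=$((fails + 1))
    fi
    # Root login: the default "prohibit-password" still allows key login as root.
    v=$(sshd_get PermitRootLogin "$cfg")
    if [ "${v:-prohibit-password}" != "no" ]; then
        echo "FAIL PermitRootLogin=${v:-prohibit-password (default)} -> set to no"
        fails=$((fails + 1))
    fi
    # Explicit allow list: at least one of AllowUsers / AllowGroups must exist.
    if [ -z "$(sshd_get AllowUsers "$cfg")" ] && [ -z "$(sshd_get AllowGroups "$cfg")" ]; then
        echo "FAIL no AllowUsers/AllowGroups allow list configured"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Demo on a constructed weak config (not a real host's file): the commented
# PasswordAuthentication line must be ignored, so all three checks fail.
demo=$(mktemp)
printf 'Port 22\nPermitRootLogin yes\n#PasswordAuthentication no\n' > "$demo"
audit_sshd_config "$demo"
rm -f "$demo"
```

Run it as `audit_sshd_config /etc/ssh/sshd_config` on a host; a non-zero return code is the number of items still to fix.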

This is where you’ll want to have an automated compliance platform monitoring your systems, making sure all your security controls are in place, and alerting you to signs of compromise to cover all of these recommendations and more. Use Centraleyes, the next-gen risk management platform to beat the next-gen botnet.
