FritzFrog Returns with Log4Shell and PwnKit, Spreading Malware Inside Your Network

Feb 01, 2024 | Newsroom | Cyber Attack / Botnet

The threat actor behind a peer-to-peer (P2P) botnet known as FritzFrog has made a return with a new variant that leverages the Log4Shell vulnerability to propagate internally within an already compromised network.

“The vulnerability is exploited in a brute-force manner that attempts to target as many vulnerable Java applications as possible,” web infrastructure and security company Akamai said in a report shared with The Hacker News.

FritzFrog, first documented by Guardicore (now part of Akamai) in August 2020, is a Golang-based malware that primarily targets internet-facing servers with weak SSH credentials. It is known to have been active since January 2020.

It has since evolved to strike the healthcare, education, and government sectors, and has improved its capabilities to ultimately deploy cryptocurrency miners on infected hosts.

What is novel about the latest version is the use of the Log4Shell vulnerability as a secondary infection vector to specifically single out internal hosts rather than targeting vulnerable publicly accessible assets.

“When the vulnerability was first discovered, internet-facing applications were prioritized for patching because of their significant risk of compromise,” security researcher Ori David said.

“Contrastly, internal machines, which were less likely to be exploited, were often neglected and remained unpatched — a circumstance that FritzFrog takes advantage of.”

This means that even if the internet-facing applications have been patched, a breach of any other endpoint can expose unpatched internal systems to exploitation and propagate the malware.

The SSH brute-force component of FritzFrog has also received a facelift of its own: it now identifies specific SSH targets by enumerating several system logs on each of its victims.

Another notable change in the malware is the use of the PwnKit flaw tracked as CVE-2021-4034 to achieve local privilege escalation.

“FritzFrog continues to employ tactics to stay hidden and avoid detection,” David said. “In particular, it takes special care to avoid dropping files to disk when possible.”

This is accomplished via the shared memory location /dev/shm, which has also been put to use by other Linux-based malware such as BPFDoor and Commando Cat, and via memfd_create to execute memory-resident payloads.
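Both techniques leave a trace in /proc: a process started from a memfd_create() descriptor has an exe link of the form "/memfd:&lt;name&gt; (deleted)", and a binary staged under /dev/shm has an exe path under that tmpfs. The following script is an added illustration written for this article, not Akamai's or FritzFrog's code; it walks /proc and flags processes whose executable image lives in memory rather than on disk, and the sample pid-to-target mapping it carries is constructed.

```python
import os
import re
from typing import Optional

# What /proc/<pid>/exe resolves to for a memory-resident image:
# - a memfd_create() file shows up as "/memfd:<name> (deleted)"
# - /dev/shm is tmpfs, so a binary staged and executed there never reaches a disk
MEMFD_RE = re.compile(r"^/memfd:")
SHM_RE = re.compile(r"^/dev/shm/")

def classify_exe(exe_target: str) -> Optional[str]:
    """Return a reason string if the exe link target looks memory-resident, else None."""
    if MEMFD_RE.match(exe_target):
        return "memfd_create-backed executable"
    if SHM_RE.match(exe_target):
        return "executable running from /dev/shm (tmpfs)"
    return None

def scan_exe_targets(exe_targets: dict) -> list:
    """Classify a {pid: exe_target} mapping; returns [(pid, exe_target, reason), ...] sorted by pid."""
    findings = []
    for pid in sorted(exe_targets):
        reason = classify_exe(exe_targets[pid])
        if reason is not None:
            findings.append((pid, exe_targets[pid], reason))
    return findings

def collect_proc_exe_targets(proc_root: str = "/proc") -> dict:
    """Read /proc/<pid>/exe for every visible process (other users' pids need root)."""
    targets = {}
    if not os.path.isdir(proc_root):
        return targets
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            targets[int(entry)] = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            # kernel threads have no exe; unprivileged readers get EACCES for foreign pids
            continue
    return targets

# Constructed sample of readlink() results, not captured data.
SAMPLE_EXE_TARGETS = {
    1: "/usr/lib/systemd/systemd",
    4242: "/memfd:ifconfig (deleted)",
    4243: "/dev/shm/.x/nginx",
}

if __name__ == "__main__":
    for pid, exe, reason in scan_exe_targets(collect_proc_exe_targets()):
        print(f"pid={pid} exe={exe!r}: {reason}")
```

A one-shot scan only catches what is running at that moment; on a fleet this check belongs in a periodic job or alongside an eBPF or auditd rule on the memfd_create and execve syscalls.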

The disclosure comes as Akamai revealed that the InfectedSlurs botnet is actively exploiting now-patched security flaws (CVE-2024-22768 through CVE-2024-22772, and CVE-2024-23842) impacting several DVR device models from Hitron Systems to launch distributed denial-of-service (DDoS) attacks.
