FritzFrog: a new generation botnet which uses a proprietary P2P protocol

Welcome to the next episode of the Xopero Security Center! Researchers at Guardicore Lab have discovered a new and very interesting botnet – named FritzFrog – that uses unusually advanced measures to infect servers and corral them into a peer-to-peer network. Keep reading.

FritzFrog botnet has already breached over 500 government and enterprise SSH servers

FritzFrog is a peer-to-peer (P2P) botnet actively targeting SSH servers worldwide since at least January 2020. It has been observed attempting to brute-force and spread to tens of millions of IP addresses including those belonging to government offices, banks, telecom companies, medical centers, and educational institutions.

After brute-forcing an SSH server, FritzFrog deploys malware that is fileless: it is assembled and executed only in memory, likely in an effort to avoid detection and leave little trace of its presence. Once executed, FritzFrog unpacks malware under the names ifconfig and nginx and sets up shop to listen for commands sent across port 1234. However, these commands are usually easy to spot, and so attackers connect to the victim over SSH and run a netcat client instead.

The first command joins the victim machine to the existing database of network peers and slave nodes. Other commands, all of which are AES encrypted, include adding a public SSH-RSA key to the authorized_keys file to establish a backdoor, running shell commands to monitor a victim PC’s resources and CPU usage, and network monitoring. The malware portion of FritzFrog is also able to propagate over the SSH protocol.
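A host-side triage for the traits described above, written for this article as an added example (it is not Guardicore's tooling). The process names and port come from the text; treating an unlinked executable as the "fileless" signal is an assumption of the example, and the sample data is constructed.

```python
# Added example: triage a Linux host for the FritzFrog traits named in the article.
import os

SUSPECT_NAMES = {"ifconfig", "nginx"}  # process names from the article
SUSPECT_PORT = 1234                    # command port from the article
LISTEN = "0A"                          # TCP LISTEN state code in /proc/net/tcp

def listening_ports(proc_net_tcp):
    """Parse /proc/net/tcp text and return the set of local ports in LISTEN state."""
    ports = set()
    for line in proc_net_tcp.splitlines()[1:]:       # first row is the header
        fields = line.split()
        if len(fields) > 3 and fields[3] == LISTEN:
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))  # port is hex
    return ports

def fileless_suspects(processes):
    """processes: (pid, comm, exe_target) tuples. Assumption of this example:
    a suspect-named process whose executable was unlinked is the fileless signal."""
    return [(pid, comm) for pid, comm, exe in processes
            if comm in SUSPECT_NAMES and exe.endswith(" (deleted)")]

def live_processes():
    """Collect (pid, comm, exe_target) from /proc; needs root to see all processes."""
    out = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            out.append((int(pid), comm, os.readlink(f"/proc/{pid}/exe")))
        except OSError:                               # exited or not permitted
            continue
    return out

def triage(proc_net_tcp, processes):
    return {"port_1234_listening": SUSPECT_PORT in listening_ports(proc_net_tcp),
            "fileless_suspects": fileless_suspects(processes)}

# Constructed sample: sshd on 22, an unknown listener on 1234, one outbound session.
SAMPLE_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20100 1
   1: 00000000:04D2 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20977 1
   2: 0A000005:D2F0 0A000009:0016 01 00000000:00000000 00:00000000 00000000     0        0 21544 1
"""
SAMPLE_PROCS = [(811, "sshd", "/usr/sbin/sshd"), (1502, "nginx", "/usr/sbin/nginx"),
                (4410, "nginx", "/tmp/nginx (deleted)"), (4411, "ifconfig", "/tmp/ifconfig (deleted)")]

if __name__ == "__main__":
    print(triage(SAMPLE_TCP, SAMPLE_PROCS))
    with open("/proc/net/tcp") as fh:
        print(triage(fh.read(), live_processes()))
```

Listeners bound on IPv6 appear in /proc/net/tcp6, which uses the same column layout and can be passed to the same parser. A legitimate nginx whose package was upgraded while it was running also shows a deleted executable, so a hit is a lead to investigate, not a verdict.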

FritzFrog’s primary goal is to mine for cryptocurrency. If processes on the server are hogging CPU resources, the malware may kill them to give the miner as much power as possible.

The P2P protocol used by FritzFrog for communication is not based on any existing implementation such as μTP. This may suggest that the attackers are highly professional "software developers". For now, they are an unknown force, but some similarities have been found between FritzFrog and Rakos, a botnet discovered in 2016.


Bug in wireless devices impacting critical sectors

A vulnerability affecting components used in millions of critical connected devices in the automotive, energy, telecom, and the medical sector could let hackers hijack the device or access the internal network.

Researchers found it in the Cinterion EHS8 M2M module from Thales (formerly from Gemalto, acquired by Thales in 2019) but the vendor also confirmed it in BGS5, EHS5/6/8, PDS5/6/8, ELS61, ELS81, PLS62. Over 30,000 companies use products from Thales, which connects more than 3 billion things worldwide every year.

Cinterion EHS8 and components in the same product line are embedded modules that provide processing power and machine-to-machine (M2M) secure communication over wireless mobile connections (2G, 3G, 4G). They store and run Java code and companies use them to host operational files and sensitive data like login credentials for various network services.

Researchers discovered a method to bypass security checks protecting the files and operational code in the EHS8 module. EHS8 and the other products in its line have a microprocessor with an embedded Java ME interpreter, flash storage, and interfaces for GSM, GPIO, ADC, Digital and Analogue Audio, GPS, I2C, SPI, and USB. If an attacker is able to control the AT interface – AT commands are instructions that control a modem – they also have direct control over the module and can issue configuration commands or access the filesystem of the flash memory, letting them read, write, delete, and rename available files and directories.

Every flash memory has a secure area for Java code that allows only writing operations, prohibiting reading. OEMs can use this sector to store private Java code and sensitive files (certificates, private keys, app databases). The vulnerability bypasses the restrictions for this secure area, allowing reading the Java code running on the system from both the OEM and Thales, thus exposing all embedded data.

Thales received a report about the vulnerability in September 2019 and in February 2020 released patches for its clients. Depending on device and vendor, the fix is possible through an over-the-air (OTA) update or by installing it from a USB drive using the device’s management interface.


Drovorub – a new Linux malware strain developed and deployed by Russian military hackers…

…according to the NSA and FBI. Only a few days ago – on August 15th – both agencies published a joint security alert containing details about a previously undisclosed Russian malware.

Autopsy of a threat

Drovorub is like a Swiss-army knife for hacking Linux. The Linux malware toolset consists of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and logic for connecting back to a Command and Control (C2) server. The malware is made up of four executable components: Drovorub-client, Drovorub-agent, Drovorub-kernel module and Drovorub-server. All components communicate via JSON over WebSockets.

Drovorub poses a challenge to large-scale detection on the host because it hides its artifacts from tools commonly used for live-response at scale. Network Intrusion Detection Systems (NIDS) can feasibly identify command and control messages between the Drovorub-client, Drovorub-agent and Drovorub-server. Using different security products may also provide visibility into various artifacts of Drovorub malware, including detection of the rootkit functionality. But in this case, preventative mitigations are your best shot. Sysadmins should continually check for and run the latest version of vendor-supplied software. Keeping software updated enables the user to take advantage of software advancements and the latest security detection and mitigation safeguards. Most importantly, sysadmins should update to Linux Kernel 3.7 or later in order to take full advantage of kernel signing enforcement.


Crypto-mining worm steals AWS credentials

Researchers spotted in the wild the first crypto-mining malware that contains functionality to steal AWS credentials from infected servers.

The malware – associated with the TeamTNT cybercrime group – targets Docker installs. Attackers are scanning the internet for Docker systems that have been misconfigured and have left their management API exposed on the internet without a password. They usually gain access through the API and deploy servers inside the Docker install that run DDoS and crypto-mining malware.

Their tactics are not unique, as multiple other cybercrime groups use the same playbook. But the TeamTNT group has recently updated its mode of operation. Besides the original functionality, TeamTNT has now also expanded its attacks to target Kubernetes installations. They also added a new feature that scans the underlying infected servers for any Amazon Web Services (AWS) credentials. If the infected Docker and Kubernetes systems run on top of AWS infrastructure, the TeamTNT group scans for ~/.aws/credentials and ~/.aws/config, and copies and uploads both files onto its command-and-control server.

Both of these files are unencrypted and contain plaintext credentials and configuration details for the underlying AWS account and infrastructure. Researchers believe the attacker has not yet moved to use any of the stolen credentials. But it’s just a matter of time before they decide to do so.
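The misconfiguration described above can be checked on your own hosts by auditing the Docker daemon configuration. The following is an added example, not code from the researchers or from Docker; it reads only the `hosts` and `tlsverify` keys of daemon.json, the severity labels are this example's own, and both sample configurations are constructed.

```python
# Added example: flag daemon.json settings that expose the Docker management API
# without client authentication. Sample configurations below are constructed.
import json
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def audit_daemon_config(text):
    """Return (level, host, reason) findings for TCP API listeners in daemon.json."""
    cfg = json.loads(text)
    verified = cfg.get("tlsverify") is True      # client certificates required
    findings = []
    for host in cfg.get("hosts", []):
        url = urlsplit(host)
        if url.scheme != "tcp":                  # unix:// and fd:// are local-only
            continue
        remote = url.hostname not in LOOPBACK
        if not verified:
            level = "CRITICAL" if remote else "WARN"
            findings.append((level, host, "API reachable without client authentication"))
        elif remote:
            findings.append(("INFO", host, "remote API, TLS client auth enforced"))
    return findings

# Weak: API bound to every interface, no TLS settings at all.
WEAK = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

# Corrected: same listener, but clients must present a certificate signed by the CA.
HARDENED = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

if __name__ == "__main__":
    for name, doc in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_daemon_config(doc))
```

Listeners can also be set with `-H` flags on the dockerd command line, which this check does not see, so review the service unit as well as daemon.json.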


Do you have a thirst for knowledge? There are ten more cybersecurity stories below

1. ‘EmoCrash’ Exploit Stoppered Emotet For 6 Months (ThreatPost)
2. Microsoft fixes actively exploited Windows bug reported 2 years ago (Bleeping Computer)
3. The Attack That Broke Twitter Is Hitting Dozens of Companies (WIRED)
4. Critical Jenkins Server Vulnerability Could Leak Sensitive Information (The Hacker News)
5. Tor Project shares proposals to limit DDoS impact on Onion sites (Bleeping Computer)
6. Default Credentials Expose Cisco ENCS, CSP Appliances to Attacks (Security Week)
7. US Government Agencies Issue Alert Over Taidoor Malware Attack in Chinese Cyber Espionage Campaigns (CPO Magazine)
8. S Reveals New North Korean BLINDINGCAN RAT (Infosecurity Magazine)
9. Google Chrome will warn users when submitting insecure forms (Bleeping Computer)
10. Experts Reported Security Bug in IBM’s Db2 Data Management Software (Hacker News)