FritzFrog botnet is exploiting Log4Shell bug now, experts say

A variant of a long-running botnet is now abusing the Log4Shell vulnerability but is going beyond internet-facing applications and is targeting all hosts in a victim’s internal network.

Researchers at Akamai explain the shift in the FritzFrog botnet — which has existed since 2020 — in a report released Thursday.

The botnet typically uses brute-force attacks to compromise SSH, a protocol for network connections, to gain access to servers and deploy cryptominers. But newer variants now “read several system files on compromised hosts to detect potential targets for this attack that have a high likelihood of being vulnerable,” the researchers said.

FritzFrog now targets as “many vulnerable Java applications as possible” in a campaign Akamai is calling “Frog4Shell,” because it leverages Log4Shell, a bug in the widely used open source Log4j web tool that was discovered in 2021 and kicked off a global patching effort led by dozens of governments and security companies.

The effort was largely successful in protecting most organizations. But researchers continue to find vulnerable tools or systems more than two years after the bug’s discovery.

FritzFrog attacks in 2020 compromised more than 500 servers, including ones belonging to banks, universities, medical centers, and telecom companies. The botnet went dormant for several years before returning in 2022 to again infect victims with cryptominers.

This week, Akamai said over the years, they have seen more than 20,000 FritzFrog attacks and over 1,500 victims.

“Vulnerable internet-facing assets are a serious problem, but FritzFrog actually poses a risk to an additional type of assets — internal hosts. When the vulnerability was first discovered, internet-facing applications were prioritized for patching because of their significant risk of compromise,” the researchers said.

“Contrastly, internal machines, which were less likely to be exploited, were often neglected and remained unpatched — a circumstance that FritzFrog takes advantage of.”

The FritzFrog malware attempts to target all hosts in the internal network — meaning that even if the “high-profile” internet-facing applications have been patched, a breach of any asset in the network by FritzFrog can expose unpatched internal assets to exploitation, Akamai explained.

The researchers noted that other changes in the FritzFrog malware include new privilege escalation capabilities, cyberdefense evasion tools and more.

“We believe that this trend will continue in upcoming FritzFrog versions, and it's likely only a matter of time before additional exploits are added to the malware.”

In 2022, Akamai said about 37% of infected nodes were located in China but noted that victims were also spread out all over the world.

Based on other clues, they believe the FritzFrog operator may be located in China or is trying to masquerade as someone living in China, the researchers said in 2022.