Guardicore, a company that aims to protect any digital environment by offering simplified cloud and data center security solutions, reveals that it has found a peer-to-peer (P2P) botnet, called FritzFrog, that has been regularly breaching SSH services since January of this year.
SSH servers are software programs that use the secure shell protocol to accept network connections from remote computing devices. Online file transfers (using various protocols) and remote terminal connections are common use cases for an SSH server.
As noted by the Guardicore team, the malware associated with FritzFrog runs a separate process (libexec) to mine Monero (XMR), a privacy-oriented cryptocurrency. According to the company’s detailed research report, the miner is based on the widely-used XMRig digital currency miner.
As explained in the report:
“FritzFrog relies on the ability to share files over the network, both to infect new machines and run malicious payloads, such as the Monero cryptominer… Tracking the operators of a P2P botnet is a complicated task; due to its distributed nature, commands can be sent to and from any node in the network.”
The online security firm notes that weak passwords are the “immediate enabler” of FritzFrog’s cyberattacks. They’ve recommended choosing strong passwords and also using public key authentication, which they claim makes users’ online experience a lot safer.
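The two mitigations above (strong passwords and public key authentication) come down to a handful of sshd directives. The following script is an added example, not code from Guardicore or its report: it parses an sshd_config text the way sshd reads it (first occurrence of a directive wins, directives inside a Match block are conditional and skipped here) and reports the settings that leave password guessing possible. The two sample configs and the defaults table are constructed for the example; the defaults reflect OpenSSH's documented behaviour when a directive is absent.

```python
"""Audit sshd_config text for settings that leave SSH password guessing possible."""
from __future__ import annotations

import re

# Constructed sample: the weak configuration password-guessing malware relies on.
WEAK_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample, weak)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication no
"""

# Constructed sample: the hardened counterpart (key-only authentication).
HARDENED_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample, hardened)
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
"""

# OpenSSH defaults that apply when a directive is not present at all.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}

# Directive names are alphanumeric; "Name value" and "Name=value" are both accepted.
DIRECTIVE_RE = re.compile(r"^([A-Za-z0-9]+)\s*=?\s*(.*)$")


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return the global directives (lowercased names) from sshd_config text.

    sshd keeps the first occurrence of a directive, so later duplicates are ignored.
    Parsing stops at the first Match block because its directives are conditional.
    """
    directives: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        match = DIRECTIVE_RE.match(line)
        if not match or not match.group(2):
            continue
        key, value = match.group(1).lower(), match.group(2).strip()
        if key == "match":
            break
        directives.setdefault(key, value)
    return directives


def audit_sshd_config(text: str) -> list[tuple[str, str, str]]:
    """Return (directive, effective value, advice) for each weak setting found."""
    cfg = parse_sshd_config(text)

    def effective(name: str) -> str:
        return cfg.get(name, DEFAULTS[name]).lower()

    # ChallengeResponseAuthentication is the legacy alias of KbdInteractiveAuthentication.
    kbd = (cfg.get("kbdinteractiveauthentication")
           or cfg.get("challengeresponseauthentication")
           or DEFAULTS["kbdinteractiveauthentication"]).lower()

    findings: list[tuple[str, str, str]] = []
    if effective("passwordauthentication") == "yes":
        findings.append(("PasswordAuthentication", "yes",
                         "password guessing is possible; set 'PasswordAuthentication no'"))
    if kbd == "yes":
        findings.append(("KbdInteractiveAuthentication", "yes",
                         "PAM can still prompt for a password; set it to 'no'"))
    if effective("pubkeyauthentication") != "yes":
        findings.append(("PubkeyAuthentication", effective("pubkeyauthentication"),
                         "key-based login is disabled; set 'PubkeyAuthentication yes'"))
    if effective("permitrootlogin") == "yes":
        findings.append(("PermitRootLogin", "yes",
                         "root accepts passwords; set 'PermitRootLogin prohibit-password' or 'no'"))
    return findings


if __name__ == "__main__":
    for label, cfg_text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {len(audit_sshd_config(cfg_text))} finding(s)")
        for directive, value, advice in audit_sshd_config(cfg_text):
            print(f"  {directive}={value}: {advice}")
```

Run it against a real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; an empty config is deliberately reported as weak, because the absent directives fall back to password-friendly defaults.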
They revealed that routers and Internet of Things (IoT) devices “often expose SSH and are thus vulnerable to FritzFrog.”
The report confirms that FritzFrog attempted to “brute force” and propagate to millions of IP addresses belonging to governmental offices, academic institutions, medical centers, banks and telecom service providers.
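A brute-force campaign like the one described leaves a distinctive trace in sshd's authentication log: a burst of "Failed password" events from one source, sometimes followed by an "Accepted password" from the same address. The detector below is an added example, not part of the Guardicore report; it runs over constructed syslog-style auth.log lines (the hosts, addresses and usernames are made up), groups failures per source address inside a sliding time window, and flags a source whose password success follows its failure burst.

```python
"""Flag SSH password-guessing bursts in syslog-style sshd log lines."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from a real host).
SAMPLE_AUTH_LOG = """\
Aug 19 10:00:01 host sshd[1001]: Failed password for root from 198.51.100.7 port 51000 ssh2
Aug 19 10:00:02 host sshd[1002]: Failed password for invalid user admin from 198.51.100.7 port 51001 ssh2
Aug 19 10:00:03 host sshd[1003]: Failed password for invalid user admin from 198.51.100.7 port 51002 ssh2
Aug 19 10:00:04 host sshd[1004]: Failed password for root from 198.51.100.7 port 51003 ssh2
Aug 19 10:00:05 host sshd[1005]: Failed password for invalid user ubuntu from 198.51.100.7 port 51004 ssh2
Aug 19 10:00:06 host sshd[1006]: Failed password for root from 198.51.100.7 port 51005 ssh2
Aug 19 10:00:07 host sshd[1007]: Failed password for invalid user pi from 198.51.100.7 port 51006 ssh2
Aug 19 10:00:09 host sshd[1008]: Accepted password for deploy from 198.51.100.7 port 51007 ssh2
Aug 19 10:00:30 host sshd[1009]: Accepted publickey for alice from 203.0.113.5 port 40000 ssh2
Aug 19 10:01:00 host sshd[1010]: Failed password for bob from 203.0.113.9 port 40001 ssh2
"""

AUTH_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) (password|publickey) for (?:invalid user )?(\S+) "
    r"from (\S+) port \d+"
)


def parse_auth_line(line: str) -> dict | None:
    """Parse one sshd auth line; return None for lines that are not auth results."""
    match = AUTH_RE.match(line)
    if not match:
        return None
    # Syslog timestamps carry no year; that is fine for comparisons within one window.
    return {
        "ts": datetime.strptime(match.group(1), "%b %d %H:%M:%S"),
        "result": match.group(2),
        "method": match.group(3),
        "user": match.group(4),
        "ip": match.group(5),
    }


def detect_bruteforce(lines, threshold: int = 5, window_seconds: int = 60) -> list[dict]:
    """Return one finding per source IP with >= threshold failures inside window_seconds.

    A finding also records whether a password login from that IP succeeded after the burst,
    which is the case a responder wants to look at first.
    """
    by_ip: dict[str, list[dict]] = defaultdict(list)
    for event in filter(None, map(parse_auth_line, lines)):
        by_ip[event["ip"]].append(event)

    findings = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        fails = [e for e in events if e["result"] == "Failed"]
        burst_end = None
        start = 0
        # Two-pointer sliding window over the failure timestamps.
        for end in range(len(fails)):
            while (fails[end]["ts"] - fails[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = fails[end]["ts"]
                break
        if burst_end is None:
            continue
        success_after = any(
            e["result"] == "Accepted" and e["method"] == "password" and e["ts"] >= burst_end
            for e in events
        )
        findings.append({
            "ip": ip,
            "failures": len(fails),
            "users": sorted({f["user"] for f in fails}),
            "password_success_after_burst": success_after,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_bruteforce(SAMPLE_AUTH_LOG.splitlines()):
        print(finding)
```

Feed it `open("/var/log/auth.log")` on a Debian-style host; the threshold and window are deliberately conservative, and a public-key-only server (see the sshd_config settings discussed above) produces no "Failed password" lines for this detector to count at all.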
The malware has breached over 500 servers and has infected “well-known” universities based in the US and Europe, as well as a railway company. Notably, FritzFrog is “completely proprietary.”
The report further notes that FritzFrog’s P2P implementation was “written from scratch, teaching us that the attackers are highly professional software developers.” The company claims it has created a client program using the Golang programming language that’s capable of “intercepting FritzFrog’s P2P communication, as well as joining as a network peer.”
Cyberattacks in the UK and the US have increased as more consumers and businesses conduct financial transactions online.
Over 300,000 potentially fraudulent sites with fake celebrity endorsements were identified recently by the UK’s National Cyber Security Centre, with half being related in some way to cryptocurrency.