
Brute-Force P2P Botnet Targeting SSH Servers of Medical Centers, Banks

A sophisticated peer-to-peer (P2P) botnet has been actively breaching the SSH servers of a range of organizations, including medical centers and banks, through brute-force cyberattacks.

Guardicore researchers are warning organizations of a sophisticated peer-to-peer botnet, which has been actively breaching SSH servers since January 2020. Known as FritzFrog, the botnet has attempted targeted, brute-force attacks on medical centers, banks, educational institutions, and others. 

The P2P botnet has attempted to brute-force tens of millions of IP addresses belonging to those entities, as well as to telecom companies and governmental offices. Of these attacks, researchers explained, the botnet has successfully breached more than 500 servers, including those of well-known universities in the US and Europe and a railway company. 

First discovered in January, researchers determined the botnet has no apparent command and control (CNC) server. The botnet executes a worm malware written in Golang, which is uniquely fileless, multi-threaded, and modular, leaving no trace of its presence on the infected machine “as it assembles and executes payloads in memory.” 

Guardicore researchers have so far identified 20 different versions of the malware executed by the botnet. And the FritzFrog attacks are both efficient and aggressive. 

The malware first selects a target machine and places it in a queue that is fed to the Cracker module, which scans the machine and attempts to brute-force it. A successfully breached machine is then queued for malware infection by the FritzFrog DeployMgmt module. If the infection succeeds, the machine is added to the P2P network. 

Completely proprietary and relying on no known P2P protocols, the botnet was written from scratch, meaning the hackers are highly professional software developers. Researchers explained it has a “special combination of properties,” including that it constantly updates itself, seamlessly exchanging databases of targets and breached machines between peers. 

“With its decentralized infrastructure, it distributes control among all its nodes,” researchers explained. “In this network with no single point-of-failure, peers constantly communicate with each other to keep the network alive, resilient and up-to-date. P2P communication is done over an encrypted channel, using AES for symmetric encryption and the Diffie-Hellman protocol for key exchange.” 

“It is more aggressive in its brute-force attempts yet stays efficient by distributing targets evenly within the network,” they added. “It creates a backdoor in the form of an SSH public key, enabling the attackers ongoing access to victim machines.” 

Once the botnet has successfully breached a target, it unpacks the UPX-packed malware, which immediately erases itself from the machine. The malware runs under the process names “ifconfig” and “nginx” to minimize detection and, during startup, listens on port 1234 to await commands. 

The initial commands will sync the victim’s machine with the database of network peers and other brute-force targets. 

Typically, traffic on port 1234 is easily detected by security tools and firewalls. To get around this, the FritzFrog attackers do not send commands to port 1234 directly: they send commands to the victim over SSH and run a netcat client on the victim’s machine, which in turn connects to the malware’s server. 

As a result, any command sent through the SSH will transmit to the malware. 
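The listener details above (a process named “ifconfig” or “nginx” holding TCP port 1234) give a defender something concrete to hunt for. The following is an added example, not code from the article or from Guardicore: it parses `ss -lntp` output, joins each listener to the target of `/proc/<pid>/exe`, and flags processes that trip at least two indicators. The sample rows and exe paths are constructed; the “(deleted)” check is an added assumption that a self-erasing binary shows that suffix in `/proc/<pid>/exe` on Linux.

```python
import re
from typing import Dict, List, Tuple

# Indicators from the article: the malware listens on TCP 1234 and hides under the
# process names "ifconfig" and "nginx". The "(deleted)" exe check is an added
# assumption: on Linux a binary that erases itself after launch shows that suffix.
FRITZFROG_PORT = 1234
WEB_PORTS = {80, 443, 8080, 8443}

LISTEN_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+users:(.*)$')
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')

def parse_ss(output: str) -> List[Tuple[int, str, int]]:
    """(port, comm, pid) for every LISTEN row of `ss -lntp` output."""
    rows = []
    for m in filter(None, map(LISTEN_RE.match, output.splitlines())):
        rows += [(int(m.group(1)), comm, int(pid))
                 for comm, pid in PROC_RE.findall(m.group(2))]
    return rows

def indicators(port: int, comm: str, exe: str) -> List[str]:
    """Independent signals for one listener; two or more together are worth an alert."""
    hits = []
    if port == FRITZFROG_PORT:
        hits.append(f"listens on tcp/{FRITZFROG_PORT}")
    if comm == "ifconfig":
        hits.append("ifconfig never holds a listening socket")
    elif comm == "nginx" and port not in WEB_PORTS:
        hits.append("nginx on a non-web port")
    if exe.endswith("(deleted)"):
        hits.append("backing executable removed from disk")
    return hits

def find_suspects(ss_output: str, exe_by_pid: Dict[int, str]) -> Dict[int, List[str]]:
    """Map pid -> indicators for listeners that trip at least two of them."""
    suspects = {}
    for port, comm, pid in parse_ss(ss_output):
        hits = indicators(port, comm, exe_by_pid.get(pid, ""))
        if len(hits) >= 2:
            suspects[pid] = hits
    return suspects

# Constructed sample: `ss -lntp` rows and /proc/<pid>/exe targets for the same pids.
SAMPLE_SS = """LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=900,fd=6))
LISTEN 0      511    0.0.0.0:1234        0.0.0.0:*         users:(("nginx",pid=4242,fd=5))
LISTEN 0      128    [::]:1234           [::]:*            users:(("ifconfig",pid=5150,fd=4))
"""
SAMPLE_EXE = {812: "/usr/sbin/sshd", 900: "/usr/sbin/nginx",
              4242: "/tmp/nginx (deleted)", 5150: "/tmp/ifconfig (deleted)"}
```

On a live host, `find_suspects(subprocess.check_output(["ss", "-lntp"], text=True), exe_by_pid)` with `exe_by_pid` built from `os.readlink(f"/proc/{pid}/exe")` gives the same report; the legitimate sshd and web-port nginx rows in the sample produce no hits.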

“Nodes in the FritzFrog network keep in close contact with each other. They constantly ping each other to verify connectivity, exchange peers and targets and keep each other synced,” researchers wrote. “The nodes participate in a clever vote-casting process, which appears to affect the distribution of brute-force targets across the network.” 

“Each node that runs the malware has a worker thread which is responsible for receiving commands, parsing them and dispatching them to the appropriate function in the code,” they added.  

To avoid falling victim, organizations need to employ process-based segmentation rules, because the botnet takes advantage of network security solutions that enforce traffic rules only by port and protocol. 

Further, these attacks are enabled by weak passwords. Administrators must implement strong password policies and use public key authentication. FritzFrog’s public key will also need to be removed from the authorized_keys file, which will prevent an attacker from accessing the machine. 
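Removing the planted key means knowing which entries in `authorized_keys` you never issued. The following is an added example, not a script from the article or from Guardicore: it parses an `authorized_keys` file (including entries prefixed with options), computes the OpenSSH-style SHA256 fingerprint of each key, and reports every key whose fingerprint is not on an allowlist. The key blobs are constructed from seeds so the example runs offline; they are not real FritzFrog material.

```python
import base64
import hashlib
import re
import struct
from typing import List, Set

# One authorized_keys entry: [options] key-type base64-blob [comment].
KEY_RE = re.compile(
    r'(?:^|\s)(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-[\w-]+)\s+([A-Za-z0-9+/]+=*)(?:\s+(.*))?$')

def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint: base64(sha256(decoded blob)) without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text: str) -> List[dict]:
    """One dict per key line (line number, type, fingerprint, comment); blanks and # lines skipped."""
    keys = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = KEY_RE.search(line.strip())
        if m and not line.lstrip().startswith("#"):
            keys.append({"line": lineno, "type": m.group(1),
                         "fp": fingerprint(m.group(2)), "comment": m.group(3) or ""})
    return keys

def audit(text: str, allowed_fps: Set[str]) -> List[dict]:
    """Keys whose fingerprint is not on the allowlist: the lines to remove."""
    return [k for k in parse_authorized_keys(text) if k["fp"] not in allowed_fps]

# --- constructed sample data: structurally valid ssh-ed25519 blobs, not real keys ---
def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def fake_ed25519_blob(seed: bytes) -> str:
    pub = hashlib.sha256(seed).digest()  # 32 bytes standing in for the public key
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(pub)).decode()

ADMIN_BLOB = fake_ed25519_blob(b"admin-laptop")
ROGUE_BLOB = fake_ed25519_blob(b"planted-backdoor")
SAMPLE_FILE = "\n".join([
    "# keys for root",
    f"ssh-ed25519 {ADMIN_BLOB} admin@laptop",
    f'no-pty,command="/bin/true" ssh-ed25519 {ROGUE_BLOB} unknown@localhost',
])
ALLOWLIST = {fingerprint(ADMIN_BLOB)}  # fingerprints of keys you issued

if __name__ == "__main__":
    for k in audit(SAMPLE_FILE, ALLOWLIST):
        print(f"line {k['line']}: unknown {k['type']} key {k['fp']} ({k['comment']})")
```

The fingerprints match what `ssh-keygen -lf authorized_keys` prints, so the allowlist can be built from keys you already track, and the reported line numbers are the ones to delete.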

Lastly, the botnet also targets routers and IoT devices with exposed SSH keys, which means organizations should consider changing their SSH port or disabling access to SSH when the service is not in use. 

“Here’s the thing -- if you have an SSH server with weak credentials, you've been owned for a really long time,” David Wolpoff, CTO and co-founder of Randori, said in an emailed statement. “Every SSH server I’ve seen anywhere on the internet has seen ongoing credential brute-forcing.” 

“Being P2P might make the FritzFrog botnet harder to disrupt, depending on how it's doing command and control,” he added. “A lot of classic ‘takedown’ techniques are dependent on a central resource, but that doesn't mean taking it down will be hard, just that it has the possibility to be difficult.” 
