
This new threat affects your router and servers

There are many threats on the network that can put all kinds of devices at risk, including the router itself. In this article we talk about the FritzFrog Botnet, a botnet that is capable of attacking SSH servers, data center servers, and routers. It is a problem that has affected many countries around the world, including Spain. We will also give some tips on how to stay protected.

FritzFrog Botnet, one more problem for routers

Security researchers have found that this threat has been present for two years. However, analysts at Akamai have detected a new version with a unique feature: it is able to use a Tor proxy chain. It has primarily targeted exposed SSH servers in education, government, and healthcare systems.

This malware is written in Golang and is considered an advanced and sophisticated threat: a state-of-the-art botnet capable of compromising servers and routers. It combines several properties to achieve its goal.

Among these properties, what stands out is the constant updating of the databases of targets and of machines it has already managed to attack. It is also notably aggressive in its brute-force attacks, which use an extensive dictionary. Furthermore, it is very efficient, since the targets are distributed evenly among the nodes.

It is, therefore, a very sophisticated piece of malware. It runs as processes with the following four names:

  • ifconfig
  • nginx
  • apache2
  • php-fpm

Another peculiarity of the FritzFrog Botnet is that it is updated daily, and even several times a day. In this way, it stands out as a sophisticated and advanced threat, capable of putting many users and organizations at risk.

How to avoid this threat

Akamai security researchers have laid out guidance for avoiding the FritzFrog Botnet and ensuring that servers are adequately protected. They have given the following indicators that this threat is running on a system:

  • Running processes named nginx, ifconfig, php-fpm, apache2, or libexec, whose executable file no longer exists on the file system
  • A listener on port 1234
  • TCP traffic over port 5555, which indicates network traffic to the Monero pool
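
The three indicators above can be checked on a Linux host from /proc. The following Python is an added example, not code from Akamai or from the original article; the function names, the use of /proc/<pid>/comm as the process name, and the constructed sample socket table are assumptions.

```python
import os

# Process names and ports taken from the indicators listed above.
SUSPECT_NAMES = {"nginx", "ifconfig", "php-fpm", "apache2", "libexec"}
LISTEN_PORT, POOL_PORT = 1234, 5555
TCP_LISTEN = "0A"  # socket state code used in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout, trimmed to the first four columns.
SAMPLE_TCP = """\
  sl  local_address rem_address   st
   0: 00000000:04D2 00000000:0000 0A
   1: 0A0200C0:9C40 057100CB:15B3 01
   2: 00000000:0016 00000000:0000 0A
   3: 0A0200C0:0016 067100CB:D431 01
"""

def deleted_exe_procs(proc_root="/proc"):
    """Return (pid, name, exe) for suspect-named processes whose binary was unlinked."""
    hits = []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        try:
            with open(os.path.join(proc_root, pid, "comm")) as f:
                name = f.read().strip()
            exe = os.readlink(os.path.join(proc_root, pid, "exe"))
        except OSError:
            continue  # kernel thread, exited process, or insufficient privilege
        # Linux appends " (deleted)" to the exe link once the file is removed.
        if name in SUSPECT_NAMES and exe.endswith(" (deleted)"):
            hits.append((int(pid), name, exe))
    return hits

def scan_tcp_table(text):
    """Return ("listen", 1234) / ("outbound", 5555) findings from /proc/net/tcp text."""
    findings = []
    for line in text.splitlines()[1:]:  # first line is the column header
        cols = line.split()
        if len(cols) < 4:
            continue
        local_port = int(cols[1].rsplit(":", 1)[1], 16)  # ports are hex
        remote_port = int(cols[2].rsplit(":", 1)[1], 16)
        if cols[3] == TCP_LISTEN and local_port == LISTEN_PORT:
            findings.append(("listen", local_port))
        elif remote_port == POOL_PORT:
            findings.append(("outbound", remote_port))
    return findings

if __name__ == "__main__":
    print("deleted-binary processes:", deleted_exe_procs())
    for table in ("/proc/net/tcp", "/proc/net/tcp6"):
        if os.path.exists(table):
            with open(table) as f:
                print(table, scan_tcp_table(f.read()))
```

Run it as root so that every process's exe link is readable. A legitimate nginx or apache2 can also show a deleted binary after a package upgrade until the service is restarted, so a hit is a lead to investigate rather than proof of infection.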

Beyond these indicators for telling whether a server has been affected by this threat, they have also given some general recommendations that we can put into practice. The goal is to prevent the FritzFrog Botnet and maximize security:

  • Enable login auditing with alerting
  • Monitor the authorized_hosts file on Linux
  • Configure an explicit allow list for SSH logins
  • Always allow root SSH access
  • Enable cloud-based DNS protection

In short, these are the main tips given by Akamai for staying protected against this security threat, which has recently been updated. Beyond that, we always recommend properly protecting the router from DDoS attacks, as well as any device connected to the network. This mainly means securing them with a strong password and updating the firmware whenever possible to fix vulnerabilities.
