FritzFrog P2P botnet: An emerging threat covertly targeting servers around the world… What does this mean for website owners?

Researchers working at Guardicore Labs have found what they believe to be a new and emerging cyber security threat which essentially corrals web servers (the physical home of a website) around the world into an eerily silent but very malicious peer-to-peer network (meaning these infected servers go on to rely on each other for direction and security instead of a ‘central control’), stealing databases, logfiles, or website files and resources which are housed on the server it infects.

If you’re a business owner with a website or any managed digital service, this could potentially affect you. The web-server which houses your website and serves it to visitors, could potentially be vulnerable to this.

If you use any sort of web platform like a content-management system, or a service which allows users to sign-up, and store potentially sensitive data, this threat should be particularly concerning for you.

The botnet has been observed gaining entry to web-servers who employ relaxed security policies, perhaps a medium-strength password, or the use of cryptographic keys without the added layer of password security on top.

What’s maybe even more alarming, is that the malicious software uses a particularly powerful communications protocol, Secure Shell (SSH) to execute its chosen actions. SSH allows for encrypted traffic and actions over an unencrypted network connection (like one that your website uses, or one that any would-be hacker can spin up on their pc), and once granted Secure Shell access, the botnet has a worrying amount of power to cause havoc on your web server.

The SSH protocol is most often used by network managers and IT professionals to remotely execute commands on web-servers. It’s usually secured by a password, or the use of a cryptographic key which humans have to generate, install and authorise themselves. The malicious software is able to generate a key, install it, authorise it, and grant itself access to the inner-workings of your web-service, all completely covertly.

What steps can you take to reduce the risk of your web-server becoming infected?

Immediate actions your web professional should be taking:

  • Enforcing longer and more complex passwords to access your web-server
  • Inspecting all installed cryptographic SSH keys to ensure none have been installed by the FritzFrog botnet.
  • If suitable for your organisation, restricting access to web-servers using the above mentioned protocols based on fixed IP addresses or making other practice based network policy changes that may not be the ‘norms’ which FritzFrog often relies on to grant itself access. 

You can read more about this from Guardicore Cyber Security Specialists.

Need help securing your web servers? Speak to The Jamieson Consultancy

Luke Morgan By Luke Morgan | 25 August, 2020