Fritzfrog and the Lockheed Cyber Kill Chain

23rd September 2020


Fritzfrog is a botnet infecting and controlling Linux based devices worldwide.  These devices have diverse applications within the organizations they serve as corporate servers, routers, and IoT devices (source). This particular malware has a variety of features including sophisticated cracking abilities using a substantial dictionary, running a cryptocurrency miner, running on a proprietary P2P protocol, and it creates a backdoor for subsequent command and control. 

The first phase of the Lockheed Cyber Kill Chain is Reconnaissance where the attacker gets information on the organization or device they seek to attack. The FritzFrog developers target government, healthcare, education, and transportation entities, then target devices within those organizations (source) that scan the device and attempt to brute-force the password which comprises the Weaponization phase. If the device is successfully breached, it is then prepared for malware installation, bringing us to the Delivery phase of the kill chain.

Each phase in the Cyber Kill Chain provides organizations an opportunity to detect and prevent the propagation of malware. Since the Lockheed model captures the strategic movement of an attacker through the environment with such simplicity, analyzing a piece of malware like FritzFrog through the lens of the framework gives network defenders an advantage in planning response capabilities and procedures.  While many products are available to alert and prevent bad known behaviors, not many are available to alert your incident response teams to new threats. That is where CyGlass comes in!

CyGlass uses cutting edge AI/ML algorithms to give businesses key insights into network activity, alerting customers to abnormalities that may indicate network compromise. The ability of the platform to identify abnormalities enables your organization to identify behaviors that may be part of a sophisticated new attack campaign like FritzFrog, rather than just relying on known malware signatures as your antivirus software does.  Unfortunately, your firewall would not be able to catch attacks like FritzFrog either. This is because FritzFrog tunnels commands over SSH by running a net cat client instead of using the usual port your firewall monitors for such behavior which is port 1234 (source).  Now let’s start from the beginning again to see how CyGlass can help you prevent and detect FritzFrog at each of the first three stages in the Cyber Kill Chain. 


Reconnaissance

A key indicator that someone is trying to gain access to your network in the reconnaissance phase is a vertical port scan.  Since CyGlass baselines your network it can identify port scans that are outside the scope of regular network activity and alert your team to the behavior for closer investigation.  The AI/ML algorithm is able to eliminate false positives so when your team receives a CyGlass Smart Alert you know it merits immediate attention.  

Once you log into the platform you will immediately see some of the information below displayed in laymen’s terms so you have a high-level idea of what is occurring and take immediate action.  This feature is especially helpful for smaller businesses where the person responding to threat information may not be a full-time cyber analyst. The vertical port scan below is not only abnormal but indicates something is performing a TCP scan with a 99.8% failure rate, which is abnormal for this network.  TCP scans are often a part of reconnaissance and enable an attacker to see which ports on your assets are available to connect for a payload delivery.  Port scans can also tell an attacker valuable information like which operating systems and services are running on your assets. Outdated services and systems typically have published exploits that can be used or customized to facilitate infiltration.


Weaponization

FritzFrog’s weaponization phase consists of brute-forcing a password on a device found in the reconnaissance phase. Since CyGlass uses NetFlow data to identify abnormal behavior, it flags behavior associated with password cracking. Such behaviors typically involved short bursts of activity over SSH, HTTP, and HTTPS (source).  Once your team is made aware of these behaviors, even if the attacker was successful in the reconnaissance phase, you can still stop them here during weaponization which is the first part of the kill chain where the attacker gets access to your network.


Delivery

The Delivery phase, where the attacker installs malware after successful authentication from the Weaponization phase, is where he or she is able to download their malware on your system. The process of downloading malware tends to have a few aspects where CyGlass can identify abnormal behavior including inappropriate external to internal communications, suspicious tunneling, and an unusual volume of communication any protocol that could indicate a download.  Below is an example of a CyGlass Smart Alert depicting a high volume of data transfer.  In the “Number of Flows with High Volume to External” pane, it is easy to see how substantial the deviation is from the established baseline in terms of packet count. 

To take a closer look at the traffic we can select the type of conversation which includes ICMP, TCP, and UDP options. Even further, we can select the abnormality type we want to evaluate from hundreds of options as shown below: 


Several of these options can help detect a threat like FritzFrog even before it is known by the security research community.  This gives your organization the ability to rapidly respond to unusual activity and shut it down before it propagates through your entire network. The bigger the network infection the more substantial the cost and time required for remediation and restoration. 

CyGlass is a hands-off platform designed to alert your organization to unusual network behavior.  New malware strains like FritzFrog are abundant which means that the days where an antivirus software and a well-configured firewall can provide your business adequate protection are long gone. However, the situation isn’t as dire as it may seem. CyGlass is easy to configure and designed to handle the network monitoring for you so you can continue running your business and delivering value to your customers.  Since CyGlass is a robust network defense platform, it is capable of alerting your team to potentially nefarious behavior at every stage of the Lockheed Cyber Kill Chain. Today, we only went through the first three phases for the sake of time. To learn more about what CyGlass can do to protect your network at every phase of the Kill Chain, please contact us for a demo.