Open knowledge base details botnet threats
The Botnet Encyclopedia, says the company, showcases the greatest threats to enterprise security – many of which are previously unknown to the cybersecurity community – in a single, open location. It is powered by the Guardicore Global Sensors Network (GGSN) – a network of detection sensors deployed in data centers and cloud environments around the world, capable of capturing and recording complete attack flows to the highest resolution.
The encyclopedia is designed to allow security teams, IT teams, researchers and the cybersecurity community at large to better understand and protect themselves from persistent and advanced threats, identified as campaigns. One of the first Botnet Encyclopedia campaign entries is FritzFrog, a mass-scale attack campaign active since January 2020 in which a sophisticated Golang binary is deployed on brute-forced Secure Shell (SSH) servers.
The company’s research identifies FritzFrog as a highly concerning peer-to-peer botnet: it has no centralized command-and-control infrastructure, and control is instead distributed among its nodes, so there is no single server whose takedown would disable it. Its design as a decentralized worm, says the company, makes it particularly unusual and dangerous. In addition, the research team identified racist terminology hard-coded in the malware.
“FritzFrog is the type of threat that must be recognized as a campaign due to its operational longevity and the danger it presents, particularly as a previously unknown threat,” says Ophir Harpaz, security researcher, Guardicore. “It’s our mission to bring these campaigns to light on a rolling basis and provide a level of context unavailable in any other public knowledge base in order to equip the cybersecurity community with the required information to defend itself and mitigate risk.”
Entries in the encyclopedia can be located with free-text search over any type of indicator of compromise (IOC): IP addresses, domains, file names, names of services and scheduled tasks, and more. Extending beyond common cyber threat intelligence feeds and services, the Botnet Encyclopedia contextualizes advanced threats with tiered analysis including:
- Campaign information including name, variants, time frame of identification within the GGSN and links to external resources detailing the campaign.
- IOCs associated with the campaign, including the IP addresses from which attacks originate, the IPs and domains to which the malware opens outgoing connections, and the files dropped or created as part of the attack.
- Full attack flow as it was captured and saved by the GGSN, accompanied by detailed analysis from Guardicore Labs’ global team consisting of hackers, researchers and industry experts.
“Winning the war against cybercrime cannot be achieved by any one individual or organization; it must be a collaborative global effort,” says Harpaz. “Threat intelligence and knowledge sharing have long been the cornerstone of such efforts. With the Botnet Encyclopedia, we are enhancing the ability for teams and organizations to turn intelligence into action with publicly accessible, deep context into the most dangerous campaigns targeting enterprises around the world; past, present and future.”