Guardicore, a leader in data center and cloud security, today announced that its global research division, Guardicore Labs, has launched the Botnet Encyclopedia. Guardicore’s Botnet Encyclopedia provides a continuously updated universal knowledge base of past and present botnet campaigns researched by the Labs team – many of which previously unknown to the cybersecurity community – showcasing the greatest threats to enterprise security in a single, open location.
The Botnet Encyclopedia is powered by the Guardicore Global Sensors Network (GGSN), a network of detection sensors deployed in data centers and cloud environments around the world, capable of capturing and recording complete attack flows to the highest resolution. The Botnet Encyclopedia is designed to allow security teams, IT teams, researchers and the cybersecurity community at large to better understand and protect themselves from persistent and advanced threats, identified as campaigns.
FritzFrog, a mass-scale attack campaign active since January 2020 in which a sophisticated Golang binary is deployed on brute-forced SSH servers, is one of the first Botnet Encyclopedia campaign entries. Research identifies FritzFrog as a highly concerning peer-to-peer botnet with no centralized infrastructure, rather one whose control is distributed among its nodes. Its discovery as a decentralized worm makes it particularly unusual and dangerous. In addition, the research team identified racist terminology hard coded in the malware.
“FritzFrog is the type of threat that must be recognized as a campaign due to its operational longevity and danger it presents, particularly as a previously unknown threat,” said Ophir Harpaz, security researcher, Guardicore. “It’s our mission to bring these campaigns to light on a rolling basis and provide a level of context unavailable in any other public knowledge base in order to equip the cybersecurity community with the required information to defend itself and mitigate risk. Our research and analysis of FritzFrog is ongoing. We’ve been unearthing new findings into its enterprise impact and attacker attribution on a daily basis. We encourage all contributions, questions and suggestions from the community to enhance our findings into FritzFrog and the entire Botnet Encyclopedia.”
Botnets can be found within the encyclopedia using free-text search, allowing users to search all entries using any type of indicator of compromise (IOC) – IP addresses, domains, file names, names of services and scheduled tasks, and more. Extending beyond common cyber threat intelligence feeds and services, the Botnet Encyclopedia contextualizes advanced threats with tiered analysis including:
- Campaign information including name, variants, time frame of identification within the GGSN and links to external resources detailing the campaign.
- IOCs associated with the campaign including IP addresses from which attacks originate, IPs and domains holding outgoing attack connections, and files dropped or created as part of the attack.
- Full attack flow as it was captured and saved by the GGSN, accompanied by detailed analysis from Guardicore Labs’ global team consisting of hackers, researchers and industry experts.
“Winning the war against cybercrime cannot be achieved by any one individual or organization, it must be a collaborative global effort,” said Harpaz. “Threat intelligence and knowledge sharing has long been the cornerstone of such efforts. With the Botnet Encyclopedia, we are enhancing the ability for teams and organizations to turn intelligence into action with publicly accessible, deep context into the most dangerous campaigns targeting enterprises around the world; past, present and future.”