Article Details
Scrape Timestamp (UTC): 2025-03-12 14:04:53.505
Original Article Text
Chinese cyberspies backdoor Juniper routers for stealthy access

Chinese hackers are deploying custom backdoors on Juniper Networks Junos OS MX routers that have reached end-of-life (EoL) and no longer receive security updates. The backdoors are primarily variants of the TinyShell malware, an open-source tool that facilitates data exchange and command execution on Linux systems, and which has been used by multiple threat groups over the years.

The attacks were discovered in mid-2024 by Mandiant, who attributed them to a cyberespionage threat actor known as UNC3886.

"In mid 2024, Mandiant discovered threat actors deployed custom backdoors operating on Juniper Networks' Junos OS routers," explains a new report by Mandiant. "Mandiant attributed these backdoors to the China-nexus espionage group, UNC3886. Mandiant uncovered several TINYSHELL based backdoors operating on Juniper Networks' Junos OS routers."

This threat actor is known for sophisticated attacks utilizing zero-day vulnerabilities to compromise virtualization platforms and edge networking devices. In 2023, Chinese hackers were behind a series of attacks on government organizations using a Fortinet zero-day vulnerability (CVE-2022-41328) to deploy custom backdoors. Later that year, the threat actors exploited a VMware ESXi zero-day vulnerability to backdoor ESXi hosts.

Attacking Juniper routers with 6 backdoors

Mandiant has observed UNC3886 attacks starting from terminal servers used for managing network devices, where the threat actors used compromised credentials to access the Junos OS CLI and escalate to FreeBSD shell mode.

The researchers note that Junos OS has a file integrity system named 'Veriexec' that prevents unauthorized code from running on devices. However, they discovered that code injected into trusted processes could still be executed.

"Veriexec protection prevents unauthorized binaries from executing. This poses a challenge for threat actors, as disabling veriexec can trigger alerts," explain the Mandiant researchers. "However, execution of untrusted code is still possible if it occurs within the context of a trusted process. Mandiant's investigation revealed that UNC3886 was able to circumvent this protection by injecting malicious code into the memory of a legitimate process."

Utilizing this method, UNC3886 installed the six custom backdoors on the MX routers, all based on TinyShell:

For stealth and persistence, each of the six backdoors used by UNC3886 in the attacks has a distinct C2 communication method and uses a separate set of hardcoded C2 server addresses.

Given that UNC3886 targets end-of-life Juniper MX routers, the priority should be replacing these devices with new models that are actively supported and then upgrading those to the latest firmware. Although Juniper did not release fixes this time, the vendor published a bulletin that includes mitigation recommendations and updated signatures for its Juniper Malware Removal Tool (JMRT).

System administrators should also strengthen authentication security by using a centralized Identity & Access Management (IAM) system and enforcing multi-factor authentication (MFA) for all network devices.

A complete list of the indicators of compromise (IoCs) related to this campaign, along with YARA and Snort/Suricata rules, is provided at the bottom of Mandiant's report.

Juniper routers were also previously targeted in J-Magic malware attacks that opened a reverse shell to the device when it received specially crafted packets. That campaign was designed for low detection and long-term access to corporate networks.
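The intrusion path described above (a login to the Junos CLI with valid but compromised credentials, followed by an escalation to the FreeBSD shell) leaves a trace in the router's own syslog before any backdoor is injected. The script below is an added example written for this page, not code from Mandiant's report or from Juniper: it correlates CLI login events with subsequent `start shell` commands and reports every escalation, raising the severity when the login did not come from an expected management host. The log lines, the management-host allowlist and the correlation window are all constructed for the example; the message shapes only approximate Junos `mgd` syslog messages, so the regular expressions should be checked against real exports before use.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed sample syslog lines (not real captures). The message shapes
# approximate Junos mgd UI_LOGIN_EVENT / UI_CMDLINE_READ_LINE messages.
SAMPLE_LOG = """\
Mar 10 03:12:44 mx-core1 mgd[2201]: UI_LOGIN_EVENT: User 'netops' login, class 'j-super-user' [pid 2201], ssh-connection '10.20.0.7 51514 10.20.0.1 22', client-mode 'cli'
Mar 10 03:13:02 mx-core1 mgd[2201]: UI_CMDLINE_READ_LINE: User 'netops', command 'show interfaces terse '
Mar 10 03:13:40 mx-core1 mgd[2201]: UI_CMDLINE_READ_LINE: User 'netops', command 'start shell '
Mar 10 09:41:10 mx-core1 mgd[3310]: UI_LOGIN_EVENT: User 'netops' login, class 'j-super-user' [pid 3310], ssh-connection '203.0.113.44 52000 10.20.0.1 22', client-mode 'cli'
Mar 10 09:41:35 mx-core1 mgd[3310]: UI_CMDLINE_READ_LINE: User 'netops', command 'show chassis hardware '
Mar 10 09:42:01 mx-core1 mgd[3310]: UI_CMDLINE_READ_LINE: User 'netops', command 'start shell user root '
"""

# Hosts from which interactive management of the routers is expected.
# Constructed allowlist for the example: the address of the terminal server.
MANAGEMENT_HOSTS = {"10.20.0.7"}

# Maximum gap between a CLI login and a shell escalation for the two to be linked
# (assumed value for the example).
LINK_WINDOW = timedelta(minutes=30)

Event = namedtuple("Event", "ts host kind user detail")

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) mgd\[\d+\]: (?P<msg>.*)$")
LOGIN_RE = re.compile(r"UI_LOGIN_EVENT: User '(?P<user>[^']+)' login.*ssh-connection '(?P<src>[\d.]+) ")
CMD_RE = re.compile(r"UI_CMDLINE_READ_LINE: User '(?P<user>[^']+)', command '(?P<cmd>[^']*)'")


def parse_events(text):
    """Turn raw syslog text into Event records for logins and CLI commands."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog lines carry no year; a fixed year is enough for in-window deltas.
        ts = datetime.strptime("2025 " + m.group("ts"), "%Y %b %d %H:%M:%S")
        msg = m.group("msg")
        if (lm := LOGIN_RE.search(msg)):
            events.append(Event(ts, m.group("host"), "login", lm.group("user"), lm.group("src")))
        elif (cm := CMD_RE.search(msg)):
            events.append(Event(ts, m.group("host"), "command", cm.group("user"), cm.group("cmd").strip()))
    return events


def detect_shell_escalations(events, management_hosts=MANAGEMENT_HOSTS, window=LINK_WINDOW):
    """Report every CLI-to-shell escalation, linked to the login that preceded it."""
    last_login = {}   # (host, user) -> most recent login Event
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.host, ev.user)
        if ev.kind == "login":
            last_login[key] = ev
            continue
        if not ev.detail.startswith("start shell"):
            continue
        login = last_login.get(key)
        src = login.detail if login and ev.ts - login.ts <= window else "unknown"
        # Shell access is rare in day-to-day operation and is the attack path the
        # report describes, so every escalation is reported; a login from outside
        # the management allowlist (or with no linked login) raises the severity.
        severity = "medium" if src in management_hosts else "high"
        findings.append({
            "host": ev.host, "user": ev.user, "time": ev.ts.isoformat(),
            "command": ev.detail, "source": src, "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in detect_shell_escalations(parse_events(SAMPLE_LOG)):
        print(f"[{f['severity'].upper()}] {f['host']} {f['time']} user={f['user']} "
              f"from={f['source']} cmd={f['command']!r}")
```

Because UNC3886 started from the organisation's own terminal servers, a source-based allowlist alone would not have caught the first escalation in the sample; that is why the script reports shell access unconditionally and uses the source only to rank the alert. Pairing this with the MFA and centralised IAM recommendations from the bulletin limits what a stolen password can do before the escalation is ever attempted.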
Daily Brief Summary
Chinese cyberespionage group UNC3886 installed custom backdoors on end-of-life Juniper Networks' Junos OS routers.
The hacks were executed using variants of the TinyShell malware, targeting routers that no longer receive security updates.
Mandiant, a cybersecurity firm, identified and linked the backdoor placements to UNC3886 in mid-2024, emphasizing the sophisticated nature of these attacks.
While Junos OS has file integrity protection called 'Veriexec', the attackers managed to circumvent this by injecting malicious code into the memory of trusted processes.
The backdoors employed distinct command and control mechanisms for stealth and persistence, making detection and mitigation challenging.
Juniper Networks has not released specific patches but has provided a list of mitigation strategies and updated signatures for their Juniper Malware Removal Tool.
Replacement of the compromised routers with newer models supporting the latest firmware is recommended for heightened security.
The report includes YARA and Snort/Suricata rules for detecting the compromises, along with a comprehensive list of indicators of compromise (IoCs).