
Unknown threat actor targeting Juniper routers with backdoor: Report

Network administrators using routers from Juniper Networks are being urged to scan for possible compromise after the discovery that an unknown threat actor has been installing a backdoor in customer routers since at least 2023.

The bad news: According to researchers at Lumen Technologies’ Black Lotus Labs, the unknown attacker can use the backdoor to open a reverse shell on the router, giving them control of the device and a position from which to steal data or deploy more malware.

Even more bad news: In a commentary, SANS Institute instructor Moses Frost noted that “Juniper is installed in many internet service providers’ backbones, and so having a backdoor on these systems can be a major problem.”

The good news, at least so far: when the researchers scanned the internet for possibly affected Juniper routers between March and September 2024, they found only 36 that appeared to be affected, most of them configured as VPN gateways.

“If I were the network administrator or the CISO, I would first try to understand if I was impacted,” Frost said in an email to CSO. “Lumen’s write-up has enough data to craft a script for this.”

Regardless, he advised, patch or replace your device. “I assume that Juniper would have more guidance, depending on what they have seen of this infection,” he said. “I would then rotate all passwords, enable 2FA, and eliminate remote access through the internet unless it’s a VPN device. Management interfaces should never be exposed to the internet. Look at procuring an Attack Surface Management solution and keep it maintained.”

“If you are affected or compromised, then this becomes such a challenge,” he added. “First, it’s re-imaging or, in some cases, hardware replacement, depending on the depth of the infection. Most of the time, deleting and replacing the firmware from scratch is enough, but Juniper may be of more assistance. Secondarily, there is a J-Door infection on your router: how did it get there? If you are impacted, someone has executed scripts on your device,” he said.

“From what this write-up alludes to, it’s a theory from Lumen that seems to make sense. Someone typically can only execute scripts if you log in to your router or an unknown exploit exists,” he added. “I will assume that the more straightforward explanation that someone has logged in is the more likely assumption. Closing access to login prompts from the internet, rotating passwords, and enabling 2FA are all part of a standard practice. If you didn’t know you had this device in your network, look at an attack surface management tool.”

Ed Dubrovsky, chief operating officer at Cypfer, an incident response firm, noted that so far this is “not a mass impact” event.

Still, he noted that threat actors are increasingly trying to compromise security devices, because controlling them gives the attacker control over access to the digital assets behind them.

“The majority of organizations are still dependent on vendor notifications or alerts, following standard processes such as change management to implement corrections and that results in a longer time to remediate,” he said. “A closer alignment between threat feeds and administration/operation function is advised.”

According to Lumen researchers, affected routers carry a variant of the open source cd00r backdoor, a passive agent written for UNIX-like systems. Rather than listening on a port, the agent watches incoming traffic for a “magic packet” that satisfies at least one of five predefined conditions. When a packet matches, the agent sends a challenge back to the sender, and only a correct response opens a reverse shell through which the attacker can control the router, steal data, or deploy more malware.
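The mechanism described above, modelled in Python as an added example (this is not code from Lumen’s report, from cd00r or from Juniper). The trigger conditions, the challenge format, the addresses and the packet trace are all constructed placeholders, not the real J-magic parameters. The point the model makes is twofold: a passive agent binds no port, so a port scan sees nothing, yet a closed port that answers with data instead of a RST is something a network sensor can catch.

```python
"""Passive "magic packet" backdoor model plus one network-side detection heuristic.

Added example for illustration only. TRIGGERS, ports, IPs and the trace are
hypothetical stand-ins for whatever the real malware checks.
"""
from dataclasses import dataclass
import secrets
import string

ALPHABET = string.ascii_letters + string.digits


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str                 # TCP flags, e.g. "S", "PA", "RA"
    payload: bytes = b""
    tcp_options: bytes = b""


# Hypothetical trigger conditions: none of them depends on a listening port,
# which is why a scan of open ports cannot reveal the agent.
TRIGGERS = (
    lambda p: p.tcp_options.startswith(b"\x4b\x4c"),    # unusual option bytes
    lambda p: b"MAGIC-MARKER" in p.payload,             # marker in payload
    lambda p: p.flags == "S" and p.sport == 48879,      # odd source port on SYN
)


def is_magic(p: Packet) -> bool:
    return any(t(p) for t in TRIGGERS)


class PassiveBackdoor:
    """Sees every packet to the host (as a pcap filter would) but binds nothing.

    It stays silent until a packet matches a trigger, then answers with a
    challenge; only the correct reply yields the reverse shell.
    """

    def __init__(self, host_ip: str, rng=None):
        self.host_ip = host_ip
        self.rng = rng or secrets.SystemRandom()
        self.pending = {}      # peer ip -> expected challenge answer

    def on_packet(self, p: Packet):
        if p.dst != self.host_ip:
            return None
        if p.src in self.pending:                       # second packet: the answer
            if p.payload == self.pending.pop(p.src):
                return ("reverse_shell", p.src)         # attacker now gets a shell
            return None
        if is_magic(p):                                 # first packet: the trigger
            answer = "".join(self.rng.choice(ALPHABET) for _ in range(5))
            self.pending[p.src] = answer.encode()
            # Modelled in plaintext here; a real agent protects this secret.
            return ("challenge", p.src, answer.encode())
        return None


def data_replies_from_closed_ports(trace, router_ip, listening_ports):
    """Flag inbound packets to a non-listening router port that got a data reply.

    A closed port answers with RST or not at all. A payload-bearing reply from
    a port no service binds is the footprint of a passive agent answering.
    """
    alerts = []
    for i, p in enumerate(trace):
        if p.dst != router_ip or p.dport in listening_ports:
            continue
        for q in trace[i + 1:]:
            if (q.src == router_ip and q.dst == p.src
                    and q.sport == p.dport and q.dport == p.sport):
                if q.payload and "R" not in q.flags:
                    alerts.append((p.src, p.dport, q.payload))
                break
    return alerts


def demo():
    """Run a constructed trace through the agent and the detector."""
    router, admin = "192.0.2.1", "192.0.2.50"
    scanner, attacker = "203.0.113.9", "198.51.100.7"
    agent = PassiveBackdoor(router)
    trace = [
        Packet(admin, router, 51000, 22, "PA", b"SSH-2.0-client"),     # legit SSH
        Packet(router, admin, 22, 51000, "PA", b"SSH-2.0-server"),
        Packet(scanner, router, 40000, 8080, "S"),                      # scan, closed port
        Packet(router, scanner, 8080, 40000, "RA"),                     # normal RST
        Packet(attacker, router, 48879, 4444, "S", tcp_options=b"\x4b\x4c\x00"),
    ]
    events = []
    for p in list(trace):                      # agent is silent on the first four
        ev = agent.on_packet(p)
        if ev and ev[0] == "challenge":
            trace.append(Packet(router, ev[1], p.dport, p.sport, "PA", ev[2]))
            answer = Packet(ev[1], router, p.sport, p.dport, "PA", ev[2])
            trace.append(answer)
            events.append(agent.on_packet(answer))
    alerts = data_replies_from_closed_ports(trace, router, {22, 830})
    return events, alerts


if __name__ == "__main__":
    print(demo())
```

In the constructed trace the scanner’s probe of port 8080 draws a RST and is ignored, while the attacker’s packet to port 4444 draws a data reply (the challenge) and is flagged. On a real router the equivalent check is a flow-level rule in the network sensor: data leaving a management or edge device from a port that the device’s configuration does not expose.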

The Lumen researchers call this campaign J-magic.

So far they do not know how the Juniper routers were initially compromised.

Lumen urged network admins and infosec pros to follow this advice from the SANS Institute to defend against the cd00r backdoor: “There are no reliable signatures to detect cd00r, as it can be easily altered,” the guidance noted.

“The best form of defense is for an organization to adopt practices that will prevent system compromise, such as monitoring for vulnerabilities and deploying intrusion detection in their environment. Moreover, an organization that develops a strong incident handling capability will position itself to respond to a variety of incident scenarios, including those incidents that involve the use of cd00r,” it said. 

Lumen researchers also urged admins to search their environments for all indicators of compromise mentioned in its report, review network logs for signs of data exfiltration and lateral movement, and look for common persistence mechanisms.

CSO asked Juniper Networks for comment on the Lumen report on Tuesday. No response was received by press time.

“We believe enterprise grade routers present an attractive target as they do not normally have many, if any, host-based monitoring tools in place,” said the Lumen report. “Typically, these devices are rarely power-cycled; malware tailored for routers is designed to take advantage of long uptime and live exclusively in-memory, allowing for low-detection and long-term access compared to malware that burrows into the firmware. Routers on the edge of the corporate network or serving as the VPN gateway, as many did in this campaign, are the richest targets. This placement represents a crossroads, opening avenues to the rest of a corporate network.

“Our telemetry indicates the J-magic campaign was active from mid-2023 until at least mid-2024; in that time, we observed targets in the semiconductor, energy, manufacturing, and IT verticals among others,” it noted.

While the majority of the suspected impacted Juniper routers acted as VPN gateways, Lumen researchers found a smaller second set of IP addresses with an exposed NETCONF port, the protocol used to automate retrieval and management of router configuration.

Usually router-oriented malware is aimed at devices from Cisco Systems running its IOS operating system, the report noted, because of Cisco’s market share. “The J-magic campaign marks the rare occasion of malware designed specifically for Junos OS,” said the report. Junos OS is a variant of FreeBSD, a Unix-like operating system.

Magic Packet malware is increasingly being used against perimeter devices, Lumen said. The first example was BPFdoor, followed by Symbiote.

Source: Network World
