Chinese spies plant custom backdoors and secretly lurk in Juniper routers


Juniper routers, widely used by telecoms, large companies, and data centers, are being targeted by a Chinese cyberespionage group. Google Mandiant researchers have discovered custom backdoors tailored for end-of-life hardware.

A China-nexus espionage group, labeled UNC3886, has been deploying custom backdoors on Juniper Networks' Junos OS routers.

The group is highly adept and has a long history of targeted attacks on network devices and virtualization technologies with zero-day exploits.


“UNC3886 interests seem to be focused mainly on defense, technology, and telecommunication organizations located in the US and Asia,” Google Mandiant researchers said.

The hackers were discovered in Juniper MX routers in mid-2024. The routers were running end-of-life hardware and software.

UNC3886 has been using at least six custom backdoors based on TINYSHELL, a lightweight backdoor shell that threat actors use to gain remote access and execute commands through a command-line interface.

“The malware deployed on Juniper Networks’ Junos OS routers demonstrates that UNC3886 has in-depth knowledge of advanced system internals,” the report reads.

“The backdoors had varying custom capabilities, including active and passive backdoor functions, as well as an embedded script that disables logging mechanisms on the target device.”

UNC3886 previously mostly focused its operations on edge network devices. The latest activity demonstrates a shift to also targeting internal networking infrastructure, such as Internet Service Provider (ISP) routers.

Ghost in the router

The threat actor prioritizes stealth and maintains long-term persistence in its operations. To run its own code on a router at all, UNC3886 has to get past Veriexec, a kernel-level file integrity subsystem in Junos OS that blocks execution of unauthorized binaries and protects against code tampering.


The hackers therefore target end-of-life hardware and software, where that protection can be circumvented. The group first uses legitimate credentials to log in to a terminal server that manages the network devices and from there obtains privileged access to the routers. It then bypasses Veriexec by injecting malicious code into the memory of a legitimate, already running process, so the backdoor never has to exist on disk as a file that Veriexec would check.

Mandiant did not find evidence of successful exploitation of flaws already addressed by Juniper in supported product versions.

UNC3886 then deploys various versions of backdoor malware capable of tampering with logs and forensic artifacts, indicating a focus on long-term persistence while minimizing the risk of detection.

Each of the six malware variants analyzed by Google researchers has unique capabilities and differs greatly in terms of activation methods and additional Junos OS-specific features.

“It grants the capability for a long-term, high-level access to the crucial routing infrastructure, with a potential for more disruptive actions in the future. A concerted effort is required to safeguard these critical systems and ensure the continued stability and security of the internet,” the researchers warn.

Two backdoor variants, named “appid” and “to,” are active backdoors: they connect out to command-and-control servers, encrypt their traffic with AES, and support the standard TINYSHELL command set, including uploading and downloading files, launching binaries, and changing configuration.

The third sample, called “irad,” acts as a packet sniffer. It inspects network packets on the wire and activates its backdoor capabilities only when it detects a “magic string.” It operates in both active and passive modes and has custom commands for doing nothing or relaying connections.

The fourth one, “lmpad,” can additionally launch an external script and inject code into two legitimate Junos OS processes in order to disable logging and suppress alerts.


“The main purpose of this malware is to disable all possible logging before the operator connects to the router to perform hands-on activities and then later restore the logs after the operator disconnects,” Google Mandiant said.
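A disable-then-restore routine of the kind described above leaves a characteristic hole in a device's syslog stream: the messages simply stop while the operator works and resume when the session ends. The following is an added example, not code from Google Mandiant, Juniper, or the article: a small Python heuristic that parses BSD-style syslog lines, finds silences longer than a baseline, and flags those bracketed by a login and a logout. The device name, user names, addresses, message texts and the 15-minute baseline are all constructed assumptions for illustration, not data from the report.

```python
"""Heuristic detector for log-suppression windows in a router's syslog.

Added example for this article, not Google Mandiant or Juniper code.
Assumption (ours): the device normally logs at least once every
MAX_SILENCE seconds, so a longer silence is worth a look, and a silence
that starts right after a login and ends with a logout is the shape a
disable-then-restore logging routine would leave behind.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample lines shaped like Junos syslog output. They are not
# from any real device or from the Mandiant report.
SAMPLE_LOG = """\
Mar 12 09:58:10 mx-edge1 mgd[2104]: UI_LOGIN_EVENT: User 'netops' login, class 'super-user'
Mar 12 09:58:44 mx-edge1 mgd[2104]: UI_CMDLINE_READ_LINE: User 'netops', command 'show interfaces terse'
Mar 12 09:59:02 mx-edge1 rpd[1877]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer 203.0.113.9 changed state from Established to Idle
Mar 12 09:59:31 mx-edge1 rpd[1877]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer 203.0.113.9 changed state from Idle to Established
Mar 12 10:00:05 mx-edge1 mgd[2104]: UI_LOGOUT_EVENT: User 'netops' logout
Mar 12 10:00:41 mx-edge1 sshd[3320]: Accepted password for svc-backup from 198.51.100.20 port 51214 ssh2
Mar 12 10:00:42 mx-edge1 mgd[3325]: UI_LOGIN_EVENT: User 'svc-backup' login, class 'super-user'
Mar 12 11:47:13 mx-edge1 mgd[3325]: UI_LOGOUT_EVENT: User 'svc-backup' logout
Mar 12 11:47:50 mx-edge1 chassisd[1402]: CHASSISD_SNMP_TRAP6: SNMP trap generated: FRU power on
"""

MAX_SILENCE = 900  # assumed baseline: at least one message per 15 minutes

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<proc>[^\[\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
SESSION_OPEN = re.compile(r"UI_LOGIN_EVENT|Accepted (?:password|publickey)")
SESSION_CLOSE = re.compile(r"UI_LOGOUT_EVENT|session closed")


@dataclass
class Event:
    when: datetime
    host: str
    proc: str
    msg: str


@dataclass
class Gap:
    start: datetime
    end: datetime
    seconds: float
    before: Event  # last message seen before the silence
    after: Event   # first message seen after it


def parse_syslog(text: str, year: int = 2025) -> list[Event]:
    """Parse BSD-style syslog lines. The format carries no year, so one is
    supplied; a timestamp that jumps backwards is treated as a year rollover."""
    events: list[Event] = []
    prev = None
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # skip anything that is not a syslog record
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if prev is not None and when < prev:
            year += 1
            when = when.replace(year=year)
        prev = when
        events.append(Event(when, m["host"], m["proc"], m["msg"]))
    return events


def find_gaps(events: list[Event], max_silence: float) -> list[Gap]:
    """Return every interval between consecutive messages longer than max_silence."""
    return [
        Gap(a.when, b.when, (b.when - a.when).total_seconds(), a, b)
        for a, b in zip(events, events[1:])
        if (b.when - a.when).total_seconds() > max_silence
    ]


def suspicious_gaps(gaps: list[Gap]) -> list[tuple[Gap, str]]:
    """Rank silences by how closely they track an interactive session."""
    out = []
    for g in gaps:
        opened = bool(SESSION_OPEN.search(g.before.msg))
        closed = bool(SESSION_CLOSE.search(g.after.msg))
        if opened and closed:
            out.append((g, "silence bracketed by login and logout"))
        elif opened or closed:
            out.append((g, "silence adjacent to session activity"))
    return out


def scan(text: str, max_silence: float = MAX_SILENCE, year: int = 2025):
    return suspicious_gaps(find_gaps(parse_syslog(text, year), max_silence))


if __name__ == "__main__":
    for gap, reason in scan(SAMPLE_LOG):
        print(f"{gap.start:%b %d %H:%M:%S} -> {gap.end:%H:%M:%S} "
              f"({gap.seconds:.0f}s silent): {reason}")
        print(f"  before: {gap.before.proc}: {gap.before.msg}")
        print(f"  after:  {gap.after.proc}: {gap.after.msg}")
```

The heuristic only works if the device's logs are shipped off-box to a collector the attacker cannot edit, and the baseline has to be tuned per device; a quiet access router will need a longer MAX_SILENCE than a busy core box. Any gap it flags is a prompt to compare the router's running binaries and configuration against a known-good image, not a verdict on its own.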


The “jdosd” variant listens over UDP on a fixed port and encrypts its traffic with a custom (and buggy) RC4 implementation. The last variant, “oemd,” is a passive backdoor bound to specific network interfaces that reads its command-and-control server address and port from environment variables rather than carrying them hardcoded.

Mandiant worked with Juniper Networks to investigate the activity and recommends upgrading Juniper devices to the latest images released by the company.

The report also recommends that organizations implement a centralized Identity and Access Management (IAM) system with robust multi-factor authentication (MFA), as well as enhancing configuration management, monitoring, and vulnerability patching.