Chinese Hackers Implant Backdoor Malware on Juniper Routers

by CybrGPT

Chinese nation-state espionage actors have deployed backdoor malware on routers running Juniper Networks’ Junos operating system (OS), a new analysis by Mandiant has revealed.

Impacted organizations have been urged to upgrade their Juniper devices to the latest images released by the firm, which include mitigations and updated signatures.

The affected Juniper routers were running end-of-life hardware and software.

Juniper Networks Junos OS is a proprietary OS that powers most Juniper routing, switching and security devices. It is used in a range of important industries, including telecommunications, data centers, enterprise networking, service providers, cloud computing and government.

The activity has been attributed to a Chinese espionage group tracked by Mandiant as UNC3886. This group focuses on stealing and leveraging legitimate credentials to move laterally within networks and maintain long-term access to victim systems.

The espionage group historically targets network devices and virtualization technologies with zero-day exploits.

It primarily targets organizations in the defense, technology and telecommunication sectors.

Mandiant said the findings demonstrate how Chinese espionage actors are expanding their compromise of networking infrastructure beyond network edge devices to include internal networking infrastructure, such as Internet Service Provider (ISP) routers.

“The compromise of routing devices is a recent trend in the tactics of espionage-motivated adversaries as it grants the capability for a long-term, high-level access to the crucial routing infrastructure, with a potential for more disruptive actions in the future. A concerted effort is required to safeguard these critical systems and ensure the continued stability and security of the internet,” the researchers noted.

Mandiant added that it has not identified any technical overlaps between this UNC3886 activity and other recently observed campaigns by Chinese groups such as Volt Typhoon or Salt Typhoon.

Mandiant worked with Juniper to investigate the activity.

How the Attackers Infected Juniper Routers

Mandiant’s investigation revealed that UNC3886 was able to overcome Junos OS’ protection subsystem, Veriexec, using a technique called process injection, in which attackers inject malicious code into the memory of a legitimate, already-running process. Because Veriexec checks files at the point they are loaded for execution, code placed directly into the memory of a process it has already trusted is never subjected to that check.

Veriexec is a kernel-based file integrity subsystem designed to protect the system against unauthorized code including binaries, libraries and scripts.

To reach that point, the attackers first gained privileged access to a Juniper router from a terminal server used for managing network devices, authenticating with legitimate credentials. From the Junos OS command-line interface (CLI) they then dropped into the underlying FreeBSD shell, where arbitrary commands could be entered and executed.

Within the shell environment, the attackers created a base64-encoded file named ldb.b64, decoded it with the base64 utility into a compressed archive named ldb.tar.gz, and extracted the malicious binaries from that archive. Those binaries performed the injection that allowed the backdoor to run on the routers.

The researchers identified six distinct malware samples across multiple Juniper routers, each of which was a modified version of the TinyShell backdoor.

TinyShell is an open-source backdoor written in C that communicates using a custom binary protocol.

The deployed TinyShell-based backdoors had varying custom capabilities. These include active backdoor functions (the implant initiates an outbound connection to the attackers) and passive ones (the implant listens for an inbound connection), as well as an embedded script that disables logging mechanisms on the target device.

All of these functions served the same end: uploading and downloading data across the victim networks.
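The two observable steps in the chain above that still reach the router’s own syslog are the CLI-to-shell escape (Junos’ management daemon, mgd, logs every CLI command as a UI_CMDLINE_READ_LINE message, but commands typed inside the FreeBSD shell do not pass through it) and the silence that follows once a logging-disabling script runs. The following detection script is an added example and is not part of Mandiant’s report or of any Juniper tooling. The sample log lines are constructed here, modelled on the real Junos UI_LOGIN_EVENT and UI_CMDLINE_READ_LINE message formats; the hostname, user name, and addresses (198.51.100.7 standing in for a management terminal server) are placeholders, and the "log silence" threshold is an assumption about what counts as abnormal quiet for a given device.

```python
import re
from datetime import datetime

# Constructed sample in Junos syslog format (not from the report). The user
# logs in from a terminal server, runs a benign command, escapes to the
# FreeBSD shell, and then the device goes quiet for over an hour.
SAMPLE_SYSLOG = """\
Mar 11 10:15:02 edge-rtr1 mgd[5432]: UI_LOGIN_EVENT: User 'netops' login, class 'super-user' [5432], ssh-connection '198.51.100.7 50122 192.0.2.1 22', client-mode 'cli'
Mar 11 10:15:09 edge-rtr1 mgd[5432]: UI_CMDLINE_READ_LINE: User 'netops', command 'show interfaces terse '
Mar 11 10:15:40 edge-rtr1 mgd[5432]: UI_CMDLINE_READ_LINE: User 'netops', command 'start shell user root '
Mar 11 12:02:13 edge-rtr1 mgd[5432]: UI_CMDLINE_READ_LINE: User 'netops', command 'show system uptime '
"""

# Generic envelope of an mgd message: timestamp, host, process, event name, body.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) mgd\[\d+\]: "
    r"(?P<event>UI_\w+): (?P<rest>.*)$"
)
# UI_LOGIN_EVENT body: who logged in, with what class, and from which address.
LOGIN_RE = re.compile(
    r"User '(?P<user>[^']+)' login, class '(?P<cls>[^']+)'.*?"
    r"ssh-connection '(?P<src>\S+) \d+ \S+ \d+'"
)
# UI_CMDLINE_READ_LINE body: who typed which CLI command.
CMD_RE = re.compile(r"User '(?P<user>[^']+)', command '(?P<cmd>.*)'")
# 'start shell' (optionally 'start shell user root') leaves the CLI for FreeBSD.
SHELL_RE = re.compile(r"^\s*start\s+shell\b")


def analyze(log_text, silence_minutes=60):
    """Return (kind, host, detail) findings for shell escapes and log silence.

    Shell escapes are correlated with the most recent login of that user so
    the finding carries the source address and login class. A gap longer than
    silence_minutes between consecutive mgd messages is reported as possible
    log suppression (an assumed heuristic, tuned per device in practice).
    """
    findings = []
    sessions = {}  # user -> (source address, login class)
    prev_ts = None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Junos syslog carries no year; strptime defaults to 1900, which is
        # fine for computing differences within one capture.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        if prev_ts is not None and (ts - prev_ts).total_seconds() > silence_minutes * 60:
            findings.append(("log_silence", m["host"],
                             f"{ts - prev_ts} with no mgd messages before {m['ts']}"))
        prev_ts = ts

        if m["event"] == "UI_LOGIN_EVENT":
            lm = LOGIN_RE.search(m["rest"])
            if lm:
                sessions[lm["user"]] = (lm["src"], lm["cls"])
        elif m["event"] == "UI_CMDLINE_READ_LINE":
            cm = CMD_RE.search(m["rest"])
            if cm and SHELL_RE.match(cm["cmd"]):
                src, cls = sessions.get(cm["user"], ("unknown", "unknown"))
                findings.append(("shell_escape", m["host"],
                                 f"user {cm['user']} ({cls}) from {src}: {cm['cmd'].strip()}"))
    return findings


if __name__ == "__main__":
    for kind, host, detail in analyze(SAMPLE_SYSLOG):
        print(f"{kind:13} {host:10} {detail}")
```

In production the source address of each shell escape is what to compare against the inventory of approved management terminal servers, and the silence heuristic is better expressed as a deviation from that device’s usual message rate than as a fixed number of minutes.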

How to Protect Against Compromise of Network Routers

Mandiant set out several steps to mitigate the compromise of network routers. These include:

  • Implement a centralized identity and access management (IAM) system with robust multi-factor authentication (MFA) and granular role-based access control (RBAC) for managing network devices
  • Implement network configuration management that supports configuration validation against defined templates and standards
  • Introduce enhanced monitoring solutions with a process to regularly review the effectiveness of detection
  • Prioritize patching and mitigation of vulnerabilities in network devices, including those in lesser-known operating systems
  • Implement a device lifecycle management program that includes proactive monitoring, automated software updates and end-of-life (EOL) replacement planning for network devices
  • Leverage proactive threat intelligence to continually evaluate and improve the effectiveness of security controls against emerging threats
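The second recommendation, validating device configurations against a defined template, is the control that would surface drift such as an unexpected privileged login account or a management service that should not be enabled. The checker below is an added example, not Mandiant’s or Juniper’s code. It works on Junos "set"-style configuration output; the statements it uses are real Junos syntax, but the template itself, the approved user list, the syslog collector address (192.0.2.10) and the drifted device configuration are all constructed for this example.

```python
import re

# Constructed template: statements every managed router must carry.
REQUIRED = (
    "set system services ssh root-login deny",
    "set system services ssh protocol-version v2",
    "set system syslog host 192.0.2.10 any any",
    "set system syslog host 192.0.2.10 interactive-commands any",
)
# Constructed template: statement prefixes that must never appear.
FORBIDDEN_PREFIXES = (
    "set system services telnet",
    "set system services ftp",
    "set system services ssh root-login allow",
)
# Constructed list of login accounts approved to exist on the device.
APPROVED_USERS = frozenset({"netops", "noc-ro"})

USER_RE = re.compile(r"^set system login user (\S+)")

# Constructed device configuration that has drifted from the template:
# root SSH login is allowed, telnet is on, an extra super-user exists, and
# CLI commands are not being shipped to the collector.
SAMPLE_CONFIG = """\
## Last commit: 2025-03-11 09:58:12 UTC by netops
set system services ssh root-login allow
set system services ssh protocol-version v2
set system services telnet
set system services netconf ssh
set system syslog host 192.0.2.10 any any
set system login user netops class super-user
set system login user svc-backup class super-user
set system login user svc-backup authentication encrypted-password "$6$placeholder"
"""


def parse_set_config(text):
    """Split 'show configuration | display set' output into clean statements."""
    return [
        line.strip()
        for line in text.splitlines()
        if line.strip() and not line.lstrip().startswith("#")
    ]


def validate(lines, required=REQUIRED, forbidden=FORBIDDEN_PREFIXES, approved=APPROVED_USERS):
    """Return (kind, detail) findings: missing, forbidden, unapproved_user."""
    present = set(lines)
    findings = [("missing", stmt) for stmt in required if stmt not in present]
    seen_users = set()
    for line in lines:
        if any(line.startswith(prefix) for prefix in forbidden):
            findings.append(("forbidden", line))
        m = USER_RE.match(line)
        if m and m.group(1) not in approved and m.group(1) not in seen_users:
            # A user produces several 'set system login user' lines; report once.
            seen_users.add(m.group(1))
            findings.append(("unapproved_user", m.group(1)))
    return findings


if __name__ == "__main__":
    for kind, detail in validate(parse_set_config(SAMPLE_CONFIG)):
        print(f"{kind:16} {detail}")
```

Run against a configuration pulled over NETCONF or from the configuration archive on a schedule, and treat any "unapproved_user" or "forbidden" finding on a core or ISP-facing router as an incident to investigate rather than a ticket to close by editing the template.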

Image credit: bluestork / Shutterstock.com

© 2025 cybrgpt.com – All rights reserved.