

Ethical Hacking News

Stealthy Backdoors: How Chinese Cyberspies Exploited Vulnerabilities in Juniper Routers for Long-Term Access




  • Chinese cyberespionage actors tracked as UNC3886 planted custom backdoors on end-of-life Juniper Networks MX routers running Junos OS versions that no longer receive security updates; Mandiant discovered the activity in mid-2024.
  • Initial access came through legitimate but compromised credentials, used via terminal servers to reach the Junos OS CLI and then FreeBSD shell mode on the routers.
  • Junos OS's Veriexec file-integrity protection was circumvented by injecting malicious code into the memory of a legitimate running process, rather than disabling Veriexec and risking an alert.
  • Six custom backdoors, all derived from the open-source TinyShell, were deployed; each has its own communication method and its own set of hardcoded C2 addresses, and each is named to resemble a legitimate Junos daemon.
  • Two of the backdoors (appid, to) are active and connect out to C2; the other four (irad, jdosd, oemd, lmpad) are passive and wait for a network trigger, and lmpad additionally switches off logging while the operators work.
  • UNC3886 is a cyberespionage actor previously seen using zero-day vulnerabilities against virtualization platforms and edge networking devices.
  • Mandiant recommends replacing the end-of-life devices with supported models on current firmware, centralizing identity and access management, and enforcing MFA for device access.



  • Chinese cyberespionage actors have been planting custom backdoors on Juniper Networks MX routers that run end-of-life Junos OS hardware and software and therefore no longer receive security updates. Mandiant discovered the activity in mid-2024 and attributed it to the group it tracks as UNC3886.

    The backdoors are built on TinyShell, an open-source lightweight backdoor for Unix-like systems that provides remote command execution and file transfer; it has been used by multiple threat groups over the years, including Chinese actors. TinyShell was the foundation of the implants, not the means of entry: the routers were reached with valid credentials. UNC3886 deployed six TinyShell-derived variants, each with its own communication method and its own set of hardcoded command-and-control (C2) server addresses.

    UNC3886 is known for sophisticated intrusions that use zero-day vulnerabilities to compromise virtualization platforms and edge networking devices. In 2023, Mandiant reported the group exploiting a Fortinet FortiOS zero-day (CVE-2022-41328) against government organizations to deploy custom backdoors, and later that year exploiting a VMware zero-day to backdoor ESXi hosts.

    In the Juniper intrusions, the attackers used legitimate but compromised credentials to reach the Junos OS CLI through terminal servers used to manage the network devices, then escalated to FreeBSD shell mode on the routers themselves. Junos OS includes a file-integrity subsystem named Veriexec that blocks unauthorized binaries from executing. Mandiant found, however, that Veriexec checks what is loaded from disk, not what is already running: code injected into the memory of a trusted process still executes.

    "Veriexec protection prevents unauthorized binaries from executing," the Mandiant researchers explain. "This poses a challenge for threat actors, as disabling veriexec can trigger alerts." Rather than disable it, the attackers circumvented the protection by injecting malicious code into the memory of a legitimate process.

    Using this method, UNC3886 installed six custom backdoors on the MX routers, all based on TinyShell and each named one or two characters away from a real Junos daemon:

    * appid: An active backdoor whose name mimics the legitimate appidd process. It establishes a remote shell session, supports file upload and download, and can act as a proxy for malicious traffic.
    * to: An active backdoor whose name mimics the legitimate top process. It functions like appid but uses a different set of command-and-control (C2) addresses.
    * irad: A passive backdoor whose name mimics the legitimate irsd process. It is a packet-sniffer backdoor that stays dormant until it sees a magic string in ICMP traffic, then opens a remote shell session; because it sniffs rather than listens, it does not show up in port-based inventories.
    * jdosd: A passive backdoor whose name mimics the legitimate jddosd process. It listens on UDP port 33512 and activates when it receives the magic value 0xDEADBEEF from the attacker, after which it provides remote shell access for covert command execution.
    * oemd: A passive backdoor whose name mimics the legitimate oamd process. It is network-activated, binding to specific network interfaces rather than a fixed port, and talks to its C2 over TCP with AES-encrypted traffic.
    * lmpad: A utility and passive backdoor whose name mimics the legitimate lmpd process. Its main job is to switch off logging and security monitoring before an operation, by patching Juniper's SNMP and management daemons in memory, and to restore them afterwards, so that the window of attacker activity leaves few forensic traces.
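    The naming pattern in that list (appid for appidd, to for top, jdosd for jddosd, oemd for oamd, lmpad for lmpd) gives defenders a cheap hunt over a router's process table. The Python below is an added example written for this page, not Mandiant's or Juniper's code: it parses a constructed `show system processes` style listing (BSD ps format), compares every command name against an allowlist of legitimate Junos daemon names, and flags any name that is not on the allowlist but sits within one edit of an allowlisted name. The allowlist and the sample listing are both illustrative assumptions; a real baseline must come from a known-good device of the same platform and release.

```python
import os
from dataclasses import dataclass

# Illustrative allowlist of legitimate Junos daemon names. Assumption: the real
# baseline is taken from a known-good device of the same platform and release.
LEGITIMATE_DAEMONS = frozenset({
    "init", "rpd", "mgd", "chassisd", "snmpd", "dcd", "pfed", "cosd", "sshd",
    "cli", "appidd", "top", "irsd", "jddosd", "oamd", "lmpd",
})

# Constructed 'show system processes' output for the example: four implant-style
# names sit beside the daemons they imitate, plus one benign unknown (ntpd).
SAMPLE_LISTING = """\
  PID  TT  STAT      TIME COMMAND
    1  -   ILs    0:01.23 /sbin/init --
 1234  -   S      0:05.00 /usr/sbin/rpd -N
 1300  -   S      0:00.40 /usr/sbin/mgd -N
 1412  -   S      0:00.10 /usr/sbin/snmpd -N
 1500  -   S      0:00.08 /usr/sbin/ntpd -g
 2201  -   S      0:00.02 /usr/sbin/appidd
 2410  -   S      0:02.11 /var/tmp/appid
 2411  -   S      0:00.30 /var/tmp/to
 2415  -   S      0:00.00 /var/tmp/jdosd
 2420  -   S      0:00.00 /usr/sbin/lmpd
 2421  -   S      0:00.00 /var/tmp/lmpad
 3001  p0  Ss+    0:00.03 -cli (cli)
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete and substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass(frozen=True)
class Process:
    pid: int
    path: str   # executable as it appears in the COMMAND column
    name: str   # basename, the value compared against the allowlist


def parse_process_listing(text: str) -> list[Process]:
    """Parse BSD ps output (PID TT STAT TIME COMMAND) into Process records."""
    procs = []
    for line in text.splitlines():
        fields = line.split(None, 4)
        if len(fields) < 5 or not fields[0].isdigit():
            continue  # header, blank or otherwise unparseable line
        exe = fields[4].split()[0].lstrip("-")   # login shells show as '-cli'
        procs.append(Process(int(fields[0]), exe, os.path.basename(exe)))
    return procs


@dataclass(frozen=True)
class Finding:
    process: Process
    mimics: str      # the allowlisted daemon the name is closest to
    distance: int


def find_lookalike_processes(text: str, max_distance: int = 1) -> list[Finding]:
    """Flag non-allowlisted process names within max_distance edits of a real daemon."""
    findings = []
    for proc in parse_process_listing(text):
        if proc.name in LEGITIMATE_DAEMONS:
            continue
        closest = min(LEGITIMATE_DAEMONS, key=lambda d: (levenshtein(proc.name, d), d))
        distance = levenshtein(proc.name, closest)
        if distance <= max_distance:
            findings.append(Finding(proc, closest, distance))
    return findings


if __name__ == "__main__":
    for f in find_lookalike_processes(SAMPLE_LISTING):
        print(f"pid {f.process.pid}: {f.process.path} looks like '{f.mimics}'")
```

    Names that are unknown but not close to anything (ntpd above) are deliberately not flagged, so a gap in the allowlist does not drown the result; review those separately against the platform's package manifest. Run the hunt from a collector that pulls the listing over SSH rather than from the router itself, since lmpad is built precisely to tamper with what a compromised box reports.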

    The targeted Juniper MX routers are end-of-life and no longer receive security updates, so any weakness in them stays unpatched indefinitely. To prevent similar attacks, administrators should replace these devices with actively supported models and then bring those up to the latest firmware. Replacement alone does not evict an actor who got in with valid credentials, however: the passwords and keys used on the routers and on the terminal servers in front of them should be rotated as part of the same change.

    Strengthening authentication is equally important. Administrators should use a centralized identity and access management (IAM) system and enforce multi-factor authentication (MFA) for administrative access to all network devices, including the terminal servers used to manage them, so that a stolen password on its own no longer yields CLI access.

    A complete list of indicators of compromise (IoCs) for this campaign, together with YARA and Snort/Suricata rules, is provided at the bottom of Mandiant's report.
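    The passive implants also give defenders a network-side signal, since the page states that jdosd listens on UDP port 33512 and wakes up on the magic value 0xDEADBEEF. The Python below is an added example, not Mandiant's code and not its published Snort/Suricata rules: it parses raw IPv4 packets and flags a UDP datagram to that port whose payload carries the magic value. Two details are assumptions to narrow with the real rules: the page does not say where in the payload the value sits or in which byte order, so the detector matches both encodings anywhere in the payload. The sample packets are constructed for the example with a small builder (checksums left zero).

```python
import struct
from dataclasses import dataclass
from typing import Optional

JDOSD_PORT = 33512
# Assumption: the report gives the magic as 0xDEADBEEF but not its byte order
# or offset, so match both encodings anywhere in the datagram payload.
MAGIC_PATTERNS = (b"\xde\xad\xbe\xef", b"\xef\xbe\xad\xde")


@dataclass(frozen=True)
class Udp:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


def parse_ipv4_udp(packet: bytes) -> Optional[Udp]:
    """Return the UDP datagram inside a raw IPv4 packet, or None if not IPv4/UDP."""
    if len(packet) < 20:
        return None
    version_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if version_ihl >> 4 != 4 or proto != 17:          # IPv4 only, protocol 17 = UDP
        return None
    ihl = (version_ihl & 0x0F) * 4                    # header length incl. options
    if ihl < 20 or len(packet) < ihl + 8:
        return None
    sport, dport, ulen, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    payload = packet[ihl + 8:ihl + max(ulen, 8)]      # slicing clips a bogus length
    return Udp(".".join(map(str, src)), ".".join(map(str, dst)), sport, dport, payload)


def is_jdosd_trigger(packet: bytes) -> bool:
    """True when the packet is a UDP datagram to 33512 carrying the magic value."""
    udp = parse_ipv4_udp(packet)
    return (udp is not None and udp.dport == JDOSD_PORT
            and any(m in udp.payload for m in MAGIC_PATTERNS))


def scan_packets(packets: list[bytes]) -> list[tuple[str, str]]:
    """Return (src, dst) pairs for every trigger-looking datagram in a capture."""
    hits = []
    for pkt in packets:
        if is_jdosd_trigger(pkt):
            udp = parse_ipv4_udp(pkt)
            hits.append((udp.src, udp.dst))
    return hits


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a minimal IPv4/UDP packet for the constructed samples (checksums zero)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + udp


# Constructed sample traffic: documentation-range addresses, no real hosts.
SAMPLES = {
    "trigger": build_ipv4_udp("198.51.100.7", "192.0.2.1", 40000, JDOSD_PORT, b"\xde\xad\xbe\xef"),
    "trigger_le": build_ipv4_udp("198.51.100.7", "192.0.2.1", 40001, JDOSD_PORT, b"\x00\xef\xbe\xad\xde"),
    "benign_same_port": build_ipv4_udp("198.51.100.9", "192.0.2.1", 40002, JDOSD_PORT, b"hello"),
    "magic_other_port": build_ipv4_udp("198.51.100.7", "192.0.2.1", 40003, 33513, b"\xde\xad\xbe\xef"),
    # A TCP packet (protocol 6) with an empty 20-byte header: must be ignored.
    "not_udp": struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                           bytes([198, 51, 100, 7]), bytes([192, 0, 2, 1])) + bytes(20),
}


if __name__ == "__main__":
    for src, dst in scan_packets(list(SAMPLES.values())):
        print(f"possible jdosd trigger: {src} -> {dst} udp/{JDOSD_PORT}")
```

    The port is part of the match on purpose: the same four bytes appear in plenty of unrelated traffic, and the page ties jdosd to one specific port. A capture point on the management network, not the router, is the right place to run this, for the same reason as the process hunt above.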



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Stealthy-Backdoors-How-Chinese-Cyberspies-Exploited-Vulnerabilities-in-Juniper-Routers-for-Long-Term-Access-ehn.shtml

  • Published: Wed Mar 12 14:39:33 2025 by llama3.2 3B Q4_K_M


    © Ethical Hacking News . All rights reserved.