
A China-nexus cyber espionage group tracked as UNC3886 has been observed targeting Juniper Networks' end-of-life MX routers as part of a campaign designed to deploy custom backdoors, highlighting its ability to focus on internal network infrastructure.
"The backdoors had varying custom capabilities, including active and passive backdoor functions, as well as an embedded script that disables logging mechanisms on the target device," Google-owned Mandiant said in a report shared with The Hacker News.
The threat intelligence firm described the development as an evolution of the adversary's tradecraft, which has historically exploited zero-day vulnerabilities in Fortinet, Ivanti, and VMware devices to compromise networks of interest and establish persistence for remote access.
First documented in September 2022, the hacking crew has been rated "highly adept" and is capable of targeting edge devices and virtualization technologies with the ultimate goal of breaching defense, technology, and telecommunications organizations in the U.S. and Asia.
These attacks typically take advantage of the fact that such network perimeter devices lack security monitoring and detection solutions, allowing the intruders to operate uninterrupted and unnoticed.

"The compromise of routing devices is a recent trend in the tactics of espionage-motivated adversaries, as it grants the capability for long-term, high-level access to crucial routing infrastructure, with the potential for more disruptive actions in the future," Mandiant said.
The latest activity, discovered in mid-2024, involves the use of implants based on TinyShell, a C-based backdoor that has been used in the past by various Chinese hacking groups such as Liminal Panda and Velvet Ant.
Mandiant has identified six distinct TinyShell-based backdoors, each with unique capabilities:
- appid, which supports file upload/download, an interactive shell, a SOCKS proxy, and configuration changes (command-and-control server, port number, network interface, etc.)
- A second implant with the same feature set as appid, but which uses a different set of hard-coded C2 servers
- irad, a passive backdoor that acts as a libpcap-based packet sniffer, extracting its commands from packets that reach the device
- A utility and passive backdoor that launches external scripts to perform process injection into legitimate Junos OS processes in order to stall logging
- jdosd, which implements a UDP backdoor with file transfer and remote shell functions
- oemd, a further backdoor in the same family
It is also worth noting that the threat actor takes steps to bypass Junos OS's Verified Exec (Veriexec) protection, which prevents untrusted code from being executed, in order to run the malware. This is achieved by gaining privileged access to the router from a terminal server used to manage network devices, using legitimate credentials.
It then uses its elevated privileges to inject a malicious payload into the memory of a legitimate cat process, leading to the execution of the lmpad backdoor while Veriexec remains enabled.

“The main purpose of this malware is to disable all possible logging before the operator connects to the router and performs practical activities, then restores the logs after the operator is disconnected,” Mandiant pointed out.
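Because this implant silences logging only while the operator is on the box, the trace it leaves is an unusually quiet stretch in the device's syslog bracketed by otherwise normal activity. The following Python check is an added example, not code from the report or from Juniper; it runs over a constructed Junos-style syslog excerpt and assumes a baseline gap threshold and a set of session-marker strings that a defender would tune to their own environment.

```python
"""Flag silent windows in router syslog, a defender-side check for log-suppression tradecraft."""
from datetime import datetime

# Constructed Junos-style syslog excerpt (sample data, not from the Mandiant report).
SAMPLE_LOG = """\
Jun  4 09:58:01 mx-core-1 mgd[1201]: UI_LOGIN_EVENT: User 'netops' login, class 'j-super-user'
Jun  4 09:59:30 mx-core-1 sshd[1388]: Accepted publickey for netops from 10.0.0.5 port 51022
Jun  4 10:00:02 mx-core-1 rpd[1101]: RPD_OSPF_NBRUP: OSPF neighbor 10.1.1.2 state changed from Init to Full
Jun  4 10:41:55 mx-core-1 eventd[1099]: SYSTEM_OPERATIONAL: System is operational
Jun  4 10:42:10 mx-core-1 mgd[1201]: UI_LOGOUT_EVENT: User 'netops' logout
"""

# Messages that indicate an operator session on the box (assumed marker strings; tune per site).
SESSION_MARKERS = ("UI_LOGIN_EVENT", "Accepted publickey", "Accepted password")


def parse_syslog(text, year=2024):
    """Return (timestamp, message) pairs; BSD syslog lines carry no year, so one is supplied."""
    events = []
    for line in text.splitlines():
        try:
            ts = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)
        except ValueError:
            continue  # skip lines that do not start with a syslog timestamp
        events.append((ts, line[16:]))
    return events


def find_silent_windows(text, max_gap_minutes=30, lookback_minutes=10, year=2024):
    """Report gaps between consecutive log lines longer than the expected baseline,
    noting whether an operator session was logged shortly before the silence began."""
    events = parse_syslog(text, year)
    windows = []
    for (t0, _), (t1, _) in zip(events, events[1:]):
        gap_minutes = (t1 - t0).total_seconds() / 60
        if gap_minutes <= max_gap_minutes:
            continue
        # Messages in the lookback period before the gap started.
        recent = [m for t, m in events if 0 <= (t0 - t).total_seconds() <= lookback_minutes * 60]
        windows.append({
            "start": t0.isoformat(),
            "end": t1.isoformat(),
            "minutes": round(gap_minutes, 1),
            "session_before": any(mk in m for m in recent for mk in SESSION_MARKERS),
        })
    return windows
```

On the sample, the check reports one 41.9-minute silent window that begins right after a login, which is exactly the pattern worth correlating with session records from the management terminal server.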
Other tools deployed by UNC3886 include rootkits such as Reptile and Medusa; PITHOOK, which hijacks SSH authentication and captures SSH credentials; and GHOSTTOWN, used for anti-forensics purposes.
Organizations are advised to upgrade their Juniper devices to the latest images released by Juniper Networks, which include mitigations and updated signatures for the Juniper Malware Removal Tool (JMRT).
The development comes a little over a month after Lumen Black Lotus Labs revealed that enterprise-grade Juniper Networks routers had become the target of a custom backdoor as part of a campaign called J-magic, which delivers a variant of a known backdoor named cd00r.
"The malware deployed on Juniper Networks' Junos OS routers demonstrates that UNC3886 has in-depth knowledge of advanced system internals," Mandiant researchers said.
“In addition, UNC3886 continues to tamper with log and forensic artifacts and use passive backdoors to prioritize stealth in its operations, focusing on long-term sustainability, while minimizing the risk of detection.”