Chinese nation-state espionage actors have deployed backdoor malware on Juniper Networks’ Junos operating system (OS) routers, a new analysis by Mandiant has revealed. Impacted organizations have been urged to upgrade their Juniper devices to the latest images released by the firm, which includes mitigations and updated signatures. The affected Juniper routers were running end-of-life hardware and software. Juniper Networks’ Junos OS, a proprietary OS that powers most Juniper routing, switching, and security devices, is used in a range of important industries, including telecommunications, data centers, enterprise networking, service providers, cloud computing, and government.
The activity has been attributed to a Chinese espionage group tracked by Mandiant as UNC3886. This group focuses on stealing and leveraging legitimate credentials to move laterally within networks and maintain long-term access to victim systems. The espionage group historically targets network devices and virtualization technologies with zero-day exploits and primarily targets organizations in the defense, technology, and telecommunication sectors. Mandiant said the findings demonstrate how Chinese espionage actors are expanding their compromise of networking infrastructure beyond network edge devices to include internal networking infrastructure, such as Internet Service Provider (ISP) routers.
How the Attackers Infected Juniper Routers
Mandiant’s investigation revealed that UNC3886 was able to overcome Junos OS’ protection subsystem, Veriexec, using a technique called process injection, in which attackers inject malicious code into the memory of a legitimate process. Veriexec is a kernel-based file integrity subsystem designed to protect the system against unauthorized code, including binaries, libraries, and scripts. The malicious code injection was achieved by gaining privileged access to a Juniper router from a terminal server used for managing network devices via legitimate credentials. They then entered the FreeBSD shell from the Junos OS command-line interface (CLI), allowing for commands to be received and executed.
Within the shell environment, the attackers generated a base64 encoded file named ldb.b64, which was decoded using base64 to create a compressed archive named ldb.tar.gz. This archive was subsequently used to extract malicious binaries, which enabled the backdoor to be executed on the routers. The researchers identified six distinct malware samples across multiple Juniper routers, each of which was a modified version of a Tinyshell backdoor. Tinyshell is an open-source backdoor written in C that communicates using a custom binary protocol. The deployed Tinyshell-based backdoors had varying custom capabilities, including active and passive backdoor functions, and an embedded script that disables logging mechanisms on the target device.
The Impact and Capabilities of the Backdoor Malware
The functions of the deployed Tinyshell-based backdoors worked towards the upload and download of data within the networks, essentially granting the attackers unfettered access to monitor and exfiltrate sensitive data. This level of access poses a significant risk to the affected organizations, as it allows the attackers to maintain a foothold within the network infrastructure for extended durations without being detected. The backdoors enabled by the malware are capable of executing commands remotely, providing the attackers with the ability to manipulate network traffic, create network disruptions, and potentially launch further attacks from the compromised devices.
Mandiant added that it has not identified any technical overlaps between this UNC3886 activity and other recently observed campaigns by Chinese groups such as Volt Typhoon or Salt Typhoon. This indicates that the attack on Juniper routers represents a distinct and evolving threat vector targeting crucial network infrastructure. The sophistication of this attack highlights the increasing capability of Chinese espionage actors to penetrate deeply into network environments, utilizing advanced tactics to bypass established security measures and maintain their presence within compromised systems. This development underscores the critical need for organizations to enhance their defensive strategies to safeguard against such advanced threats.
How to Protect Against Compromise of Network Routers
Chinese espionage groups have successfully deployed backdoor malware on routers running Juniper Networks’ Junos operating system, according to a new analysis by Mandiant. Organizations using these affected Juniper devices are advised to upgrade to the latest software versions, which come with mitigations and updated signatures. Notably, the impacted routers were running outdated hardware and software.
Junos OS, a proprietary operating system that powers most Juniper routing, switching, and security devices, is widely used across various industries, including telecommunications, data centers, enterprise networking, service providers, cloud computing, and government.
Mandiant has attributed this activity to a Chinese espionage group known as UNC3886. This group specializes in stealing legitimate credentials to move laterally within networks, ensuring long-term access to victim systems. They often target network devices and virtualization technologies with zero-day exploits, focusing mainly on organizations in defense, technology, and telecommunications. The recent findings by Mandiant highlight how Chinese espionage actors are extending their reach beyond network edge devices to internal networking infrastructure, such as ISP routers.