Juniper routers: Customized backdoors waiting for Magic Packets

IT researchers have discovered and investigated backdoors on Juniper routers. They are activated by magic packets.

(Image: Burglar wants to open back door in network device; created with AI in Bing Designer by heise online / dmk)

IT security researchers have examined backdoors that the perpetrators installed on Juniper routers during a wave of attacks. A special feature is that they first passively listen for so-called magic packets before becoming active and granting access.

In their in-depth analysis, the Black Lotus team at Lumen writes that it has dubbed the campaign that distributed the backdoor "J-magic". The first samples of the backdoor appeared in the VirusTotal malware database in September 2023. The researchers were unable to reconstruct how the attackers initially broke into the affected Juniper routers.

Once inside the routers, the perpetrators installed the backdoor, a variant of cd00r: an open source backdoor published on Packetstorm in 2000 as a proof of concept.


The variant under investigation passively listens for five predefined parameters (magic packets) before activating itself. If such a magic packet is detected, the backdoor agent sends back a second challenge. If this is passed, J-magic opens a reverse shell on the local file system and allows the operators to control the compromised device, steal data or distribute malicious software.
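As an added example (not from the article or from Lumen's report), a flow-correlation heuristic for the behaviour described above: because the implant opens no listening port, its trigger shows up as an unsolicited packet to a closed port on the router that the router never answers, followed shortly by the router itself opening an outbound connection (the reverse shell) back to the same host. The router address, the expected service ports, the time window and the flow records are all assumptions and constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since epoch
    src: str
    sport: int
    dst: str
    dport: int
    state: str     # "unanswered" (no reply from dst) or "established"


# Assumptions for this example: one monitored router, the ports it is expected
# to serve, and how soon after a trigger the callback must appear.
ROUTERS = {"10.0.0.1"}
EXPECTED_SERVICES = {22, 179, 443}
WINDOW_SECONDS = 60.0


def find_magic_packet_candidates(flows, routers=ROUTERS,
                                 services=EXPECTED_SERVICES, window=WINDOW_SECONDS):
    """Return (trigger, callback) pairs: an unanswered packet to a port the router
    does not serve, followed within `window` seconds by the router itself opening
    an outbound connection to the host that sent it. A passive cd00r-style
    implant never replies to the trigger, which is why the state must be unanswered."""
    ordered = sorted(flows, key=lambda f: f.ts)
    hits = []
    for i, trig in enumerate(ordered):
        if trig.dst not in routers or trig.dport in services or trig.state != "unanswered":
            continue
        for out in ordered[i + 1:]:
            if out.ts - trig.ts > window:
                break
            if out.src == trig.dst and out.dst == trig.src and out.state == "established":
                hits.append((trig, out))
                break
    return hits


# Constructed sample flows (not real traffic). Only the 198.51.100.7 pair should
# match: an unanswered packet to closed port 20001, then the router calling back.
SAMPLE_FLOWS = [
    Flow(1000.0, "203.0.113.5", 40000, "10.0.0.1", 443, "established"),    # normal HTTPS
    Flow(1010.0, "198.51.100.7", 51234, "10.0.0.1", 20001, "unanswered"),  # trigger
    Flow(1013.5, "10.0.0.1", 55001, "198.51.100.7", 443, "established"),   # callback
    Flow(1500.0, "192.0.2.9", 33000, "10.0.0.1", 8081, "unanswered"),      # lone probe
    Flow(1600.0, "10.0.0.1", 179, "10.0.0.2", 179, "established"),         # BGP peer
]

if __name__ == "__main__":
    for trig, out in find_magic_packet_candidates(SAMPLE_FLOWS):
        print(f"trigger {trig.src} -> {trig.dst}:{trig.dport} at {trig.ts}, "
              f"callback {out.src} -> {out.dst}:{out.dport} at {out.ts}")
```

On real data the flow records would come from NetFlow/IPFIX or a network sensor in front of the router, since the article notes that host-based monitoring on these devices is rare.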

The Lumen researchers assume that Juniper's enterprise routers are an attractive target because hardly any, if any, host-based monitoring tools are in use on them and the devices are rarely rebooted. Malware tailored for these routers is designed for long uptimes and is active only in memory, which makes detection more difficult and promises long-term access to malware that implants itself in the firmware.

Routers at the network edge or acting as VPN gateways, as many of those in the observed campaign were, are the most promising targets: their position opens the way into the rest of the corporate network. The campaign ran from around mid-2023 until at least mid-2024, Lumen adds. There are similarities to the "Seaspy" backdoor used to attack Barracuda Email Security Appliances (ESG) in 2023, which was also based on cd00r, but the researchers do not have enough data to link the two campaigns with high confidence.

Interested parties can find more information on the technical details of the backdoor in the blog post at Lumen.

Last October, Juniper patched more than 30 security vulnerabilities in the software of the company's devices. Some gaps, including in the Junos OS router operating system, were considered critical. Attackers could presumably have misused some of them to set up the analyzed backdoor.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.