Chinese Hackers Targeting Juniper Networks Routers, So Patch Now
A recent analysis by Google's cybersecurity team Mandiant has revealed that Chinese hackers are targeting Juniper Networks routers with several modified variants of a backdoor malware, in an attempt to gain access to defense, technology, and telecommunications organizations in the US and Asia.
Mandiant wrote a detailed report on the group, which they attribute to the China-nexus espionage group UNC3886. The researchers first spotted malicious activity in mid-2024, and observed that the attackers were using various tactics to infiltrate Junos OS-powered devices.
The attackers exploited a weakness in Veriexec, a kernel-based file integrity subsystem that prevents the OS from running unauthorized code, including binaries, libraries, and scripts. "Execution of untrusted code is still possible if it occurs within the context of a trusted process," Mandiant explained. The researchers discovered that UNC3886 circumvented this protection by injecting malicious code into the memory of a legitimate, already-trusted process.
The attackers targeted their victims with six distinct malware samples, each a variant of the TINYSHELL backdoor with its own unique capabilities. While all share the same core backdoor functionality, they differ in their activation methods and in their OS-specific features.
Mandiant's investigation revealed that the attackers "continue to show a deep understanding of the underlying technology" of the appliances being targeted. The researchers recommended that users upgrade their Juniper devices to the latest images, which include mitigations and updated signatures for the Juniper Malware Removal Tool (JMRT).
The JMRT should be run after the upgrade to check the integrity of the devices. Mandiant added that, at the time of writing, it had not identified any technical overlaps between the activity detailed in its report and the activity publicly reported by other parties as Volt Typhoon or Salt Typhoon.
This suggests that Salt Typhoon, Volt Typhoon, and UNC3886 are distinct entities, but possibly working under the same umbrella. It is essential for organizations to take immediate action to patch their Juniper Networks routers and prevent potential cyber attacks.
What You Need to Do
To protect yourself from this threat, it is recommended that you upgrade your Juniper devices to the latest images. This will ensure that your appliances receive the mitigations and updated signatures for the TINYSHELL backdoor malware variants.
You should also run the Juniper Malware Removal Tool (JMRT) after the upgrade and check the integrity of your devices regularly. By taking these precautions, you can reduce the risk of unauthorized access to your devices and networks.