China-linked APT UNC3886 Targets EoL Juniper Routers

A sophisticated China-linked cyber espionage group, tracked as UNC3886, has been identified by Mandiant researchers as targeting End-of-Life (EOL) Juniper Networks' Junos OS MX routers. The attacks, which began in mid-2024, involved the deployment of custom backdoors on these vulnerable devices.

The TINYSHELL-based backdoors, used by UNC3886, had various capabilities, including active and passive access, as well as a script to disable logging. Mandiant collaborated with Juniper Networks to investigate the attacks, which revealed that the affected routers were running outdated hardware and software, making them vulnerable to exploitation.

UNC3886 is a sophisticated China-linked APT group that targets network devices and virtualization technologies using zero-day exploits. Its primary focus is on defense, technology, and telecommunications sectors in the US and Asia. In 2023, the group targeted multiple government organizations using the Fortinet zero-day CVE-2022-41328 to deploy custom backdoors.

The group's latest operation on Juniper Networks' Junos OS routers demonstrates a deep knowledge of system internals. UNC3886 prioritizes stealth by using passive backdoors and tampering with logs and forensic artifacts to ensure long-term persistence while evading detection.

Mandiant observed UNC3886 using compromised credentials to access the Junos OS CLI from terminal servers that manage network devices, then escalating to FreeBSD shell mode. The threat actor had to bypass the Verified Exec (veriexec) subsystem, adapted from NetBSD Veriexec, which prevents unauthorized code execution, including binaries, libraries, and scripts.

UNC3886 bypassed this security mechanism by injecting malicious code into trusted processes. This allowed them to install six TINYSHELL-based backdoors named appid, to, irad, jdosd, oemd, and lmpad. Each backdoor was designed for remote access, persistence, and stealth, enabling attackers to evade detection and maintain long-term control.

“Veriexec protection prevents unauthorized binaries from executing. This poses a challenge for threat actors, as disabling veriexec can trigger alerts. However, execution of untrusted code is still possible if it occurs within the context of a trusted process,” reads the report published by Mandiant.
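The intrusion path above starts with a CLI login followed by an escalation into the FreeBSD shell. Junos records each CLI command as a UI_CMDLINE_READ_LINE syslog message, so the escalation step is visible to a collector. The script below is an added example, not from Mandiant or Juniper; the log lines are constructed and the exact message layout is assumed from Junos syslog conventions.

```python
import re

# Junos CLI command-audit message, e.g.
#   Mar 10 14:02:11 mx1 mgd[4711]: UI_CMDLINE_READ_LINE: User 'ops', command 'start shell '
# Layout assumed from Junos syslog conventions; verify against your own collector output.
CMDLINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\smgd\[\d+\]:\s"
    r"UI_CMDLINE_READ_LINE:\sUser\s'(?P<user>[^']+)',\scommand\s'(?P<cmd>[^']*)'"
)

# CLI commands that drop the operator into the underlying FreeBSD shell.
SHELL_ESCAPES = ("start shell",)

# Constructed sample log: two shell escalations among routine activity.
SAMPLE_LOG = """\
Mar 10 14:01:58 mx1 mgd[4711]: UI_CMDLINE_READ_LINE: User 'ops', command 'show interfaces terse '
Mar 10 14:02:11 mx1 mgd[4711]: UI_CMDLINE_READ_LINE: User 'ops', command 'start shell '
Mar 10 14:05:40 mx2 mgd[5120]: UI_CMDLINE_READ_LINE: User 'netadmin', command 'start shell user root '
Mar 10 14:06:02 mx2 sshd[5200]: Accepted password for netadmin from 10.0.0.5 port 51022 ssh2
"""


def parse_cli_command(line):
    """Return a dict for a UI_CMDLINE_READ_LINE message, or None for any other line."""
    m = CMDLINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["cmd"] = rec["cmd"].strip()  # Junos appends a trailing space to the command
    return rec


def find_shell_escalations(lines):
    """Return every CLI command that escapes into the FreeBSD shell, in log order."""
    hits = []
    for line in lines:
        rec = parse_cli_command(line)
        if rec and rec["cmd"].startswith(SHELL_ESCAPES):
            hits.append(rec)
    return hits


def escalations_by_host(lines):
    """Count shell escapes per router so unexpected devices stand out in review."""
    counts = {}
    for rec in find_shell_escalations(lines):
        counts[rec["host"]] = counts.get(rec["host"], 0) + 1
    return counts


if __name__ == "__main__":
    for rec in find_shell_escalations(SAMPLE_LOG.splitlines()):
        print(f"{rec['ts']} {rec['host']}: user {rec['user']!r} ran {rec['cmd']!r}")
```

Shell escapes are legitimate for some maintenance, so the useful alert is a baseline comparison: escapes from an account, terminal server or router that never did this before.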

The Backdoors: A Detailed Analysis

Below are the descriptions of the backdoors provided by Mandiant:

  • appid: This backdoor was designed for remote access and persistence. It allowed attackers to maintain long-term control over the compromised device.
  • to: Similar to appid, this backdoor enabled remote access and persistence.
  • irad: This backdoor was used for stealth purposes, allowing attackers to evade detection.
  • jdosd: Another stealth-based backdoor, jdosd was designed to maintain the attacker's presence on the compromised device.
  • oemd: This backdoor enabled remote access and persistence, similar to appid and to.
  • lmpad: The final backdoor in the series, lmpad was used for stealth purposes, allowing attackers to evade detection.

Mandiant also provided Indicators of Compromise (IoCs) and YARA rules to detect these backdoors. This report serves as a warning to network administrators and security experts to be vigilant against this sophisticated China-linked APT group.