Source: www.csoonline.com – Author:
News Analysis
12 Mar 2025, 8 mins
Advanced Persistent Threats, Hacker Groups, Security Hardware
The threat group UNC3886 uses stolen credentials and custom malware implants to compromise end-of-life routers from Juniper Networks still in use by enterprises and ISPs.
A Chinese cyberespionage group with a history of exploiting proprietary network-edge devices and developing custom malware for them has also been targeting enterprise and ISP-grade Juniper MX Series routers, according to a report by Google’s Mandiant team.
The attackers were able to bypass the file integrity protections of Junos OS, the FreeBSD-based operating system used on Juniper Networks’ routers, to deploy custom backdoors. This activity, attributed to an advanced persistent threat (APT) group that the Mandiant team tracks as UNC3886, dates back to at least the middle of 2024 and seems to have affected Juniper MX routers that were running end-of-life hardware and software versions.
The use of end-of-life networking hardware, while definitely not recommended, is not unusual on internal networks, considering budget constraints and the significant costs associated with replacing such devices.
“While UNC3886 previously focused their operations on network edge devices, this activity demonstrated they’re also targeting internal networking infrastructure, such as Internet Service Provider (ISP) routers,” the Mandiant researchers said in their report.
“Mandiant observed the threat actor targeting network authentication services, including the Terminal Access Controller Access-Control System (TACACS+), and terminal servers with access to the routers to gain privileged initial access.”
Attackers were well-versed in Junos OS features
Malware implants deployed on the analyzed devices were variants of the publicly available TINYSHELL backdoor, but with added functionality and customizations that show the attackers had an in-depth knowledge of Junos OS features and internal operations.
UNC3886 has displayed such product-specific knowledge before, having previously created custom malware for VMware ESXi hypervisors and network-edge devices from Fortinet and Ivanti. While UNC3886 is tracked as a stand-alone group, some tooling overlap with other Chinese state-sponsored groups such as APT41 was observed in the past — although tool and infrastructure sharing is a long-standing hallmark of Chinese cyberespionage.
“Mandiant recommends that organizations upgrade their Juniper devices to the latest images released by Juniper Networks, which includes mitigations and updated signatures for the Juniper Malware Removal Tool (JMRT),” researchers said. “Organizations should run the JMRT Quick Scan and Integrity Check after the upgrade.”
File integrity protections were bypassed
Attackers’ initial access to the Juniper MX routers analyzed by Mandiant seems to have been achieved with legitimate credentials. While UNC3886 has developed and used zero-day exploits to compromise network-edge devices in the past, the group actively performs credential collection on compromised networks for lateral movement to support its goal of long-term persistent access.
Junos OS provides administrators with a custom command-line interface (CLI) that allows issuing Junos-specific commands, but also the ability to switch to the underlying FreeBSD shell and use the general FreeBSD command-line tools and programs.
The OS also implements a modified variant of the NetBSD Verified Exec (veriexec), a kernel-based file integrity verification subsystem whose goal is to protect against the execution of unauthorized binaries. As such, deploying and running any malware implant requires a bypass of this feature or disabling it entirely, which could raise alerts.
UNC3886 developed a complex process injection technique in order to bypass veriexec by creating a hung process using the built-in and legitimate cat utility, writing a malicious shellcode loader to specific memory locations assigned to the cat process and then tricking the process into executing that code. Since the malicious code execution happened through a trusted process, veriexec was bypassed.
Highly customized TINYSHELL variants were used
The shellcode loader was then used to execute a position independent code (PIC) variant of TINYSHELL stored in a file called lmpad, which mimics the name of the legitimate lmpd (link management protocol daemon) process.
In addition to the standard TINYSHELL capabilities — remote file upload, remote file download and remote shell session — the lmpad variant can hook into two legitimate Junos OS processes to disable logging before a remote operator connects to the backdoor.
“The main purpose of this malware is to disable all possible logging before the operator connects to the router to perform hands-on activities and then later restore the logs after the operator disconnects,” the researchers said.
The backdoor contains five custom commands. In addition to the default TINYSHELL functionality, these allow the disabling and restoring of logging functions, the encryption of the interactive shell session traffic over UDP, the backup and restore of the Juniper router configuration database and updating the communication socket timeout value.
But lmpad is just one of six different TINYSHELL variants that UNC3886 deployed on various compromised routers. Each of these had significantly different customizations and Junos-related capabilities added to them.
The attacks employed operational relay box networks
Another variant called appid — masquerading as the legitimate appidd (application identification daemon) — is an active backdoor in addition to being a passive one that waits for incoming connections. The backdoor actively tries to establish connection with a list of four hardcoded IP addresses that are part of an ORB network and point to a command-and-control (C2) server.
Operational relay box (ORB) networks are essentially botnets of compromised devices and virtual private servers that are used to proxy malicious traffic. They have become a commonly used asset by Chinese cyberespionage groups in recent years, and their goal is to complicate attribution.
Another instance of this TINYSHELL variant with different hardcoded C2 IP addresses was observed with the file name “to”, which likely mimics the legitimate binary called top (table of processes).
A fourth variant, using the name irad, implements a libpcap-based packet sniffer to monitor traffic over all network interfaces and waits for a magic packet in an ICMP ECHO request to activate its active backdoor functionality.
The fifth variant, jdosd, was likely named after the Juniper DDOS protection daemon (jddosd) process and is a passive backdoor implementation that binds to UDP port 33512 and uses a custom RC4 implementation to encrypt traffic.
Finally, sample six, called oemd after the legitimate operation, administration, and maintenance daemon (oamd), communicated with the C2 server over TCP instead of UDP and the traffic is encrypted with AES. Its configuration is stored in environment variables.
All the samples use a custom AF_ROUTE socket to communicate with the OS routing subsystem. This socket uses custom messages and is specific to Junos OS. Running the samples on a standard FreeBSD installation would result in an invalid socket error, making it clear that these samples were created specifically for Junos OS and the attackers have spent time understanding the OS networking internals.
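Every implant described above hides behind a near-miss of a legitimate Junos daemon name (lmpad for lmpd, appid for appidd, to for top, jdosd for jddosd, oemd for oamd). The following is an added example, not code from the Mandiant report or from Juniper's JMRT, showing how a defender could sweep a process listing taken from the FreeBSD shell for such lookalikes; the listing is constructed, and the edit-distance threshold of 1 is an assumption.

```python
"""Flag shell processes whose names are near-misses of legitimate Junos daemons.

Added example (not from the Mandiant report or Juniper tooling). The legitimate
names come from the article; the sample listing and the distance threshold are
constructed assumptions for illustration.
"""

# Legitimate Junos daemon names that the article says the implants imitate.
LEGIT_NAMES = {"lmpd", "appidd", "top", "jddosd", "oamd"}

# Constructed sample in the shape of `ps -axo pid,user,comm` output.
SAMPLE_PS = """\
 4210 root    lmpd
 4211 root    lmpad
 4220 root    appidd
 4221 root    appid
 4230 root    jddosd
 4231 root    jdosd
 4240 root    oamd
 4241 root    oemd
 4250 root    top
 4251 root    to
 4260 root    sshd
"""


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious_processes(ps_output: str, max_dist: int = 1):
    """Return (pid, name, lookalike_of) for every process whose name is within
    max_dist edits of a legitimate daemon name but is not that name."""
    hits = []
    for line in ps_output.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        pid, name = parts[0], parts[2]
        if name in LEGIT_NAMES:
            continue  # exact legitimate name, nothing to flag here
        for legit in sorted(LEGIT_NAMES):
            if levenshtein(name, legit) <= max_dist:
                hits.append((int(pid), name, legit))
                break
    return hits
```

A hit is only a lead: confirm it against the device's veriexec manifest and JMRT output, since short names such as "to" will also collide with benign processes.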
“The compromise of routing devices is a recent trend in the tactics of espionage-motivated adversaries as it grants the capability for a long-term, high-level access to the crucial routing infrastructure, with a potential for more disruptive actions in the future,” the Mandiant researchers warned. “A concerted effort is required to safeguard these critical systems and ensure the continued stability and security of the internet.”
How to mitigate attacks on Juniper routers
Another reason attackers go after such devices is that they generally lack advanced security monitoring and detection capabilities, such as the ability to deploy endpoint detection and response (EDR) agents on them. The Google Threat Intelligence and Mandiant team make the following recommendations in order to better protect such devices:
- Organizations should upgrade their Juniper devices to the latest images which contain mitigations and updated signatures for JMRT and run JMRT Quick Scan and Integrity check after the upgrade.
- Implement a centralized identity and access management (IAM) system with robust multifactor authentication (MFA) and granular role-based access control (RBAC) for managing network devices.
- Implement a network configuration management that supports configuration validation against defined templates and standards, with the ability to automatically remediate deviations or trigger alerts for manual intervention.
- Address and prioritize high-risk administrative activities and implement monitoring solutions with a process to regularly review the effectiveness of detection.
- Prioritize patching and mitigation of vulnerabilities in network devices, including those in lesser-known operating systems.
- Implement a device lifecycle management program that includes proactive monitoring, automated software updates, and end-of-life (EOL) replacement planning to ensure network devices are always supported and secure.
- Strengthen the security posture of network devices, administrative devices and systems used for managing network devices by implementing strict access controls, network segmentation, and other security measures.
- Proactively leverage threat intelligence to continually evaluate and improve the effectiveness of security controls against emerging threats.
Original Post url: https://www.csoonline.com/article/3844122/chinese-cyberespionage-group-deploys-custom-backdoors-on-juniper-routers.html
Category & Tags: Advanced Persistent Threats, Hacker Groups, Network Security, Security Hardware