Somebody has been quietly backdooring selected Juniper routers worldwide in key sectors including semiconductor, energy, and manufacturing, since at least mid-2023.
The devices have been infected with what appears to be a variant of cd00r, a publicly available “invisible backdoor” designed to operate stealthily on a victim’s machine by monitoring network traffic for specific conditions before activating.
It is not yet publicly known how the snoops gained sufficient access to certain organizations’ Junos OS equipment to plant the backdoor, which gives them remote control over the networking gear. What we do know is that about half of the devices were configured as VPN gateways.
Once injected, the backdoor, dubbed J-magic by Black Lotus Labs this week, resides in memory only and passively waits for one of five possible network packets to arrive. When one of these magic packet sequences is received by the machine, a connection is established with the sender, and a follow-up challenge is initiated by the backdoor. If the sender passes the check, they get command-line access to the box to commandeer it.
As Black Lotus Labs explained in this research note on Thursday: “Once that challenge is complete, J-Magic establishes a reverse shell on the local file system, allowing the operators to control the device, steal data, or deploy malicious software.”
While it is not the first-ever discovered magic packet [PDF] malware, the team wrote, “the combination of targeting Junos OS routers that serve as a VPN gateway and deploying a passive listening in-memory-only agent, makes this an interesting confluence of tradecraft worthy of further observation.”
Juniper did not respond to The Register’s inquiries.
Black Lotus Labs said it spotted J-Magic on VirusTotal, and the researchers said the earliest sample had been uploaded in September 2023.
The malware creates an eBPF filter to monitor traffic to a specified network interface and port, and waits until it receives any of five specially crafted packets from the outside world. If one of these magic packets – described in the lab’s report – shows up, the backdoor connects to whoever sent the magic packet using SSL; sends a random, five-character-long alphanumeric string encrypted using a hardcoded public RSA key to the sender; and if the sender can decrypt the string using the private half of the key pair and send it back to the backdoor to verify, the malware will start accepting commands via the connection to run on the box.
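The trigger-then-callback sequence just described gives a defender one concrete thing to look for: a router that receives an unsolicited packet from an internet host and, seconds later, opens a TLS connection back to that same host. The following heuristic over flow records is an added example, not code from the Black Lotus Labs report or from Juniper; the router address, TLS ports, time window and sample flows are constructed assumptions.

```python
"""Detection heuristic for the callback pattern described above (added
example, not from the Black Lotus Labs report). A VPN gateway terminates
inbound sessions but should not open TLS connections of its own to arbitrary
internet hosts; J-magic does exactly that, back to whoever sent the trigger.
Flow-record format, thresholds and sample data are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    ts: float        # seconds (constructed timestamps)
    src: str
    dst: str
    dport: int
    direction: str   # "in" = arrives at the router, "out" = router-initiated


ROUTER_IP = "203.0.113.1"   # TEST-NET-3 placeholder for the monitored gateway
TLS_PORTS = {443, 8443}     # constructed: ports treated as TLS callback targets
WINDOW = 30.0               # seconds allowed between trigger and callback


def find_callback_pairs(flows, router_ip=ROUTER_IP, window=WINDOW):
    """Return (trigger_ts, callback_ts, peer) for each router-initiated TLS
    connection whose destination sent the router a packet within the previous
    `window` seconds. Inbound-only VPN clients never match."""
    inbound = defaultdict(list)
    for f in flows:
        if f.direction == "in" and f.dst == router_ip:
            inbound[f.src].append(f.ts)
    hits = []
    for f in sorted(flows, key=lambda f: f.ts):
        if f.direction != "out" or f.src != router_ip or f.dport not in TLS_PORTS:
            continue
        earlier = [t for t in inbound.get(f.dst, []) if 0 < f.ts - t <= window]
        if earlier:                      # pair with the most recent trigger
            hits.append((max(earlier), f.ts, f.dst))
    return hits


# Constructed sample: a normal IPsec client, a trigger-then-callback pair,
# a benign outbound NTP query, and a TLS connection outside the window.
SAMPLE_FLOWS = [
    Flow(900.0, "192.0.2.10", ROUTER_IP, 500, "in"),       # IKE from a VPN user
    Flow(901.0, "192.0.2.10", ROUTER_IP, 4500, "in"),      # NAT-T, still inbound
    Flow(1000.0, "198.51.100.7", ROUTER_IP, 12345, "in"),  # unsolicited packet
    Flow(1004.0, ROUTER_IP, "198.51.100.7", 443, "out"),   # router calls back
    Flow(1010.0, ROUTER_IP, "192.0.2.53", 123, "out"),     # NTP, not TLS
    Flow(2000.0, "198.51.100.9", ROUTER_IP, 22, "in"),     # SSH probe
    Flow(2100.0, ROUTER_IP, "198.51.100.9", 443, "out"),   # too late to pair
]
```

Pair this with a baseline of hosts the gateway legitimately connects to over TLS (a logging collector, for instance), since those would otherwise need allow-listing to keep the alert actionable.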
“We suspect that the developer has added this RSA challenge to prevent other threat actors from spraying the internet with magic packets to enumerate victims and then simply repurposing the J-Magic agents for their own purposes, as other nation-state actors are known for exhibiting that parasitic tradecraft such as Turla,” the lab’s threat hunters wrote.
Assuming the attacker successfully completes the challenge, they have full access to the router, leaving the victim organization vulnerable to further compromise.
These victims span the globe, with the researchers documenting companies in the US, UK, Norway, the Netherlands, Russia, Armenia, Brazil, and Colombia. They included a fiber optics firm, a solar panel maker, manufacturing companies including two that build or lease heavy machinery, and one that makes boats and ferries, plus energy, technology, and semiconductor companies.
While most of the targeted devices were Juniper routers acting as VPN gateways, a more limited set of targeted IP addresses had an exposed NETCONF port, which is often used to help automate router configuration information and management.
This suggests the routers are part of a larger, managed fleet such as those in a network service provider, the researchers note.
“We suspect these devices were targeted for their central role in the routing ecosystem,” they added. “As routers that are configured with network filters, settings, policies, monitoring, and controls, they are valuable as targets for attackers who may want to pivot or persist within an ecosystem.”
Black Lotus Labs also published a full list of indicators of compromise, so we would recommend giving those a read on the security shop’s GitHub page. ®