Threat actors have been observed targeting enterprise-grade Juniper Networks routers with a custom backdoor called J-magic.
J-magic is a variant of the publicly available cd00r backdoor. Researchers have not yet determined how the backdoor is being installed on Juniper Networks routers. Once installed, however, it continuously monitors TCP traffic for a ‘magic packet’ sent by the threat actors. When this packet is received, J-magic establishes a reverse SSH shell to the IP address and port specified in the magic packet, allowing the threat actors to steal files and deploy additional payloads.
J-magic is unique in that it is designed to be deployed on devices running Junos OS, the proprietary operating system used by Juniper Networks devices.
The J-magic backdoor campaign is believed to have begun in September 2023, targeting companies in the semiconductor, energy, manufacturing, and information technology (IT) sectors based in multiple countries.
Source: The Hacker News
Analysis
The threat actors are likely deploying J-magic through a known but unpatched vulnerability affecting Juniper routers, or through a zero-day vulnerability they can exploit for this purpose. Regardless of the initial access method, the threat actors clearly have both an interest in, and the capability of, compromising Juniper routers, hence the design of a backdoor specific to Junos OS, the operating system these routers run.
This isn’t the first time Juniper Networks routers have been targeted by threat actors. In 2023, threat actors were observed leveraging weaknesses in Junos OS to install the Chrysalis backdoor, which is capable of stealing credentials and intercepting traffic.
The increased targeting of routers and other edge devices by threat actors poses a significant cybersecurity risk, as these devices often serve as the first line of defense in a network. Compromising routers can provide attackers with persistent access to a network, enabling them to monitor traffic, exfiltrate sensitive data, or serve as a launchpad for further attacks.
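One observable that follows directly from the behaviour described above is the reverse SSH session itself: it is opened from the router toward an operator-chosen IP and port, whereas edge routers normally accept management SSH and only initiate sessions to a small set of internal services. The following is an added detection example written for this article, not code from Field Effect or from the J-magic research; the log format, the router address and the allowlisted network are constructed assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample connection log (initiator -> responder, one session per
# line); not real telemetry. 203.0.113.7 plays the role of a core router.
SAMPLE_LOG = """\
2025-01-23T10:14:05Z 203.0.113.7:45120 -> 10.10.0.5:514 udp
2025-01-23T10:14:09Z 192.0.2.55:51234 -> 203.0.113.7:22 tcp
2025-01-23T10:15:40Z 203.0.113.7:33210 -> 198.51.100.9:22 tcp
2025-01-23T10:15:41Z 203.0.113.7:33212 -> 10.10.0.20:22 tcp
2025-01-23T10:16:00Z 203.0.113.7:33214 -> 198.51.100.9:2222 tcp
"""

# Hypothetical inventory: router management addresses, and the internal
# networks a router is expected to open sessions toward (syslog, NTP, jump hosts).
ROUTERS = {ipaddress.ip_address("203.0.113.7")}
EXPECTED_DST = [ipaddress.ip_network("10.10.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[^:\s]+):(?P<sport>\d+) -> "
    r"(?P<dst>[^:\s]+):(?P<dport>\d+) (?P<proto>\w+)$"
)

@dataclass(frozen=True)
class Finding:
    ts: str
    router: str
    dst: str
    dport: int
    reason: str

def parse_line(line):
    """Return the fields of one log line, or None for malformed input."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_router_initiated_sessions(log_text, routers=ROUTERS, expected=EXPECTED_DST):
    """Flag TCP sessions a router *initiated* toward a non-allowlisted host.
    Any destination port is reported, because the reverse shell's port is
    chosen by the operator; port 22 is only called out as the most likely case."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
        if src not in routers or any(dst in net for net in expected):
            continue  # inbound admin SSH and expected internal sessions are normal
        dport = int(rec["dport"])
        reason = "outbound SSH from router" if dport == 22 else "unexpected outbound TCP from router"
        findings.append(Finding(rec["ts"], str(src), str(dst), dport, reason))
    return findings
```

Against the sample log this reports the two sessions the router opened to 198.51.100.9 and ignores the inbound administrator login and the session to the allowlisted jump host.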
Mitigation
Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for threats to devices like Juniper Networks routers. Field Effect MDR users are automatically notified if threat-related activity is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
Field Effect encourages organizations to prioritize regular firmware updates, strong authentication measures, and robust monitoring of their edge devices, such as routers, switches, firewalls, etc., to ensure the risks associated with threats to these types of devices are fully mitigated.