Cybersecurity researchers at Google’s Mandiant have exposed a series of attacks which took place in mid-2024 targeting Juniper routers running the Junos OS operating system. These attacks, linked to a Chinese hacking group known as UNC3886, involved planting custom-built malware designed to secretly control the devices while evading detection.
What Happened?
Mandiant’s investigation revealed that UNC3886 deployed backdoors disguised as legitimate system processes on Juniper MX routers running outdated hardware and software. These routers, using end-of-life (EOL) configurations, were easier targets due to vulnerabilities in their security systems. The malware leveraged Junos OS’s Veriexec, a file integrity monitor, to avoid detection. Instead of disabling Veriexec, the attackers injected malicious code into legitimate processes
According to the company’s blog post shared with Hackread.com ahead of publishing on Wednesday, these backdoors were built on the foundation of a publicly available hacking tool called TINYSHELL.
What makes these attacks particularly alarming is how the hackers customized their malware to integrate into the Juniper environment. The malicious programs were disguised as legitimate system processes, mimicking names like “appid” (a play on a real Juniper process) to avoid raising suspicion. Beyond stealth, the malware included features to disable logging on the routers, effectively erasing traces of the attackers’ activities and making it harder for security teams to spot the intrusion.
To carry out their attacks, the hackers exploited the inner workings of Junos OS, the operating system powering Juniper’s routers and other networking gear. Junos OS is built on a modified version of FreeBSD, a Unix-like system, and offers two ways to interact with it: a command-line interface (CLI) for standard operations and a shell mode that provides deeper access to the underlying system. The attackers used this shell mode to execute their malicious commands.
How Did the Hackers Make This Happen?
The attackers gained access by using stolen credentials to infiltrate router management interfaces. Once inside, they injected malware into legitimate processes, such as the cat command, leveraging named pipes and memory manipulation to evade detection.
To cover their tracks, some backdoors disabled logging functions, effectively erasing evidence of their presence. For instance, the lmpad backdoor altered system logs and disabled SNMP alerts, making it significantly harder for defenders to spot unauthorized access.
The Malware Toolkit
UNC3886 deployed six customized backdoors, all derived from the open-source TINYSHELL framework but specifically adapted for Junos OS. Each variant had unique functionalities:
- appid and to: These were active backdoors with hardcoded command-and-control (C2) servers, allowing attackers to upload/download files, execute shell commands, and route traffic through proxies.
- irad: A passive backdoor that remained dormant until triggered by specific “magic strings” in network traffic. Once activated, it could launch remote shells or relay connections.
- lmpad: This hybrid backdoor acted as both a backdoor and a stealth tool. It disabled logging, modified system files, and patched memory to prevent audit logs from recording malicious activity.
- jdosd and oemd: These passive backdoors used encrypted UDP/TCP channels for covert file transfers and remote command execution, making detection even more challenging.
About UNC3886
UNC3886 is a well-known hacking group with a track record of targeting network devices and virtualization technologies, often using previously unknown vulnerabilities (known as zero-day exploits). The group’s main focus is on espionage against industries like defence, technology, and telecommunications, particularly in the US and Asia.
While other Chinese hacking campaigns, such as those attributed to groups like Volt Typhoon or Salt Typhoon, have made headlines, Mandiant found no direct technical connections between UNC3886’s activities and those operations. This suggests that UNC3886 is a distinct threat, operating with its own tools and strategies.
Why Does This Matter?
Routers and other network devices are the backbone of modern IT infrastructure, directing traffic and connecting systems across organizations. But unlike laptops or servers, these devices often lack proper security monitoring tools, making them attractive targets for attackers. Once compromised, a router can provide a gateway to an entire network, allowing hackers to spy on communications, steal data, or launch further attacks.
The fact that UNC3886 targeted older, unsupported Juniper devices highlights another issue such as how many organizations continue to rely on outdated equipment, either due to budget restrictions or oversight. These systems are sitting ducks for skilled attackers, as they no longer receive patches for newly discovered vulnerabilities.
What Should Organizations Do?
Mandiant and Juniper Networks have worked together to address the issue, and they’ve outlined steps organizations can take to protect themselves:
- Upgrade Devices: Replace end-of-life Juniper hardware and software with supported versions. Juniper has released updated software images that include fixes and improved detection capabilities.
- Run Security Scans: Use Juniper’s Malware Removal Tool (JMRT) to perform a Quick Scan and Integrity Check on your devices after upgrading. This can help identify and remove any malicious programs.
- Monitor and Harden Networks: Strengthen security around network devices by limiting access, using strong authentication, and regularly reviewing logs for unusual activity, even though attackers may try to disable logging.
- Stay Informed: Keep up with security advisories from vendors like Juniper and reports from cybersecurity firms like Mandiant to stay ahead of emerging threats.
