
Customized Backdoor Exploiting Magic Packet Vulnerability in Juniper Routers


Jan 23, 2025 | Ravie Lakshmanan | Malware / Enterprise Security

Enterprise-grade Juniper Networks routers have become the target of a custom backdoor as part of a campaign dubbed J-magic.

According to the Black Lotus Labs team at Lumen Technologies, the activity is so named because the backdoor continuously monitors for a "magic packet" sent by the threat actor in TCP traffic.

"The J-magic campaign marks the rare occasion of malware designed specifically for Junos OS, which serves a similar market but relies on a different operating system, a variant of FreeBSD," the company said in a report shared with The Hacker News.


Evidence gathered by the company shows that the earliest sample of the backdoor dates back to September 2023, with the activity ongoing between mid-2023 and mid-2024. The semiconductor, energy, manufacturing, and information technology (IT) sectors were the most targeted.

Infections have been reported across Europe, Asia, and South America, including Argentina, Armenia, Brazil, Chile, Colombia, Indonesia, the Netherlands, Norway, Peru, the U.K., the U.S., and Venezuela.

The campaign is notable for deploying an agent after gaining initial access via an as-yet-undetermined method. The agent, a variant of a nearly 25-year-old, publicly available backdoor called cd00r, waits for five different pre-defined parameters before commencing its operations.

Upon receipt of these magic packets, the agent is configured to send back a secondary challenge, following which J-magic establishes a reverse shell to the IP address and port specified in the magic packet. This allows the attackers to control the device, steal data, or deploy additional payloads.

Lumen theorized that the inclusion of the challenge is an attempt on the part of the adversary to prevent other threat actors from issuing magic packets indiscriminately and repurposing the J-magic agents to fulfil their own goals.

It is worth noting that another variant of cd00r, codenamed SEASPY, was deployed in connection with a campaign aimed at Barracuda Email Security Gateway (ESG) appliances in late 2022.

That said, there is no evidence at this stage to connect the two campaigns, nor does the J-magic campaign show any signs of overlap with other campaigns targeting enterprise-grade routers such as Jaguar Tooth and BlackTech (aka Canary Typhoon).


A majority of the potentially impacted IP addresses are said to be Juniper routers acting as VPN gateways, with a second, smaller cluster comprising those with an exposed NETCONF port. It is believed that the network configuration devices may have been targeted for their ability to automate router configuration information and management.

With routers being abused by nation-state actors preparing for follow-on attacks, the latest findings underscore the continued targeting of edge infrastructure, largely driven by the long uptime and the lack of endpoint detection and response (EDR) protections on such devices.

"One of the most notable aspects of the campaign is the focus on Juniper routers," Lumen said. "While we have seen heavy targeting of other networking equipment, this campaign demonstrates that attackers can find success expanding to other device types such as enterprise-grade routers."
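The reverse-shell callback described above, together with the exposed NETCONF cluster, suggests two checks a defender can run over connection logs from the perimeter: an edge router that opens its own outbound TCP connection to an external host shortly after receiving unsolicited inbound TCP traffic, and any external source reaching a router's NETCONF port. The Python below is an added example written for this article, not Lumen's or Juniper's code. The log field layout, the router inventory, the internal ranges, the egress allow-list, the 60-second window and the sample records are all constructed assumptions, and the detection keys on the callback behaviour rather than on the magic packet's five parameters, which the article does not enumerate.

```python
"""Triage of constructed perimeter connection logs for J-magic-style behaviour.

Added example, not Lumen's or Juniper's code. The record layout, the asset
lists, the window and the sample flows are assumptions made for illustration.
"""
from collections import namedtuple
from ipaddress import ip_address, ip_network

# One TCP packet/flow start as it might appear in a firewall or NetFlow export.
Flow = namedtuple("Flow", "ts src sport dst dport flags")

# Assumed: router addresses and internal ranges come from the asset inventory.
ROUTERS = {"203.0.113.10", "203.0.113.11"}
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]
# Assumed: destinations a router legitimately dials out to (NTP, syslog).
ALLOWED_EGRESS = {("198.51.100.5", 123), ("198.51.100.6", 514)}
NETCONF_PORT = 830
WINDOW_S = 60.0  # assumed lookback between an inbound trigger and the callback


def is_external(ip):
    """True when the address is outside every known internal range."""
    return not any(ip_address(ip) in net for net in INTERNAL)


def router_callbacks(flows, window_s=WINDOW_S):
    """Flag outbound TCP connections a router opens itself (pure SYN) to an
    external host, when any unsolicited inbound TCP packet from an external
    host reached that router within window_s seconds beforehand.

    The trigger sender and the callback target need not match: J-magic takes
    the reverse-shell address and port from the magic packet, so the check
    only reports the most recent external sender as context."""
    flows = sorted(flows, key=lambda f: f.ts)
    hits = []
    for i, f in enumerate(flows):
        if f.src not in ROUTERS or "S" not in f.flags or "A" in f.flags:
            continue  # only connections the router initiates, not its replies
        if not is_external(f.dst) or (f.dst, f.dport) in ALLOWED_EGRESS:
            continue  # internal or allow-listed egress is expected
        triggers = [g for g in flows[:i]
                    if g.dst == f.src and is_external(g.src)
                    and f.ts - g.ts <= window_s]
        if triggers:
            hits.append((f.src, f.dst, f.dport, triggers[-1].src))
    return hits


def exposed_netconf(flows):
    """External sources that reach a router's NETCONF port (830/tcp)."""
    return sorted({(f.src, f.dst) for f in flows
                   if f.dst in ROUTERS and f.dport == NETCONF_PORT
                   and is_external(f.src)})


# Constructed sample: an inbound packet to a router, the router's reply, then
# a router-initiated connection to a different external host three seconds
# later; plus benign NTP egress, one NETCONF probe from outside, one internal
# NETCONF session, and a router egress with no recent inbound trigger.
SAMPLE_FLOWS = [
    Flow(100.0, "192.0.2.7", 40000, "203.0.113.10", 443, "S"),
    Flow(100.5, "203.0.113.10", 443, "192.0.2.7", 40000, "SA"),
    Flow(103.0, "203.0.113.10", 51000, "192.0.2.99", 4444, "S"),
    Flow(200.0, "203.0.113.11", 123, "198.51.100.5", 123, "S"),
    Flow(250.0, "198.51.100.20", 55000, "203.0.113.11", 830, "S"),
    Flow(300.0, "10.0.0.5", 45000, "203.0.113.11", 830, "S"),
    Flow(400.0, "203.0.113.11", 52000, "192.0.2.50", 443, "S"),
]

if __name__ == "__main__":
    for src, dst, dport, trigger in router_callbacks(SAMPLE_FLOWS):
        print(f"callback: {src} -> {dst}:{dport} (after inbound from {trigger})")
    for src, dst in exposed_netconf(SAMPLE_FLOWS):
        print(f"netconf exposed: {src} -> {dst}:{NETCONF_PORT}")
```

The last sample flow is deliberately not reported: the only inbound packet to that router arrived 150 seconds earlier, outside the window. Tune the window and the allow-list to each device's known egress, since a VPN gateway that legitimately dials out (NTP, logging, updates) will otherwise generate noise; the point of the check is that an edge router with no EDR still leaves its connection pattern in the logs of the devices around it.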
