A Chinese-linked hacking group has been identified as the culprit behind a malware incident at Juniper Networks. According to Mandiant, the attackers deployed custom malicious code on Juniper routers, expanding their targeting from edge devices to internal infrastructure.

Mandiant, the American cybersecurity firm and Google subsidiary, released its investigation findings on the Juniper Networks malware incident on the 14th. The company discovered a custom backdoor operating on Juniper’s Junos operating system last year and attributed the attack to ‘UNC3886’, a hacking group with Chinese connections.

Advanced Attack Techniques and Targets

UNC3886 employs sophisticated attack techniques, targeting network devices and virtualization technologies through zero-day exploits. Their primary targets include defense, telecommunications, and technology companies in the United States and across Asia.

Through a joint investigation with Juniper, Mandiant determined that hackers conducted their attacks through end-of-life (EOL) Juniper MX router hardware and software. The group previously attacked virtualization technologies and edge devices with customized malware in 2022 and 2023.

“The custom malware used by UNC3886 demonstrates their deep knowledge of internal system architecture,” researchers noted. During their investigation, Mandiant discovered six malware variants installed on numerous end-of-life Juniper MX routers. Each variant is a modified version of the TinyShell backdoor, incorporating various custom features including embedded scripts designed to block security monitoring systems.

UNC3886 employed a new attack technique called ‘Process Injection’ to bypass Veriexec by injecting malicious code into legitimate process memory. This technique was specifically used to execute a position-independent code (PIC) version of the lmpad backdoor, though it doesn’t support the execution of other backdoors.

“UNC3886 previously focused on attacking network edge devices,” Mandiant stated. “This attack suggests they’re expanding their targets to include internal networking infrastructure such as Internet Service Provider (ISP) routers.”

The company emphasized that “this attack serves as a reminder of the importance of updating network devices” and recommended “applying the latest security patches to network devices and following Juniper’s customer advisories.”

Author

Editorial Team
The Editorial Team at Security Land is comprised of experienced professionals dedicated to delivering insightful analysis, breaking news, and expert perspectives on the ever-evolving threat landscape.