- Mandiant researchers have observed a new hacking campaign targeting Juniper Networks routers
- They attributed it to a Chinese actor targeting telecommunications operators, defense and technology companies
- Users are advised to upgrade and scan their devices
Chinese hackers are targeting Juniper Networks routers with several modified variants of a backdoor, with the aim of gaining access to defense, technology and telecommunications organizations in the United States and Asia.
Google's Mandiant cybersecurity team published an in-depth analysis of the group earlier today. According to the report, the researchers first spotted the malicious activity in mid-2010 and attributed it to the China-nexus espionage group UNC3886.
TechRadar Pro has reported on this threat actor many times in the past, when it was observed targeting VMware, Ivanti VPN and other products with rootkits and other malicious software.
Six malware samples
Mandiant says the attackers infiltrated devices running the Junos operating system by bypassing Veriexec (Verified Exec), the kernel-based file integrity subsystem that protects the operating system against unauthorized code, including binaries, libraries and scripts.
“Execution of untrusted code is still possible if it occurs within the context of a trusted process,” the researchers said. “Mandiant’s investigation revealed that UNC3886 was able to bypass this protection by injecting malicious code into the memory of a legitimate process.”
UNC3886 targeted its victims with six distinct malware samples, all of which are variants of the TinyShell backdoor with unique capabilities. Although they share the same core backdoor functionality, they differ in their activation methods and in various OS-specific features.
Mandiant says the attackers “continue to show an in-depth understanding of the underlying technology” of the targeted devices, and users are advised to upgrade their Juniper devices to the latest images. These include mitigations and updated signatures for the Juniper Malware Removal Tool (JMRT), which should be run after upgrading to scan the integrity of endpoints.
“At the time of writing, Mandiant had not identified any technical overlap between the activities detailed in this blog post and those publicly reported by other parties as Volt Typhoon or Salt Typhoon,” Mandiant added, suggesting that Salt Typhoon, Volt Typhoon and UNC3886 are separate entities (though they may operate under the same umbrella).