CyberSecurity news

FlagThis - #juniper

@www.helpnetsecurity.com - 37d
A sophisticated cyberattack campaign, dubbed "J-Magic," has been targeting enterprise-grade Juniper routers since mid-2023, with activity observed until at least mid-2024. The operation uses custom-crafted "magic packets" to trigger a variant of cd00r, a publicly available passive backdoor. The implant opens no listening port of its own; it passively watches network traffic for TCP packets that satisfy its trigger conditions, so a port scan or a service inventory of the router finds nothing. Once activated, it establishes a reverse shell to the attacker, granting full access to the compromised device for data exfiltration, device control, and the deployment of further payloads. Because many of the affected routers serve as VPN gateways, a compromised device gives the threat actors a strong foothold at the edge of the enterprise network.

The "J-Magic" campaign primarily targeted routers in the semiconductor, energy, manufacturing, and IT sectors, particularly in Europe and South America. The implant is loaded into the device's memory and inspects incoming packets for five predefined conditions; a packet that satisfies all of them triggers the backdoor. Before spawning the reverse shell, the implant issues an RSA-based challenge: it sends back a random string encrypted with a public key hardcoded in the malware, and only a sender that returns the decrypted string is given the shell. That gate means that someone who captures the magic packet cannot simply replay it to gain access. The backdoor shares lineage with the "SeaSpy" family, which is also derived from cd00r, but the challenge-response step is a clear step up in operational security over it. The campaign targets Junos OS, the operating system of Juniper's enterprise-grade networking equipment; many of the compromised routers were acting as VPN gateways, which puts the attacker in a position to move laterally into the networks behind them.



References :
  • www.scworld.com: Malware campaign targeting enterprise Juniper routers.
  • blog.lumen.com (Black Lotus Labs): Report on a backdoor tailored for use against enterprise-grade Juniper routers in a campaign dubbed "J-magic"; the backdoor is opened by a passive agent that continuously monitors TCP traffic for a "magic packet" sent by the attacker.
  • cyberpress.org: Juniper Routers Magic Packet Vulnerability Exploited to Deliver Custom Backdoor
  • Cyber Security News: Juniper Routers Magic Packet Vulnerability Exploited to Deliver Custom Backdoor
  • gbhackers.com: Juniper Routers Exploited via Magic Packet Vulnerability to Deploy Custom Backdoor
  • www.bleepingcomputer.com: A malicious campaign has been specifically targeting Juniper edge devices, many acting as VPN gateways, with malware dubbed J-magic that starts a reverse shell only if it detects a "magic packet" in the network traffic.
  • www.helpnetsecurity.com: A stealthy attack campaign turned Juniper enterprise-grade routers into entry points to corporate networks via the "J-magic" backdoor, which is loaded into the devices' memory and spawns a reverse shell when instructed to do so.
  • go.theregister.com (The Register): Someone is slipping a hidden backdoor into Juniper routers across the globe, activated by a magic packet. Unknown attackers have been quietly backdooring selected Juniper routers in key sectors including semiconductor, energy, and manufacturing since at least mid-2023; the devices were infected with what appears to be a variant of cd00r, a publicly available backdoor.
  • ciso2ciso.com: Someone is slipping a hidden backdoor into Juniper routers across the globe, activated by a magic packet (source: go.theregister.com).
  • ciso2ciso.com: J-Magic malware campaign targets Juniper routers, using a passive agent to monitor network traffic for predefined "magic packets".
  • aboutdfir.com: Someone is slipping a hidden backdoor into Juniper routers across the globe, activated by a magic packet.
  • Ars Technica: Backdoor infecting VPNs used "magic packets" for stealth and security; the J-Magic backdoor infected organizations in a wide array of industries.
  • securityaffairs.com: Threat actors are targeting Juniper routers with a custom backdoor in a campaign called "J-magic"; the malware is delivered and triggered via a "magic packet".
  • The Hacker News: Custom Backdoor Exploiting Magic Packet Vulnerability in Juniper Routers
  • CyberScoop: Researchers at Black Lotus Labs have uncovered an operation where a backdoor is dropped onto enterprise-grade Juniper Networks routers and listens for specific network signals, known as "magic packets," to execute malicious commands.
  • AAKL: Additional information about the Juniper router attack.
@supportportal.juniper.net - 73d
Juniper Networks has warned that its Session Smart Routers (SSR) are being targeted by the Mirai botnet. The malware is compromising devices that still use the factory default password, infecting them and enrolling them in distributed denial-of-service (DDoS) attacks. Juniper reports anomalous activity on SSR platforms since December 11, 2024, and urges all SSR users to change the default password immediately.

Mirai spreads by scanning for reachable devices and logging in with well-known default credentials; once infected, a device is used to launch attacks against other systems. Juniper's guidance goes beyond the password change: audit access logs for suspicious activity, put the devices behind a firewall that blocks unauthorized access, and keep the software up to date. If a system is found to be infected, Juniper recommends reimaging it entirely, since it cannot be determined what the malware changed on, or obtained from, the device.



References :
  • supportportal.juniper.net: Juniper warns that customers with Juniper Session Smart Routers (SSR) are getting infected with Mirai DDoS botnet malware because they did not change the default password.
  • OODAloop: Juniper Networks is warning of a Mirai botnet which is targeting their Session Smart Routers (SSR). Routers using default passwords are being targeted in the botnet infection campaign.
  • securityaffairs.com: Juniper Networks warns that a Mirai botnet is targeting Session Smart Router (SSR) products with default passwords.
  • The Hacker News: Juniper Networks is warning that Session Smart Router (SSR) products with default passwords are being targeted as part of a malicious campaign that deploys the Mirai botnet malware.
  • www.bleepingcomputer.com: Juniper Networks has warned customers of Mirai malware attacks targeting and infecting Session Smart routers using default credentials.
  • AAKL: Juniper: Session Smart Router: Mirai malware found on systems when the default password remains unchanged. More: Juniper Warns of Mirai Botnet Targeting SSR Devices with Default Passwords.
  • social.tchncs.de: Juniper: Session Smart Router: Mirai malware found on systems when the default password remains unchanged.
  • www.scworld.com: Mirai botnet actively targeting vulnerable Juniper routers.
  • Security Risk Advisors: The Hacker News article about Juniper routers being exploited by the Mirai botnet.
  • TechRadar: TechRadar article about the Mirai botnet targeting Juniper routers.
@www.bleepingcomputer.com - 10d
A new JavaScript obfuscation technique has been found in active use in phishing attacks. Juniper Threat Labs identified it in early January 2025 in a campaign targeting affiliates of a major American political action committee (PAC). The method uses invisible Unicode characters to represent binary values, so the malicious JavaScript is hidden inside what renders as blank text.

The technique was first demonstrated as a proof of concept by JavaScript developer Martin Kleppe in October 2024, which shows how quickly such research is weaponized in real attacks. The encoding uses two Unicode filler characters, the Hangul Filler (U+3164) and the Halfwidth Hangul Filler (U+FFA0), to stand for the binary values 0 and 1, so every byte of the payload becomes eight characters that render as blank space. The hidden string sits in the script as an apparently empty value, and a JavaScript Proxy get() trap decodes and executes it when a property of the proxy is accessed; nothing in the visible source looks like code, which defeats a casual review of the lure. For defenders the tell is the characters themselves: a script has no legitimate reason to contain long runs of U+3164 or U+FFA0, and security researchers have published decoders that turn such runs back into readable JavaScript.
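The encoding, the Proxy get() trap and the defender's decoder, as an added example written for this page (it is not the attackers' script and not Juniper Threat Labs' code; which filler character stands for 0 and which for 1 is an assumption, and the sample script is constructed):

```javascript
// Added example, not the phishing script and not Juniper Threat Labs' code.
// Encodes a payload into the two invisible Hangul filler characters, hides it
// in an otherwise innocuous string, recovers it through a Proxy get() trap,
// and scans script text for such runs. Bit assignment is an assumption.

const ZERO = '\uFFA0'; // HALFWIDTH HANGUL FILLER, taken here as bit 0
const ONE  = '\u3164'; // HANGUL FILLER, taken here as bit 1

// Payload -> invisible string: eight filler characters per UTF-8 byte, MSB first.
function hide(payload) {
  let out = '';
  for (const byte of new TextEncoder().encode(payload)) {
    for (let bit = 7; bit >= 0; bit--) out += (byte >> bit) & 1 ? ONE : ZERO;
  }
  return out;
}

// Invisible string -> payload. Rejects anything that is not one of the two fillers.
function reveal(invisible) {
  if (invisible.length % 8 !== 0) throw new Error('hidden run is not byte aligned');
  const bytes = new Uint8Array(invisible.length / 8);
  for (let i = 0; i < invisible.length; i++) {
    const ch = invisible[i];
    if (ch !== ZERO && ch !== ONE) {
      throw new Error(`unexpected U+${ch.codePointAt(0).toString(16)} at ${i}`);
    }
    bytes[i >> 3] = (bytes[i >> 3] << 1) | (ch === ONE ? 1 : 0);
  }
  return new TextDecoder().decode(bytes);
}

// The loader stage: nothing is decoded until a property of the proxy is
// touched. The real lure hands the plaintext to eval/Function at this point;
// here the trap only returns it, so nothing executes.
function makeLoader(invisible) {
  return new Proxy({}, {
    get(_target, _property) {
      return reveal(invisible);
    },
  });
}

// Defender's check: any run of eight or more filler characters in script
// text is worth decoding. Returns offset, length and decoded text per run.
const FILLER_RUN = /[\u3164\uFFA0]{8,}/g;

function findHiddenPayloads(scriptText) {
  const hits = [];
  for (const match of scriptText.matchAll(FILLER_RUN)) {
    const run = match[0];
    const aligned = run.slice(0, run.length - (run.length % 8));  // drop a ragged tail
    hits.push({ offset: match.index, chars: run.length, decoded: reveal(aligned) });
  }
  return hits;
}

// Constructed sample of what the lure's script looks like, with a benign payload.
const SAMPLE_SCRIPT =
  'const label = "loading...' + hide('alert("payload would run here")') + '";\n' +
  'const stage = new Proxy({}, { get: () => label });\n' +
  'stage.anything;\n';

console.log(findHiddenPayloads(SAMPLE_SCRIPT));
```

In an editor the `label` string in the sample looks like `"loading..."` followed by nothing, which is why the lure survives a glance at the source; the run-based scan does not care how the script is laid out and catches the payload wherever it is stored. A useful hardening of the same check for a mail gateway or EDR rule is to alert on the code points alone, since the decode step is only needed to see what was hidden.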



References :
  • blogs.juniper.net: Invisible obfuscation technique used in PAC attack
  • www.bleepingcomputer.com: A new JavaScript obfuscation method utilizing invisible Unicode characters to represent binary values is being actively abused in phishing attacks targeting affiliates of an American political action committee (PAC).
  • Christoffer S.: Juniper Networks: Invisible obfuscation technique used in PAC attack. Novel obfuscation technique observed in a phishing attack targeting affiliates of a political action committee (PAC) in January 2025.
Classification:
  • HashTags: #JavaScript #PhishingAttack #JuniperThreatLabs
  • Company: Juniper
  • Target: American Political Action Committee
  • Product: Microsoft Teams
  • Feature: JavaScript obfuscation
  • Type: Hack
  • Severity: Major