@www.yahoo.com
The China-linked Salt Typhoon hacking group carried out a cyber espionage campaign against major telecommunications companies AT&T and Verizon. The attackers aimed to gather foreign intelligence, although both companies have stated that their networks are now secure. This incident highlights the ongoing threat of state-sponsored cyber espionage against critical infrastructure and telecommunications providers. Initial access was gained by exploiting vulnerabilities in network infrastructure; even though the carriers report that their networks are now secure, the incident underscores the need for continuous monitoring and robust security measures to detect and mitigate such threats.
References:
- Threats | CyberScoop: White House: Salt Typhoon hacks possible because telecoms lacked basic security measures
- Fortune | FORTUNE: Chinese spies infiltrated yet another U.S. telecom and accessed private conversations, White House says
- BleepingComputer: A White House official has added a ninth U.S. telecommunications company to the list of telecoms breached in a Chinese hacking campaign that impacted dozens of countries.
- Techmeme: The US says it has identified a ninth telecom company impacted by the Salt Typhoon hacks, and the number of individuals directly impacted is "less than 100"
- Pyrzout :vm:: A 9th Telecoms Firm Has Been Hit by a Massive Chinese Espionage Campaign, the White House Says -State
- www.techmeme.com: AT&T and Verizon say their networks are now clear after the Salt Typhoon intrusion; AT&T says a few "individuals of foreign intelligence interest" were targeted (Kelcee Griffis/Bloomberg)
- Bloomberg Technology: AT&T and Verizon say their networks are now clear after the Salt Typhoon intrusion; AT&T says a few "individuals of foreign intelligence interest" were targeted (Kelcee Griffis/Bloomberg)
- gbhackers.com: AT&T and Verizon Hacked – Salt Typhoon Compromised The Network For High Profiles
- www.yahoo.com: Chinese Salt Typhoon cyberespionage targets AT&T, Verizon but networks secure, carriers say
- securityaffairs.com: China-linked APT Salt Typhoon breached a ninth U.S. telecommunications firm
- BleepingComputer: AT&T and Verizon confirmed they were breached in a massive Chinese espionage campaign targeting telecom carriers worldwide but said the hackers have now been evicted from their networks.
- techcrunch.com: TechCrunch article on AT&T and Verizon saying networks are secure after being breached by China-linked Salt Typhoon hackers.
- cyberinsider.com: AT&T and Verizon Declare Networks Secure After Salt Typhoon Attacks
- techcrunch.com: Verizon says it has secured its network after breach by China-linked Salt Typhoon group
- Zack Whittaker: New by : U.S. phone giants AT&T and Verizon say their networks are free from the Salt Typhoon hackers. Both networks said a few customers had their communications compromised during the hacking campaign.
- systemweakness.com: What we learned from salt typhoon telecoms operation
- Cord Cutters News: AT&T & Verizon Confirm Security Breach, But Assure Customers That The Networks Are Now Secure
- CyberInsider: CyberInsider article on AT&T and Verizon declaring networks secure after Salt Typhoon attacks.
- CNET: CNet article on AT&T and Verizon declaring their networks secure amid Salt Typhoon cyberattack.
- Latest from TechRadar: TechRadar article on AT&T and Verizon saying they're free of Salt Typhoon hacks at last.
- The Register: More telcos confirm Salt Typhoon breaches as White House weighs in The intrusions allowed Beijing to 'geolocate millions of individuals' AT&T, Verizon, and Lumen Technologies confirmed that Chinese government-backed snoops accessed portions of their systems earlier this year, while the White House added another, yet-unnamed telecommunications company to the list of those bre…
- go.theregister.com: More telcos confirm Salt Typhoon breaches as White House weighs in
- Hacker News: More telcos confirm Salt Typhoon breaches as White House weighs in (posted 2024-12-30)
- malware.news: Another US telco breached by Salt Typhoon as AT&T, Verizon acknowledge compromise
- The Register - Security: More telcos confirm Salt Typhoon breaches as White House weighs in
- Strypey: "This week the FBI, the US Cybersecurity and Infrastructure Security Agency (CISA) and partner agencies in New Zealand, Australia and Canada began advocating for the use of end-to-end encrypted (E2EE) communications. The move is in reaction to law enforcement backdoors in the public telephone network - including AT&T, Verizon and T-Mobile - being hijacked by Salt Typhoon; a cyberattack group believed to be operated by the Chinese government."
- www.scworld.com: Another US telco breached by Salt Typhoon as AT&T, Verizon acknowledge compromise
- ciso2ciso.com: More telcos confirm Salt Typhoon breaches as White House weighs in – Source: go.theregister.com
- techcrunch.com: US telco Lumen says its network is now clear of China’s Salt Typhoon hackers
- Pyrzout :vm:: More telcos confirm Salt Typhoon breaches as White House weighs in – Source: go.theregister.com
@www.helpnetsecurity.com
A sophisticated cyberattack campaign, dubbed "J-Magic," has been targeting enterprise-grade Juniper routers since mid-2023, with activity observed until at least mid-2024. This stealthy operation uses custom-crafted "magic packets" to trigger a variant of the cd00r backdoor. Once activated, the malware establishes a reverse shell, granting the attackers full access to the compromised device, which allows data exfiltration, device control, and the deployment of further malicious payloads. The malware works by passively monitoring network traffic for the specific TCP packets designed to trigger the backdoor. Because the affected routers often serve as VPN gateways, this technique gives the threat actors a strong foothold in enterprise networks.
The "J-Magic" malware primarily targets routers in the semiconductor, energy, manufacturing, and IT sectors, particularly in Europe and South America. It is loaded into the device's memory, where it scans for five network signals; when it receives them, it spawns a reverse shell on the local file system, allowing complete device takeover. The malware uses a unique RSA-based challenge-response mechanism to prevent unauthorized access to the backdoor, and while it shares some similarities with the "SeaSpy" malware family, the challenge implementation marks a step up in operational security. The campaign appears to target Junos OS, commonly used in enterprise-grade networking equipment, and many of the compromised routers were acting as VPN gateways, which enables lateral movement within the network.
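A defender-side heuristic for the behaviour described above, written here as an added example (it is not Black Lotus Labs', Juniper's or any vendor's code): it scans constructed NetFlow-style records for an edge router that opens an outbound TCP session to an untrusted host, and raises the severity when that host had just sent the router a packet, the trigger-then-callback sequence the reports describe. The router address, internal ranges, allowlist and record layout are assumptions.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed environment (constructed): the edge router's public address, internal
# ranges, and destinations it legitimately reaches out to (DNS, NTP, vendor).
ROUTER_IPS = {ip_address("203.0.113.10")}
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
ALLOWED_DESTS = [ip_network("192.0.2.0/24")]
WINDOW = timedelta(seconds=30)  # max gap between inbound trigger and callback

# Constructed flow records, "ts src sport dst dport proto" (layout assumed).
SAMPLE_FLOWS = [
    "2024-03-02T09:00:00Z 198.51.100.50 33000 203.0.113.10 443 tcp",
    "2024-03-02T09:10:00Z 203.0.113.10 41000 198.51.100.50 443 tcp",
    "2024-03-02T10:00:01Z 198.51.100.7 51234 203.0.113.10 8443 tcp",
    "2024-03-02T10:00:03Z 203.0.113.10 40001 198.51.100.7 443 tcp",
    "2024-03-02T10:30:00Z 203.0.113.10 40002 10.0.5.5 22 tcp",
    "2024-03-02T11:00:00Z 203.0.113.10 40003 198.51.100.99 443 tcp",
    "2024-03-02T11:15:00Z 203.0.113.10 123 192.0.2.1 123 udp",
]

def parse_flow(line):
    """Parse one record into typed fields."""
    ts, src, sport, dst, dport, proto = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": ip_address(src), "sport": int(sport),
            "dst": ip_address(dst), "dport": int(dport), "proto": proto}

def is_expected(dst):
    """Destinations the router is expected to contact on its own initiative."""
    return any(dst in net for net in ALLOWED_DESTS + INTERNAL_NETS)

def find_callbacks(lines):
    """Return (severity, router, remote, remote_port, trigger_port) findings.

    medium: the router itself opens a TCP session to an untrusted host, which an
    edge device rarely has reason to do. high: that same host sent the router a
    packet within WINDOW beforehand, the trigger-then-callback sequence reported
    for J-Magic; trigger_port is whatever port that packet hit. The callback
    port is deliberately ignored, so a callback on 443 still surfaces.
    """
    flows = sorted((parse_flow(ln) for ln in lines), key=lambda f: f["ts"])
    findings = []
    for f in flows:
        if f["proto"] != "tcp" or f["src"] not in ROUTER_IPS or is_expected(f["dst"]):
            continue
        triggers = [g for g in flows
                    if g["src"] == f["dst"] and g["dst"] == f["src"]
                    and timedelta(0) <= f["ts"] - g["ts"] <= WINDOW]
        severity = "high" if triggers else "medium"
        findings.append((severity, str(f["src"]), str(f["dst"]), f["dport"],
                         triggers[0]["dport"] if triggers else None))
    return findings

if __name__ == "__main__":
    for finding in find_callbacks(SAMPLE_FLOWS):
        print(finding)
```

The medium tier on its own is noisy on routers that fetch updates or telemetry, so the allowlist has to be maintained from the device's real baseline before the rule is useful.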
References:
- www.scworld.com: Malware campaign targeting enterprise Juniper routers.
- blog.lumen.com: Black Lotus Labs : The Black Lotus Labs team reports on a backdoor attack tailored for use against enterprise-grade Juniper routers in a campaign dubbed "J-magic". This backdoor is opened by a passive agent that continuously monitors for a "magic packet," sent by the attacker in TCP traffic.
- cyberpress.org: Juniper Routers Magic Packet Vulnerability Exploited to Deliver Custom Backdoor
- www.bleepingcomputer.com: A malicious campaign has been specifically targeting Juniper edge devices, many acting as VPN gateways, with malware dubbed J-magic that starts a reverse shell only if it detects a "magic packet" in the network traffic.
- www.helpnetsecurity.com: A stealthy attack campaign turned Juniper enterprise-grade routers into entry points to corporate networks via the "J-magic" backdoor, which is loaded into the devices' memory and spawns a reverse shell when instructed to do so.
- gbhackers.com: Juniper routers exploited via Magic Packet vulnerability to deploy custom backdoor
- Cyber Security News: Juniper Routers Magic Packet Vulnerability Exploited to Deliver Custom Backdoor
- ciso2ciso.com: Someone is slipping a hidden backdoor into Juniper routers across the globe, activated by a magic packet – Source: go.theregister.com
- The Register: Unknown attackers have been secretly inserting backdoors into Juniper routers in key sectors since mid-2023, potentially compromising a large number of critical devices.
- Pyrzout :vm:: Someone is slipping a hidden backdoor into Juniper routers across the globe, activated by a magic packet – Source: go.theregister.com
- Ars Technica: Backdoor infecting VPNs used "magic packets" for stealth and security. J-Magic backdoor infected organizations in a wide array of industries.
- Ars OpenForum: Backdoor infecting VPNs used "magic packets" for stealth and security
- ciso2ciso.com: J-Magic malware campaign targets Juniper routers, using a passive agent to monitor network traffic for predefined "magic packets" to exploit.
- Pyrzout :vm:: J-magic malware campaign targets Juniper routers
- go.theregister.com: Someone is slipping a hidden backdoor into Juniper routers across the globe, activated by a magic packet Who could be so interested in chips, manufacturing, and more, in the US, UK, Europe, Russia... Someone has been quietly backdooring selected Juniper routers around the world in key sectors including semiconductor, energy, and manufacturing, since at least mid-2023.…
- AAKL: Additional information about the Juniper router attack.
- Pyrzout :vm:: J-magic malware campaign targets Juniper routers – Source: securityaffairs.com
- The Hacker News: Custom Backdoor Exploiting Magic Packet Vulnerability in Juniper Routers
- Help Net Security: Juniper enterprise routers backdoored via "magic packet" malware
- securityaffairs.com: Threat actors are targeting Juniper routers with a custom backdoor in a campaign called "J-magic." Attackers exploit a "Magic Packet" flaw to deliver the malware.
- Threats | CyberScoop: Researchers at Black Lotus Labs have uncovered an operation where a backdoor is dropped onto enterprise-grade Juniper Networks routers and listens for specific network signals, known as "magic packets," to execute malicious commands.
- aboutdfir.com: Someone is slipping a hidden backdoor into Juniper routers across the globe, activated by a magic packet
- The Register - Security: Initial report on the backdoor campaign
- aboutdfir.com: Someone is slipping a hidden backdoor into Juniper routers across the globe, activated by a magic packet. Someone has been quietly backdooring selected Juniper routers around the world in key sectors including semiconductor, energy, and manufacturing, since at least mid-2023. The devices were infected with what appears to be a variant of cd00r, a publicly available […]
@Talkback Resources
Juniper Networks has addressed a critical authentication bypass vulnerability, identified as CVE-2025-21589, affecting its Session Smart Router, Session Smart Conductor, and WAN Assurance Managed Router products. The vulnerability allows a network-based attacker to bypass authentication and gain administrative control over affected devices. The severity of the flaw is highlighted by its critical CVSS score of 9.8.
Juniper has released updated software versions to address the issue, including SSR-5.6.17, SSR-6.1.12-lts, SSR-6.2.8-lts, and SSR-6.3.3-r2, and advises users to upgrade affected systems promptly. For Conductor-managed deployments, upgrading only the Conductor nodes is sufficient, while WAN Assurance users connected to the Mist Cloud have already received automatic patches. The flaw was found through internal security testing.
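The fixed versions and the Conductor rule above lend themselves to an inventory check. The following is an added example, not Juniper's tooling: the version-string grammar (the -lts and -rN suffixes), the rule that any release below the fixed one in its line is affected, and the inventory layout are all assumptions.

```python
import re

# Fixed releases named in Juniper's bulletin for CVE-2025-21589 (from the text above).
FIXED_RELEASES = ["SSR-5.6.17", "SSR-6.1.12-lts", "SSR-6.2.8-lts", "SSR-6.3.3-r2"]

# Assumption: versions look like SSR-<major>.<minor>.<patch>[-lts][-r<N>]; the
# grammar is inferred from the fixed-release names, not from Juniper documentation.
VERSION_RE = re.compile(r"^SSR-(\d+)\.(\d+)\.(\d+)(?:-lts)?(?:-r(\d+))?$")

def parse_version(text):
    """Turn 'SSR-6.3.3-r2' into the comparable tuple (6, 3, 3, 2)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SSR version: {text!r}")
    major, minor, patch, respin = m.groups()
    return (int(major), int(minor), int(patch), int(respin or 0))

# Fixed release for each major.minor line (5.6, 6.1, 6.2, 6.3).
FIXED_BY_LINE = {v[:2]: v for v in map(parse_version, FIXED_RELEASES)}

def assess(version):
    """Classify an installed version as 'patched', 'unpatched' or 'unknown-line'.
    Assumption: a release that sorts below its line's fixed release is affected
    (so 6.3.3 without the r2 respin is unpatched); lines with no listed fix are
    flagged for manual review rather than guessed at."""
    v = parse_version(version)
    fixed = FIXED_BY_LINE.get(v[:2])
    if fixed is None:
        return "unknown-line"
    return "patched" if v >= fixed else "unpatched"

def hosts_needing_action(inventory):
    """Return (host, status) for entries still needing an upgrade.

    Entry layout (assumed): {'host', 'version', 'role': 'conductor'|'router',
    'conductor': name of the managing Conductor, if any}. A router managed by a
    patched Conductor is treated as covered, because upgrading only the
    Conductor nodes is sufficient in conductor-managed deployments.
    """
    status = {h["host"]: assess(h["version"]) for h in inventory}
    todo = []
    for h in inventory:
        if status[h["host"]] == "patched":
            continue
        manager = h.get("conductor")
        if h["role"] == "router" and manager and status.get(manager) == "patched":
            continue
        todo.append((h["host"], status[h["host"]]))
    return todo

# Constructed inventory for illustration.
SAMPLE_INVENTORY = [
    {"host": "cond-1", "version": "SSR-6.2.8-lts", "role": "conductor"},
    {"host": "rtr-a", "version": "SSR-6.2.7-lts", "role": "router", "conductor": "cond-1"},
    {"host": "rtr-b", "version": "SSR-6.3.3", "role": "router"},
    {"host": "cond-2", "version": "SSR-6.1.10-lts", "role": "conductor"},
    {"host": "rtr-c", "version": "SSR-6.1.10-lts", "role": "router", "conductor": "cond-2"},
    {"host": "rtr-d", "version": "SSR-6.0.4", "role": "router"},
]
```

Calling hosts_needing_action(SAMPLE_INVENTORY) lists rtr-b, cond-2, rtr-c and rtr-d; rtr-a is skipped because its Conductor is already on a fixed release.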
References:
- securityaffairs.com: Juniper Networks fixed a critical flaw in Session Smart Routers
- Talkback Resources: Juniper Session Smart Routers Vulnerability Could Let Attackers Bypass Authentication [exp] [net]
- securityonline.info: CVE-2025-21589 (CVSS 9.8): Critical Authentication Bypass Flaw in Juniper Session Smart Routers
- The Hacker News: Juniper Session Smart Routers Vulnerability Could Let Attackers Bypass Authentication
- www.bleepingcomputer.com: Juniper Patches Critical Auth Bypass in Session Smart Routers
- www.heise.de: Juniper Session Smart Router: Security leak enables takeover
- Vulnerability-Lookup: Vulnerability ncsc-2025-0062 has received a comment on Vulnerability-Lookup: 2025-02: Out-of-Cycle Security Bulletin: Session Smart Router, Session Smart Conductor, WAN Assurance Router: API Authentication Bypass Vulnerability (CVE-2025-21589)
- BleepingComputer: Infosec Exchange Post: Juniper Networks has patched a critical vulnerability that allows attackers to bypass authentication and take over Session Smart Router (SSR) devices.
- socradar.io: Security Flaws in OpenSSH and Juniper Networks Demand Action (CVE-2025-26465, CVE-2025-26466, and CVE-2025-21589)
- Talkback Resources: CVE-2025-21589 (CVSS 9.8): Critical Authentication Bypass Flaw in Juniper Session Smart Routers [app] [net]
- cyble.com: Major Security Flaw in Juniper Networks Routers: How to Protect Your Systems
Sergiu Gatlan@BleepingComputer
Cybersecurity agencies from the Five Eyes alliance, including the UK, Australia, Canada, New Zealand, and the U.S., have jointly released new guidance aimed at enhancing the security of network edge devices. The advisory urges manufacturers of these devices and appliances to improve forensic visibility, thereby empowering defenders to more effectively detect and investigate cyberattacks and data breaches. Network edge devices, such as firewalls, routers, VPN gateways, internet-facing servers, and IoT devices, are frequently targeted by both state-sponsored and financially motivated threat actors.
Such devices are often targeted to infiltrate critical infrastructure networks and systems. By improving forensic visibility, organizations can achieve quicker detection and response to security incidents, mitigating potential damage and downtime. The guidance is intended for both device manufacturers and critical infrastructure owners and operators. Additional resources and detailed information can be found on the websites of the participating cyber agencies, including those of Australia, Canada, the UK, and the US.
References:
- BleepingComputer: InfoSec Exchange - Five Eyes cybersecurity agencies in the UK, Australia, Canada, New Zealand, and the U.S. have issued guidance urging makers of network edge devices and appliances to improve forensic visibility to help defenders detect attacks and investigate breaches.
- BleepingComputer: Cyber agencies share security guidance for network edge devices
- bsky.app: InfoSec Exchange - Cyber agencies from the Five Eyes, Australia, Canada, New Zealand, the UK, and the US, released guidance on securing network edge devices
- bsky.app: Five Eyes cybersecurity agencies in the UK, Australia, Canada, New Zealand, and the U.S. have issued guidance urging makers of network edge devices and appliances to improve forensic visibility to help defenders detect attacks and investigate breaches. https://www.bleepingcomputer.com/news/security/cyber-agencies-share-security-guidance-for-network-edge-devices/
- www.securityweek.com: SecurityWeek - Five Eyes Agencies Release Guidance on Securing Edge Devices
- Krypt3ia: The UK’s leading cybersecurity agency and its Five Eyes peers have produced new guidance for manufacturers of edge devices designed to improve baseline security.
@ciso2ciso.com
Cybersecurity researchers have uncovered three critical security flaws in Planet Technology's WGS-804HPT industrial switches. These vulnerabilities, detailed in a report by Claroty, can be chained together to achieve pre-authentication remote code execution. They stem from weaknesses in the dispatcher.cgi interface used for web services: an integer underflow flaw (CVE-2024-52558) and two high-severity flaws with a CVSS score of 9.8, an operating system command injection flaw (CVE-2024-52320) and a stack-based buffer overflow flaw (CVE-2024-48871).
These switches are widely deployed in building and home automation systems, making the vulnerabilities a significant concern. Successful exploitation could allow attackers to embed malicious shellcode into HTTP requests, enabling them to execute operating system commands and gain control over the network. Planet Technology has released patches addressing these issues with version 1.305b241111, made available on November 15, 2024. Users of these switches are urged to apply the patches immediately to protect against potential attacks.
References:
- ciso2ciso.com: Critical Flaws in WGS-804HPT Switches Enable RCE and Network Exploitation – Source:thehackernews.com
- The Hacker News: Critical Flaws in WGS-804HPT Switches Enable RCE and Network Exploitation
- ciso2ciso.com: Planet WGS-804HPT Industrial Switch flaws could be chained to achieve remote code execution – Source: securityaffairs.com
- Security Risk Advisors: Vulnerabilities in Planet WGS-804HPT Industrial Switch Expose Critical Risks
- securityaffairs.com: Planet WGS-804HPT Industrial Switch flaws could be chained to achieve remote code execution
- sra.io: Vulnerabilities in Planet WGS-804HPT Industrial Switch Expose Critical Risks