A significant number of organizations have been hit by router malware that keeps a low profile by passively sniffing traffic for a trigger instead of calling home. The campaign, dubbed "J-magic" by Black Lotus Labs, targets Juniper routers rather than the more commonly attacked Cisco devices, and concentrates on those sitting at the edge of critical networks.
The malware utilizes a variant of a backdoor known as “cd00r,” which has been around for roughly 25 years. This backdoor remains inactive until it receives a specific trigger known as a “magic packet.” Once activated, it opens a reverse shell, allowing attackers to steal sensitive information, alter device configurations, and propagate malware to other systems.
Danny Adamitis, a principal information security engineer at Black Lotus Labs, emphasizes the growing threats in enterprise environments. He notes, "Although much focus has been placed on small office and home office devices, enterprise devices are equally at risk because they often lack adequate endpoint detection and response (EDR) systems." Such routers, which typically sit in front of the firewall, cannot run host monitoring agents like Sysmon, so attacks against them are harder to detect.
Backdoor Malware Infests Juniper Routers
The exact method by which the attackers gain initial access to these routers remains unclear, but the exposure of the affected devices is well documented. Approximately half of the affected Juniper routers served as virtual private network (VPN) gateways, while the rest had exposed Network Configuration Protocol (NETCONF) ports, which allow remote network administration but also provide an avenue for malicious access. As critical entry points into larger networks, these routers present lucrative targets.
To carry out their attacks, the adversaries position the cd00r malware so that it monitors all TCP traffic entering the edge device. The implant waits for one of five predefined trigger packets, each identified by a specific set of criteria. When a matching packet arrives, the backdoor opens a reverse shell to the attacker's IP address on the port specified in the magic packet.
This method is particularly effective in circumventing the limited detection capabilities typically employed by network defenders. Adamitis explains, “Normally, monitoring traffic from a firewall allows you to identify regular beaconing activity. If there’s constant outbound communication, it can be flagged as suspicious. However, this malware doesn’t generate that kind of repetitive traffic, making it difficult to detect.”
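The detection gap Adamitis describes can be made concrete. The following added example (written for this page, not code from Black Lotus Labs or the article) runs two rules over a constructed firewall connection log: a conventional beaconing detector that scores the regularity of outbound connection intervals, and a complementary rule keyed on who started the session. The beaconing rule catches a workstation calling home once a minute but is blind to the single router-originated connection that a magic-packet reverse shell produces; the second rule catches that one. The hosts, destinations and the allowlist of expected router-initiated traffic are assumptions for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed firewall connection log for illustration (not data from the
# article): (timestamp_seconds, source_ip, destination_ip, destination_port).
# 10.0.0.5 beacons to 203.0.113.9:443 about once a minute; the edge router
# 192.0.2.1 makes a routine NTP query and, later, one outbound connection to
# 198.51.100.7:4444 (the shape of a reverse shell); 10.0.0.7 browses irregularly.
CONNECTION_LOG = [
    (0, "10.0.0.5", "203.0.113.9", 443),
    (5, "10.0.0.7", "203.0.113.50", 443),
    (40, "10.0.0.7", "203.0.113.50", 443),
    (61, "10.0.0.5", "203.0.113.9", 443),
    (100, "192.0.2.1", "203.0.113.123", 123),
    (119, "10.0.0.5", "203.0.113.9", 443),
    (181, "10.0.0.5", "203.0.113.9", 443),
    (240, "10.0.0.5", "203.0.113.9", 443),
    (299, "10.0.0.5", "203.0.113.9", 443),
    (300, "10.0.0.7", "203.0.113.50", 443),
    (310, "10.0.0.7", "203.0.113.50", 443),
    (361, "10.0.0.5", "203.0.113.9", 443),
    (420, "10.0.0.5", "203.0.113.9", 443),
    (900, "10.0.0.7", "203.0.113.50", 443),
    (1300, "192.0.2.1", "198.51.100.7", 4444),
]

# ASSUMPTION: the defender maintains a baseline of destinations an edge router
# is expected to initiate itself (NTP, syslog, vendor updates). Kept inline here.
EDGE_HOSTS = {"192.0.2.1"}
EXPECTED_EDGE_DESTINATIONS = {("203.0.113.123", 123)}


def find_beacons(log, min_count=5, max_cv=0.2):
    """Flag (src, dst, dport) flows whose connection intervals are regular.

    Regularity is the coefficient of variation (stdev / mean) of the gaps
    between connections; a low value over enough samples is the repetitive
    signature that firewall-based beacon detection relies on.
    """
    timestamps = defaultdict(list)
    for ts, src, dst, dport in log:
        timestamps[(src, dst, dport)].append(ts)
    beacons = set()
    for flow, times in timestamps.items():
        if len(times) < min_count:
            continue  # a one-off reverse shell never reaches this threshold
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons.add(flow)
    return beacons


def find_edge_initiated(log, edge_hosts=EDGE_HOSTS,
                        expected=EXPECTED_EDGE_DESTINATIONS):
    """Flag sessions that an edge device itself opened to a destination
    outside its baseline.

    A magic-packet backdoor produces no beacon, so the only network artifact
    is a single router-originated connection; catching it needs a rule keyed
    on who started the session rather than on rhythm.
    """
    return [entry for entry in log
            if entry[1] in edge_hosts and (entry[2], entry[3]) not in expected]


if __name__ == "__main__":
    print("beaconing flows:", find_beacons(CONNECTION_LOG))
    print("edge-initiated anomalies:", find_edge_initiated(CONNECTION_LOG))
```

On this log the beacon rule reports only the workstation flow, while the router's 4444 connection is reported solely by the edge-initiated rule; in practice the baseline must be tuned so that routine router traffic does not drown the alert.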
Receiving the magic packet alone does not complete the activation of a J-magic implant. To verify that the session is being opened by the real operator and not by someone who has merely discovered the trigger, the cd00r backdoor sends an encrypted "challenge" string. Only when the challenge is correctly returned, which requires the attacker's private key, does control of the reverse shell pass to the operator, who can then manipulate the infected router, steal data, and deploy additional malware.
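The challenge-response step is a standard public-key proof of possession, and its value is that a magic packet on its own is not enough. The following added example (illustrative code written for this page, not the implant's own code) models both sides of the exchange: the implant encrypts a random challenge under an embedded public key, the operator decrypts it with the private key and echoes the plaintext, and the implant compares in constant time before handing anything over. The RSA parameters are deliberately tiny textbook values (p=61, q=53, e=17) so the arithmetic is readable; they, the per-character encryption, and the five-letter challenge format are assumptions of this example, not details from the article.

```python
import hmac
import secrets
import string

# Toy RSA key pair so the arithmetic stays readable. ASSUMPTION: illustrative
# values only; a real implant would embed a full-size public key. With p=61,
# q=53, e=17 the private exponent d works out to the classic 2753.
P, Q, E = 61, 53, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
PUBLIC_KEY = (E, N)      # compiled into the implant
PRIVATE_KEY = (D, N)     # held only by the operator

CHALLENGE_ALPHABET = string.ascii_letters


def make_challenge(length=5):
    """Random challenge the implant issues once a magic packet has matched."""
    return "".join(secrets.choice(CHALLENGE_ALPHABET) for _ in range(length))


def encrypt_challenge(plaintext, public_key):
    """Implant side: encrypt each character under the embedded public key."""
    e, n = public_key
    return [pow(ord(ch), e, n) for ch in plaintext]


def decrypt_challenge(ciphertext, private_key):
    """Operator side: recover the challenge; only the private key can do this."""
    d, n = private_key
    return "".join(chr(pow(c, d, n)) for c in ciphertext)


def verify_response(expected, response):
    """Implant side: constant-time comparison before handing over the shell."""
    return hmac.compare_digest(expected.encode("utf-8"), response.encode("utf-8"))


def run_handshake(operator_private_key, challenge=None):
    """Simulate the exchange: issue a challenge, answer it, verify the answer.

    Returns True only when the responder holds the matching private key, so a
    third party who merely replays a magic packet never gets the shell.
    """
    challenge = challenge or make_challenge()
    ciphertext = encrypt_challenge(challenge, PUBLIC_KEY)
    response = decrypt_challenge(ciphertext, operator_private_key)
    return verify_response(challenge, response)


if __name__ == "__main__":
    print("operator with the real key:", run_handshake(PRIVATE_KEY))
    print("impostor with a wrong key: ", run_handshake((D + 1, N)))
```

The defensive lesson is the mirror image: because the shell only opens after a successful response, a scanner that sends candidate trigger packets will see nothing unless it also holds the key, so active probing for the implant is far less useful than watching for the router-originated connection it eventually makes.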
Evidence suggests that J-magic infections began appearing around September 2023, with a marked increase in the spring and summer of 2024. Victims have been identified in the United States, United Kingdom, Russia, Norway, and India, across sectors including construction, bioengineering, insurance, and IT services.
Blind Spot in Edge Network Cybersecurity
A striking aspect of the cd00r backdoor is its longevity. Published as a proof of concept on Packet Storm in 2000, it remains effective roughly 25 years later, a reminder of how little has changed in edge network security.
Adamitis points out, “While corporate laptops are typically protected with tools like Windows Defender and various EDR solutions, edge devices frequently lack any security measures.” He argues that this absence provides attackers a hidden opportunity to exploit these older malware variants without detection.
He further notes, "The reporting surrounding enterprise-grade routers is often sparse. Our findings indicate a potential gap in visibility concerning perimeter defenses that needs to be addressed." This underscores the need for greater awareness and better monitoring of edge networks to mitigate the risk posed by such long-lived malware.
Source: www.darkreading.com