Someone is slipping a hidden backdoor into Juniper routers across the globe, activated by a magic packet

[max_1]

Someone is slipping a hidden backdoor into Juniper routers across the globe, activated by a magic packet

Original Article link : [Please login or register to view this link]
Additional links : [Please login or register to view this link]

These days news is taken down faster than a Amsterdam hoe's pants so as a policy I copy and paste the original contents with a screen clipping, all available within the spoiler below:

► Show Spoiler

Who could be so interested in chips, manufacturing, and more, in the US, UK, Europe, Russia...
[Please login or register to view this link]
Sat 25 Jan 2025 // 11:12 UTC

Someone has been quietly backdooring selected Juniper routers around the world in key sectors including semiconductor, energy, and manufacturing, since at least mid-2023.

The devices were infected with what appears to be a variant of cd00r, (Click the spoiler link below to view and download the pdf on cd00r)

► Show Spoiler

a publicly available "invisible backdoor" designed to operate stealthily on a victim's machine by monitoring network traffic for specific conditions before activating.

It's not yet publicly known how the snoops gained sufficient access to certain organizations' Junos OS equipment to plant the backdoor, which gives them remote control over the networking gear. What we do know is that about half of the devices have been configured as VPN gateways.

Once injected, the backdoor, dubbed J-magic by Black Lotus Labs this week, resides in memory only and passively waits for one of five possible network packets to arrive. When one of those magic packet sequences is received by the machine, a connection is established with the sender, and a follow up challenge is initiated by the backdoor. If the sender passes the test, they get command-line access to the box to commandeer it.

As Black Lotus Labs explained in [Please login or register to view this link] on Thursday: "Once that challenge is complete, J-Magic establishes a reverse shell on the local file system, allowing the operators to control the device, steal data, or deploy malicious software."

While it's not the first-ever discovered magic packet
Click the below spoiler button to view the pdf on magic packets

► Show Spoiler

malware, the team wrote, "the combination of targeting Junos OS routers that serve as a VPN gateway and deploying a passive listening in-memory-only agent, makes this an interesting confluence of tradecraft worthy of further observation."

Juniper did not respond to The Register's inquiries.

Black Lotus Labs said it spotted J-Magic on VirusTotal, and the researchers said the earliest sample had been uploaded in September 2023.

The malware creates an eBPF filter to monitor traffic to a specified network interface and port, and waits until it receives any of five specifically crafted packets from the outside world. If one of these magic packets – described in the lab's report – shows up, the backdoor connects to whoever sent the magic packet using SSL; sends a random, five-character-long alphanumeric string encrypted using a hardcoded public RSA key to the sender; and if the sender can decrypt the string using the private half of the key pair and send it back to the backdoor to verify, the malware will start accepting commands via the connection to run on the box.

"We suspect that the developer has added this RSA challenge to prevent other threat actors from spraying the internet with magic packets to enumerate victims and then simply repurposing the J-Magic agents for their own purposes, as other nation-state actors are known for exhibiting that [Please login or register to view this link] the lab's threat hunters wrote.

Assuming the attacker successfully completes the challenge, they have full access to the router, leaving the victim organization vulnerable to further compromise.

• [Please login or register to view this link]
• [Please login or register to view this link]
• [Please login or register to view this link]
• [Please login or register to view this link]

These victims span the globe, with the researchers documenting companies in the US, UK, Norway, the Netherlands, Russia, Armenia, Brazil, and Colombia. They included a fiber optics firm, a solar panel maker, manufacturing companies including two that build or lease heavy machinery, and one that makes boats and ferries, plus energy, technology, and semiconductor firms.

While most of the targeted devices were Juniper routers acting as VPN gateways, a more limited set of targeted IP addresses had an exposed NETCONF port, which is commonly used to help automate router configuration information and management.

This suggests the routers are part of a larger, managed fleet such as those in a network service provider, the researchers note.

"We suspect these devices were targeted for their central role in the routing ecosystem," they added. "As routers that are configured with network filters, settings, policies, tracking, and controls, they are valuable as targets for attackers who may want to pivot or persist within an ecosystem."

Black Lotus Labs also published a full list of indicators of compromise, so we'd suggest giving those a read on the security shop's [Please login or register to view this link]

The Review

If you read the highlighted words it would strongly suggest that a well organised entity with "special access" has and is using this method to hack. Points to note:

• It's not a random and unconfigured magic packets used but an encrypted magic packet with SSL and RSA level encryption with both a public and private key involved, this is to ensure "exclusive access" to the hacker without the threat of other hackers
• This method of attack is not from your pre-pubescent bedroom hacker but a very well organised and highly qualified group of attackers.
• The key focus here is to see that the attackers want to control the manufacturing process
• They want specifically to gain access to semiconductors refers to a material that can be altered to conduct electrical current or block its passage.
• Another question to ask is "Exactly who executed this type of attack within the last year?"
• And lastly you need to know that Juniper OS is owned and written by Juniper Networks company which is owned by HP! Hewlett Packard. see [Please login or register to view this link] article in the boycott list forum
• Why have both Juniper Networks and HP refuse to comment?

All of this points to Israhell, yes you can call me a conspiracy theorist however the facts to consider lead to only one entity. You are welcome to disagree with an explanation.

Israhell has set off the electrical overcharge on communications devices Hamas were using, could this be the method used?