# Full Report
Researchers from Mandiant identified that threat actors have been deploying custom backdoors on Juniper Networks’ Junos OS routers... The post Mandiant uncovers custom backdoors on Juniper Junos OS routers, linked to Chinese espionage group UNC3886 appeared first on Industrial Cyber.
# Analysis Summary
# Threat Actor: UNC3886
## Attribution & Identity
Attributed to a China-linked espionage group. Mandiant found no publicly reported overlap with Volt Typhoon or Salt Typhoon activity.
## Activity Summary
Threat actors have been deploying custom backdoors, based on TINYSHELL, on Juniper Networks’ Junos OS routers since mid-2024. The actors are compromising networking infrastructure, including routers used by Internet Service Providers (ISPs), demonstrating in-depth knowledge of advanced system internals. They target network authentication services (like TACACS+) and terminal servers to gain privileged initial access to Junos OS shell mode. The operations prioritize stealth and long-term persistence through passive backdoors and log tampering.
## Tactics, Techniques & Procedures
- Deployment of custom backdoors based on the public TINYSHELL (written in C using a custom binary protocol).
- Use of active and passive backdoor functions.
- Embedded scripts designed to disable logging mechanisms.
- Process injection to run malware.
- Bypassing the Junos OS Verified Exec (veriexec) subsystem protection (though the specific bypass technique was obscured on EOL devices).
- Compromising the TACACS+ daemon by replacing its binary with a backdoored version to capture credentials.
- Utilizing PITHOOK along with a custom SSH server (based on wzshiming/sshd) to hijack SSH authentications and capture credentials.
- Using REPTILE and MEDUSA (with the SEAELF loader) and BUSYBOX as persistence utilities.
- Use of GHOSTTOWN malware for anti-forensics purposes.
- Previously focused on utilizing legitimate credentials for lateral movement.
## Targeting
- Sectors: Defense, Technology, Telecommunications organizations, and Internet Service Providers (ISPs).
- Geography: U.S. and Asia.
- Victims: Organizations utilizing end-of-life (EOL) Juniper MX routers; generally targets network edge and internal networking infrastructure devices.
## Tools & Infrastructure
- **Malware families used:** Custom backdoors based on **TINYSHELL**, **REPTILE**, **MEDUSA**, **GHOSTTOWN**, **PITHOOK**.
- **Infrastructure:** Custom C2 communications over a custom binary protocol (observed with TINYSHELL); custom SSH server based on wzshiming/sshd. No specific C2 domains or IP addresses are mentioned in the source text.
## Implications
UNC3886 is continuing its campaign of compromising critical networking infrastructure to establish long-term, high-level access to victim networks. Its focus on network devices, which often lack EDR coverage, enhances stealth. Compromise of core routing infrastructure creates the potential for significant future disruption. The actors demonstrate sophisticated capabilities in system internals and anti-forensics.
## Mitigations
- Upgrade Juniper devices to the latest software images released by Juniper Networks, which include mitigations and updated signatures for the Juniper Malware Removal Tool (JMRT).
- Run the JMRT Quick Scan and Integrity Check after the upgrade.
- Implement a centralized Identity and Access Management (IAM) system with multi-factor authentication (MFA) and role-based access control (RBAC).
- Enhance monitoring of high-risk activities on network devices.
- Prioritize vulnerability management, specifically addressing EOL hardware/software.
- Establish a device lifecycle management program.
- Strengthen security through enhanced access controls and network segmentation.
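The integrity check recommended above, and the TACACS+ daemon replacement it is meant to catch, come down to one defensive technique: hash the binaries you care about from a known-good image, keep that baseline off the device, and re-hash later to find files that were swapped or removed. The following is an added illustration of that technique, not JMRT, Juniper or Mandiant code; the file names (`usr/sbin/auth-daemon` and so on) are constructed placeholders rather than real Junos OS paths.

```python
"""File-integrity baseline check (added illustration; not JMRT or vendor code).

Hash a set of monitored binaries from a trusted tree, then compare a live
tree against that baseline and report replaced or missing files. Paths used
in demo() are constructed examples, not real Junos OS locations.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path, relative_paths) -> dict:
    """Map each monitored path to its known-good hash. Run this against a trusted image."""
    return {rel: sha256_file(root / rel) for rel in relative_paths}


def check_integrity(root: Path, baseline: dict) -> dict:
    """Compare the live tree with the baseline; report replaced or removed files."""
    modified, missing = [], []
    for rel, expected in baseline.items():
        live = root / rel
        if not live.is_file():
            missing.append(rel)
        elif sha256_file(live) != expected:
            modified.append(rel)
    return {"modified": sorted(modified), "missing": sorted(missing)}


def _write(root: Path, rel: str, data: bytes) -> None:
    """Helper for the constructed scenario: create a file with parent directories."""
    target = root / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)


def demo() -> dict:
    """Constructed scenario: baseline a clean tree, tamper with it, re-check.

    Returns the integrity report, which should list one modified daemon
    (the stand-in for a swapped authentication daemon) and one missing helper.
    """
    # Placeholder names, not real Junos OS paths.
    monitored = ["usr/sbin/auth-daemon", "usr/sbin/ssh-daemon", "usr/libexec/helper"]
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in monitored:
            _write(root, rel, b"known-good build of " + rel.encode())
        baseline = build_baseline(root, monitored)

        # Simulated tampering: one daemon replaced, one helper deleted.
        _write(root, "usr/sbin/auth-daemon", b"replaced binary")
        (root / "usr/libexec/helper").unlink()

        return check_integrity(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The baseline only means something if it was computed from a trusted image and is stored and signed somewhere the device cannot alter; a host that has already been compromised can misreport its own files, which is why the mitigation list puts the upgrade to a vendor-signed image before running the integrity check.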