Full Report
Beginning December 11, customers started reporting “suspicious behavior” on their Session Smart Routers, Juniper says, and they had one thing in common: They were still using the factory-set passwords on the devices.
Analysis Summary
# Incident Report: Widespread Mirai Infection via Default Router Credentials
## Executive Summary
Beginning on December 11, 2024, Juniper Networks customers reported suspicious behavior on their Session Smart Routers. The common factor was that the devices were still using factory-default passwords, which a variant of the Mirai malware used to log in and enrol them in a botnet. Infected routers were then used as sources of Distributed Denial of Service (DDoS) traffic, flooding external websites with junk packets. Juniper advised customers to replace the default credentials immediately and, where infection is confirmed, to reimage the router, which it described as the only certain way to remove the malware.
## Incident Details
- Discovery Date: Beginning December 11, 2024
- Incident Date: Ongoing at the time of discovery; individual devices were compromised before the customer reports surfaced the problem.
- Affected Organization: Juniper Networks customers utilizing Session Smart Routers.
- Sector: Information Technology/Networking Equipment (Vendor Advisory Context)
- Geography: Not disclosed; the advisory applies to all customers running the affected devices.
## Timeline of Events
### Initial Access
- Date/Time: Prior to and ongoing from December 11, 2024.
- Vector: Internet-wide automated scanning for Session Smart Routers that still accept their factory-set passwords.
- Details: A Mirai variant scanned the Internet for reachable Session Smart Routers, tried the factory-default credentials, and enrolled every device that accepted them into the botnet.
### Lateral Movement
- *Not described in the advisory. Classic Mirai behavior is that each infected device contacts its command-and-control server and then scans the public Internet for further victims; the original Mirai scanner deliberately skips private address ranges, so infections spread device-to-device across the Internet rather than laterally inside the owner's network. The advisory does not say whether this variant behaves the same way.*
### Data Exfiltration/Impact
- **Impact:** Infected routers were used to launch Distributed Denial of Service (DDoS) attacks against unspecified websites, flooding them with junk traffic. Mirai-derived botnets have also been used to deliver cryptominers and to run click fraud, so DDoS is not the only use a captured device can be put to.
### Detection & Response
- **Detection:** Customers began reporting "suspicious behavior" on their Session Smart Routers starting December 11, 2024.
- **Response Actions:** Juniper Networks published an advisory identifying the root cause (unchanged factory-default passwords) and the corrective actions: change the password, and reimage any device with a confirmed infection.
## Attack Methodology
Based on the known behavior of Mirai and the details provided:
- **Initial Access:** Exploitation of weak/default administrative credentials on network devices (Juniper Session Smart Routers).
- **Persistence:** Not described in the advisory. Classic Mirai runs only in memory and does not survive a reboot, but a rebooted device that still has its default credentials is typically reinfected within minutes, so a reboot is not a fix; Juniper's reimage guidance also covers variants that do write themselves to storage.
- **Privilege Escalation:** Not necessary, as access was gained directly via administrative credentials.
- **Defense Evasion:** No software exploit was involved, only a valid login with known default credentials. Such logins produce ordinary "Accepted" authentication events, which monitoring that only alerts on failed logins does not flag.
- **Credential Access:** None required; the factory-default credentials were already known to the attacker.
- **Discovery:** Internet-wide automated scanning for devices whose management interface accepts the default credentials.
- **Lateral Movement:** Not the primary focus; the goal was botnet recruitment, and an infected device's scanning targets further Internet hosts rather than the owner's internal network.
- **Collection:** N/A (Botnet recruitment for external attacks).
- **Exfiltration:** N/A (Primary goal was resource hijacking for DDoS).
- **Impact:** CPU and bandwidth on the router consumed by the scanner and by the DDoS traffic it sends.
## Impact Assessment
- **Financial:** Remediation effort (credential rotation, reimaging, staff time) and bandwidth consumed by attack traffic leaving the device. No figures were provided.
- **Data Breach:** No mention of customer data theft; impact was related to device hijacking and resource abuse.
- **Operational:** Degraded router performance while the malware runs, and the owner's addresses appearing as a DDoS source, which can draw upstream filtering or abuse complaints.
- **Reputational:** Negative impact on the perception of the security posture of affected Session Smart Router installations.
## Indicators of Compromise
*Note: Actual indicators (IPs, specific file names, hashes) were not provided in this summary, only behaviors.*
- **Network indicators:** Increased outbound internet traffic spikes, unusual port scanning originating from the router.
- **File indicators:** N/A (Malware artifacts not cataloged in this summary).
- **Behavioral indicators:** Unexplained CPU load, processes or listening services the operator did not configure, and successful logins with a factory-default username on the administrative interface. Because the attacker authenticates with valid credentials, the successful login itself is the indicator; a failed-login count alone will miss it.
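The network and behavioral indicators above can be checked mechanically. The following is an added example, not Juniper's tooling and not code from the original page: it parses constructed syslog-style authentication and flow records and flags the three behaviors listed, successful logins with a default username, repeated failed logins from one source, and a router fanning out to many destinations on telnet/SSH ports. The log format, the host name, the addresses and the `DEFAULT_USERNAMES` set are assumptions for illustration.

```python
"""Detect the behavioral indicators above in router syslog.

Added example; this is not Juniper's tooling and not code from the original
page. The syslog format, the host name, the IP addresses and the default
username list are constructed for illustration. Point the regexes at your
own collector's format and take the default account names from the vendor's
documentation.
"""
import re
from collections import defaultdict

# ASSUMPTION: usernames treated as factory defaults. Replace with the accounts
# the vendor documents for your platform.
DEFAULT_USERNAMES = {"admin", "root"}

# Ports a Mirai-style scanner probes: telnet (23/2323) in the original, SSH (22)
# in many later variants.
SCAN_PORTS = {22, 23, 2323}

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"(?P<result>Accepted|Failed)\spassword\sfor\s(?:invalid user\s)?"
    r"(?P<user>\S+)\sfrom\s(?P<src>[\d.]+)\sport\s\d+"
)
FLOW_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\sflow:\s"
    r"(?P<src>[\d.]+):\d+\s->\s(?P<dst>[\d.]+):(?P<dport>\d+)\sproto=tcp"
)


def default_account_logins(lines):
    """Successful logins with a factory-default username: (host, user, source)."""
    hits = []
    for line in lines:
        m = AUTH_RE.match(line)
        if m and m["result"] == "Accepted" and m["user"] in DEFAULT_USERNAMES:
            hits.append((m["host"], m["user"], m["src"]))
    return hits


def brute_force_sources(lines, threshold=5):
    """Source addresses with at least `threshold` failed password attempts."""
    failures = defaultdict(int)
    for line in lines:
        m = AUTH_RE.match(line)
        if m and m["result"] == "Failed":
            failures[m["src"]] += 1
    return {src: n for src, n in failures.items() if n >= threshold}


def outbound_scanners(lines, threshold=8):
    """(host, source) pairs that opened connections to at least `threshold`
    distinct destinations on scan ports. A router that fans out to many
    unrelated addresses on telnet/SSH ports is behaving like a Mirai scanner."""
    targets = defaultdict(set)
    for line in lines:
        m = FLOW_RE.match(line)
        if m and int(m["dport"]) in SCAN_PORTS:
            targets[(m["host"], m["src"])].add(m["dst"])
    return {key: len(d) for key, d in targets.items() if len(d) >= threshold}


# Constructed sample log: five failed guesses, a successful login with the
# default "admin" account, a legitimate login, one benign flow, then the
# router probing ten unrelated addresses on telnet.
SAMPLE_LOG = (
    [f"Dec 11 03:14:0{i} ssr-edge-1 sshd[119{i}]: Failed password for root "
     f"from 198.51.100.7 port 5150{i} ssh2" for i in range(1, 6)]
    + [
        "Dec 11 03:14:07 ssr-edge-1 sshd[1201]: Accepted password for admin "
        "from 198.51.100.7 port 51522 ssh2",
        "Dec 11 03:20:00 ssr-edge-1 sshd[1250]: Accepted password for netops "
        "from 10.0.0.5 port 40010 ssh2",
        "Dec 11 03:21:00 ssr-edge-1 flow: 192.0.2.10:44010 -> 10.0.0.50:443 proto=tcp",
    ]
    + [f"Dec 11 03:22:{i:02d} ssr-edge-1 flow: 192.0.2.10:4{i:04d} "
       f"-> 203.0.113.{i}:23 proto=tcp" for i in range(1, 11)]
)


def run_detections(lines):
    """Run all three detections and return their findings in one dict."""
    return {
        "default_account_logins": default_account_logins(lines),
        "brute_force_sources": brute_force_sources(lines),
        "outbound_scanners": outbound_scanners(lines),
    }


if __name__ == "__main__":
    for name, finding in run_detections(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

The first detection is the one that matters for this incident: the attacker authenticates with valid credentials, so the relevant event is an accepted login, and a rule that only counts failures would catch the noisy guessing that preceded it while missing the compromise itself.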
## Response Actions
- **Containment:** Replace the factory-default password with a strong, unique one immediately; this also closes the path by which a rebooted device gets reinfected.
- **Eradication:** For confirmed infections, Juniper stated the **only certain way** to stop the threat is by **reimaging the system**.
- **Recovery:** After remediation, monitor for the indicators above, in particular renewed outbound scanning and login attempts against the management interface.
## Lessons Learned
- **Key Takeaways:** Devices left with factory-default credentials remain a critical weak point in IoT and network infrastructure security, and automated scanning for them is a cheap, reliably successful attack technique.
- **What could have been done better:** The default passwords were never changed at deployment, which is the first step of basic device hardening.
## Recommendations
- Immediately audit all Juniper Session Smart Routers (and other network devices) to ensure factory/default passwords have been replaced with strong, unique credentials.
- Continuously monitor routers for unexpected outbound traffic spikes and for login attempts, failed and successful, against management interfaces.
- For any device confirmed to host Mirai or similar malware, perform a full system reimage to guarantee complete eradication.
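For the first recommendation, the audit of an inventory for devices that still accept default credentials can be scripted. This is an added example, not Juniper's tooling and not code from the original page; the `Device` inventory, the `DEFAULT_CREDS` pairs and `demo_transport` are constructed placeholders, and the real `ssh_password_login` transport assumes paramiko is installed. Substitute the vendor's documented factory accounts and run it only against devices you are authorized to test.

```python
"""Sweep an inventory for devices that still accept factory-default credentials.

Added example; not Juniper's tooling and not code from the original page.
The inventory, the credential list and the demo transport are constructed
placeholders: feed the audit your own inventory export and the factory
accounts from the vendor's documentation, and run it only against devices
you are authorized to test.
"""
import time
from dataclasses import dataclass, field


@dataclass
class Device:
    name: str
    host: str
    port: int = 22


@dataclass
class AuditResult:
    device: Device
    accepted: list = field(default_factory=list)  # (user, password) pairs that worked
    errors: list = field(default_factory=list)    # transport failures, not auth failures

    @property
    def exposed(self) -> bool:
        return bool(self.accepted)


# ASSUMPTION: generic placeholder pairs, not any vendor's actual defaults.
DEFAULT_CREDS = [("admin", "admin"), ("root", "root")]


def ssh_password_login(host, port, username, password, timeout=5.0):
    """Real transport: one SSH password attempt.

    Returns True on success, False when the device rejects the password, and
    raises on connection problems. Needs paramiko (assumption: installed).
    Host keys are accepted unverified because an inventory sweep rarely has
    them on file; nothing sensitive is sent beyond the default password.
    """
    import paramiko
    client = paramiko.SSHClient()
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    try:
        client.connect(host, port=port, username=username, password=password,
                       timeout=timeout, allow_agent=False, look_for_keys=False)
        return True
    except paramiko.AuthenticationException:
        return False
    finally:
        client.close()


def audit_devices(devices, default_creds, try_login=ssh_password_login, delay=1.0):
    """Try each default pair once per device; a device is exposed if any is accepted.

    One attempt per pair with a pause between attempts keeps the sweep below
    lockout thresholds and clearly distinct from the brute-force traffic it is
    meant to pre-empt.
    """
    results = []
    for dev in devices:
        res = AuditResult(dev)
        for username, password in default_creds:
            try:
                if try_login(dev.host, dev.port, username, password):
                    res.accepted.append((username, password))
            except Exception as exc:  # unreachable host, banner timeout, ...
                res.errors.append(f"{username}: {exc}")
                break  # other pairs will fail the same way
            if delay:
                time.sleep(delay)
        results.append(res)
    return results


def exposed_devices(results):
    """Names of devices that accepted at least one default pair."""
    return [r.device.name for r in results if r.exposed]


# Constructed demo inventory and transport so the sweep runs offline: one
# device still on admin/admin, one hardened, one unreachable.
DEMO_INVENTORY = [
    Device("ssr-edge-1", "192.0.2.10"),
    Device("ssr-edge-2", "192.0.2.11"),
    Device("ssr-lab-3", "192.0.2.12"),
]


def demo_transport(host, port, username, password):
    if host == "192.0.2.12":
        raise ConnectionError("connect timed out")
    return host == "192.0.2.10" and (username, password) == ("admin", "admin")


if __name__ == "__main__":
    for r in audit_devices(DEMO_INVENTORY, DEFAULT_CREDS, try_login=demo_transport, delay=0):
        status = "EXPOSED" if r.exposed else ("error" if r.errors else "ok")
        print(f"{r.device.name:<12} {status:<8} {r.accepted or r.errors}")
```

The transport is injected so the logic can be exercised offline, as the demo does. With the real transport, keep the per-attempt delay: every attempt, accepted or rejected, lands in the device's authentication log, and whoever reviews those logs should be told about the sweep so it is not mistaken for the attacker's brute-force pattern.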