- Researchers from Mandiant saw a new hacking campaign targeting Juniper Networks routers
- They attributed it to a Chinese actor, targeting telcos, defense, and tech firms
- Users are urged to upgrade and scan their devices
Chinese hackers are targeting Juniper Networks routers with different modifications of a backdoor malware, in an attempt to access defense, technology, and telecommunications organizations in the US, and Asia.
Google’s cybersecurity team Mandiant wrote an in-depth analysis on the group earlier today. As per the report, the researchers first spotted malicious activity in mid-2024, and attributed it to the China-nexus espionage group UNC3886.
TechRadar Pro has reported about this threat actor on numerous occasions in the past, when they were observed targeting VMware, Ivanti VPN, and other products, with backdoors and malware.
Six malware samples
Mandiant says that the attackers infiltrated Junos OS-powered devices by circumventing Veriexec, (Verified Exec), the device’s kernel-based file integrity subsystem that protects the OS from unauthorized code binaries such as libraries and scripts.
“Execution of untrusted code is still possible if it occurs within the context of a trusted process,” the researchers explained. “Mandiant’s investigation revealed that UNC3886 was able to circumvent this protection by injecting malicious code into the memory of a legitimate process.”
UNC3886 targeted its victims with six distinct malware samples, all of which are a variant of the TINYSHELL backdoor with unique capabilities. While all have the same core backdoor functionality, they differ in terms of activation methods and different OS-specific features.
Mandiant says that the attackers “continue to show a deep understanding of the underlying technology” of the appliances being targeted, and recommended users upgrade their Juniper devices to the latest images. These include mitigations and updated signatures for the Juniper Malware Removal Tool (JMRT), which should be activated after the upgrade to scan the integrity of the endpoints.
“At the time of writing, Mandiant has not identified any technical overlaps between activities detailed in this blog post and those publicly reported by other parties as Volt Typhoon or Salt Typhoon,” Mandiant added, suggesting that Salt Typhoon, Volt Typhoon, and UNC3886, are distinct entities (but possibly working under the same umbrella).
