News: 1737803533

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Someone is slipping a hidden backdoor into Juniper routers across the globe, activated by a magic packet

(2025/01/25)


Someone has been quietly backdooring selected Juniper routers around the world in key sectors including semiconductor, energy, and manufacturing, since at least mid-2023.

The devices were infected with what appears to be a variant of [1]cd00r , a publicly available "invisible backdoor" designed to operate stealthily on a victim's machine by monitoring network traffic for specific conditions before activating.

It's not yet publicly known how the snoops gained sufficient access to certain organizations' Junos OS equipment to plant the backdoor, which gives them remote control over the networking gear. What we do know is that about half of the devices have been configured as VPN gateways.

[2]

Once injected, the backdoor, dubbed J-magic by Black Lotus Labs this week, resides in memory only and passively waits for one of five possible network packets to arrive. When one of those magic packet sequences is received by the machine, a connection is established with the sender, and a followup challenge is initiated by the backdoor. If the sender passes the test, they get command-line access to the box to commandeer it.

[3]

[4]

As Black Lotus Labs explained in [5]this research note on Thursday: "Once that challenge is complete, J-Magic establishes a reverse shell on the local file system, allowing the operators to control the device, steal data, or deploy malicious software."

While it's not the first-ever discovered [6]magic packet [PDF] malware, the team wrote, "the combination of targeting Junos OS routers that serve as a VPN gateway and deploying a passive listening in-memory-only agent, makes this an interesting confluence of tradecraft worthy of further observation."

[7]

Juniper did not respond to The Register 's inquiries.

Black Lotus Labs said it spotted J-Magic on VirusTotal, and the researchers said the earliest sample had been uploaded in September 2023.

The malware creates an eBPF filter to monitor traffic to a specified network interface and port, and waits until it receives any of five specifically crafted packets from the outside world. If one of these magic packets – described in the lab's report – shows up, the backdoor connects to whoever sent the magic packet using SSL; sends a random, five-character-long alphanumeric string encrypted using a hardcoded public RSA key to the sender; and if the sender can decrypt the string using the private half of the key pair and send it back to the backdoor to verify, the malware will start accepting commands via the connection to run on the box.

[8]

"We suspect that the developer has added this RSA challenge to prevent other threat actors from spraying the internet with magic packets to enumerate victims and then simply repurposing the J-Magic agents for their own purposes, as other nation-state actors are known for exhibiting that [9]parasitic tradecraft such as Turla ," the lab's threat hunters wrote.

Assuming the attacker successfully completes the challenge, they have full access to the router, leaving the victim organization vulnerable to further compromise.

[10]Mystery miscreant remotely bricked 600,000 SOHO routers with malicious firmware update

[11]One of Salt Typhoon's favorite flaws still wide open on 91% of at-risk Exchange Servers

[12]Ransomware scum make it personal for Reg readers by impersonating tech support

[13]Don't want your Kubernetes Windows nodes hijacked? Patch this hole now

These victims span the globe, with the researchers documenting companies in the US, UK, Norway, the Netherlands, Russia, Armenia, Brazil, and Colombia. They included a fiber optics firm, a solar panel maker, manufacturing companies including two that build or lease heavy machinery, and one that makes boats and ferries, plus energy, technology, and semiconductor firms.

While most of the targeted devices were Juniper routers acting as VPN gateways, a more limited set of targeted IP addresses had an exposed NETCONF port, which is commonly used to help automate router configuration information and management.

This suggests the routers are part of a larger, managed fleet such as those in a network service provider, the researchers note.

"We suspect these devices were targeted for their central role in the routing ecosystem," they added. "As routers that are configured with network filters, settings, policies, tracking, and controls, they are valuable as targets for attackers who may want to pivot or persist within an ecosystem."

Black Lotus Labs also published a full list of indicators of compromise, so we'd suggest giving those a read on the security shop's [14]GitHub page . ®

Get our [15]Tech Resources



[1] https://www.giac.org/paper/gcih/342/handle-cd00r-invisible-backdoor/103631

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/networks&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Z5UYt3Bf6DiqvlhPhXaoRgAAAUg&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/networks&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z5UYt3Bf6DiqvlhPhXaoRgAAAUg&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/networks&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z5UYt3Bf6DiqvlhPhXaoRgAAAUg&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[5] https://blog.lumen.com/the-j-magic-show-magic-packets-and-where-to-find-them/

[6] https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf

[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/networks&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z5UYt3Bf6DiqvlhPhXaoRgAAAUg&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[8] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/networks&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z5UYt3Bf6DiqvlhPhXaoRgAAAUg&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[9] https://blog.lumen.com/snowblind-the-invisible-hand-of-secret-blizzard

[10] https://www.theregister.com/2024/05/31/pumoking_eclipse_remote_router_attack/

[11] https://www.theregister.com/2025/01/23/proxylogon_flaw_salt_typhoons_open/

[12] https://www.theregister.com/2025/01/22/ransomware_crews_abuse_microsoft_teams/

[13] https://www.theregister.com/2025/01/24/kubernetes_windows_nodes_bug/

[14] https://github.com/blacklotuslabs/IOCs/blob/main/Jmagic_IOCs.txt

[15] https://whitepapers.theregister.com/



Junos OS

I Am Spartacus

Anyone remember when routers were just routers. You booted your Cisco routers and they loaded from the master configuration. Not some botched implementation of FreeBSD. Oh those were that days. Sure they didn't do much more than, well, route packets. But they were secure (apart from the ones that the NSA installed their custom chips in, alledgedly). Mind you, I also remember some PFY deciding to "upgrade" the config files and losing all of them.

Re: Junos OS

Anonymous Coward

For the last two years, "Junos OS Evolved" now runs on a linux kernel.

Single Packet Authentication FTW, eh?

pitrh

Oh, nice to see somebody actually implemented Singoe Packet Authentication on an industrial scale.

I'm sure portknockers-turned-SPAfanbois will be proud.

For background, this reminds me strongly of of the fortunately long gone days of the noughties through the early twenty-teens when those who thought port knocking was an excellent idea, only to be more or less replaced by the Much More Secure And Actually Excellent idea of Single Packet Authentication.

I wrote a rant about port knocking way back when, "Why Not Use Port Knocking?" (https://nxdomain.no/~peter/why_not_use_port_knocking.html, really part of the "Hail Mary Cloud" sequence -- summary up at https://nxdomain.no/~peter/hailmary_lessons_learned.html).

I suppose you can say at least in some security contexts, size actually matters (at least the size of the data your adversary needs to get right in order to gain access).

It's not cyber war yet...

Fido

When does the prepositioning end and the first cyber war begin?

Prejudice:
A vagrant opinion without visible means of support.
-- Ambrose Bierce