Wed Mar 12 2025

Chinese hackers attack Juniper Networks routers, immediate patching is recommended.

Organizations in the defense, technology, and telecommunications sectors are being targeted in attacks that use backdoors.

Mandiant researchers have identified a new cyberattack campaign targeting Juniper Networks routers, attributed to a group of Chinese actors. This group has primarily focused its efforts on telecommunications, defense, and technology companies, both in the United States and Asia. In a detailed analysis published recently, Mandiant highlighted that these malicious activities were first detected in mid-2024 and are associated with the espionage group UNC3886, known for its previous attacks on products like VMware and Ivanti VPN, using backdoors and other types of malware.

The attackers have exploited a critical vulnerability in Juniper's Session Smart routers, managing to bypass Veriexec, a file integrity subsystem of the Junos operating system that protects against the execution of unauthorized code. Researchers explained that these attackers can execute malicious code by injecting it into the memory of legitimate processes, allowing them to evade the defenses meant to protect the system.

Mandiant has identified six distinct malware samples used by UNC3886, all variants of the TINYSHELL backdoor, each with unique capabilities. While they share the same basic functionality, they differ in activation methods and specific features for different operating systems.

Experts recommend that users of Juniper devices update their software to the latest versions, which include mitigations and updated signatures for the Juniper Malware Removal Tool (JMRT). After the update, it is advisable to use this tool to verify the integrity of endpoints.

Additionally, Mandiant emphasized that it has not found technical correlations between the activities of UNC3886 and the publicly reported activities of other groups known as Volt Typhoon or Salt Typhoon, suggesting that these could be distinct entities, although potentially operating under the same umbrella.