Chinese cyberespionage group deploys custom backdoors on Juniper routers
File integrity protections were bypassed: The attackers' initial access to the Juniper MX routers analyzed by Mandiant appears to have been achieved with legitimate credentials. While UNC3886 has developed and used zero-day exploits to compromise network-edge devices in the past, the group actively collects credentials on compromised networks for lateral movement, in support of its goal of long-term persistent access.

Junos OS provides administrators with a custom command-line interface (CLI) for issuing Junos-specific commands, but it also allows switching to the underlying FreeBSD shell and using the general FreeBSD command-line tools and programs.

The OS also implements a modified variant of NetBSD Verified Exec (veriexec), a kernel-based file integrity verification subsystem meant to prevent the execution of unauthorized binaries. Deploying and running any malware implant therefore requires either bypassing this feature or disabling it entirely, and disabling it could raise alerts.

UNC3886 developed a complex process injection technique to bypass veriexec: it creates a hung process from the built-in, legitimate cat utility, writes a malicious shellcode loader into specific memory locations assigned to that cat process, and then tricks the process into executing that code. Because the malicious code ran inside a trusted process, veriexec was bypassed.

Highly customized TINYSHELL variants were used: The shellcode loader was then used to execute a position-independent code (PIC) variant of TINYSHELL stored in a file called lmpad, which mimics the name of the legitimate lmpd (link management protocol daemon) process.

In addition to the standard TINYSHELL capabilities (remote file upload, remote file download and remote shell session), the lmpad variant can hook into two legitimate Junos OS processes to disable logging before a remote operator connects to the backdoor. "The main purpose of this malware is to disable all possible logging before the operator connects to the router to perform hands-on activities and then later restore the logs after the operator disconnects," the researchers said.

The backdoor contains five custom commands. Beyond the default TINYSHELL functionality, these allow disabling and restoring logging functions, encrypting the interactive shell session traffic over UDP, backing up and restoring the Juniper router configuration database, and updating the communication socket timeout value.

But lmpad is just one of six TINYSHELL variants that UNC3886 deployed on various compromised routers. Each has significantly different customizations and Junos-related capabilities added to it.

The attacks employed operational relay box networks: Another variant, called appid and masquerading as the legitimate appidd (application identification daemon), is an active backdoor in addition to a passive one that waits for incoming connections. It actively tries to establish a connection with a list of four hardcoded IP addresses that are part of an ORB network and point to a command-and-control (C2) server.

Operational relay box (ORB) networks are essentially botnets of compromised devices and virtual private servers used to proxy malicious traffic. They have become a commonly used asset of Chinese cyberespionage groups in recent years, and their purpose is to complicate attribution.

Another instance of this TINYSHELL variant, with different hardcoded C2 IP addresses, was observed under the file name "to", which likely mimics the legitimate binary top (table of processes).

A fourth variant, named irad, implements a libpcap-based packet sniffer that monitors traffic on all network interfaces and waits for a magic packet in an ICMP ECHO request to activate its active backdoor functionality.

The fifth variant, jdosd, was likely named after the Juniper DDoS protection daemon (jddosd) process. It is a passive backdoor that binds to UDP port 33512 and uses a custom RC4 implementation to encrypt its traffic.

Finally, the sixth sample, called oemd after the legitimate operation, administration and maintenance daemon (oamd), communicates with the C2 server over TCP instead of UDP, and its traffic is encrypted with AES. Its configuration is stored in environment variables.

All the samples use a custom AF_ROUTE socket to communicate with the OS routing subsystem. This socket uses custom messages and is specific to Junos OS. Running the samples on a standard FreeBSD installation would result in an invalid socket error, which makes clear that the samples were created specifically for Junos OS and that the attackers spent time understanding the OS networking internals.

"The compromise of routing devices is a recent trend in the tactics of espionage-motivated adversaries as it grants the capability for a long-term, high-level access to the crucial routing infrastructure, with a potential for more disruptive actions in the future," the Mandiant researchers warned. "A concerted effort is required to safeguard these critical systems and ensure the continued stability and security of the internet."
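The observable traits listed above (daemon names one character off a legitimate Junos daemon such as lmpad/lmpd, appid/appidd, to/top, jdosd/jddosd and oemd/oamd; a long-lived cat process of the kind the injection technique leaves behind; a UDP listener on port 33512) lend themselves to a simple triage pass over process and socket listings. The following Python helper is an added example, not code from the article or from Mandiant's report. The listing formats, the daemon baseline, the Levenshtein threshold and the cat age threshold are assumptions for illustration; on a real device the data would come from `show system processes` and `show system connections` (or `ps` and `netstat` from the FreeBSD shell), and the regexes would need adjusting to the real column layout.

```python
"""Added triage helper: flag TINYSHELL-style lookalike daemon names, a long-lived
'cat' process and the jdosd UDP listener in Junos process and socket listings.

The listings below are constructed, simplified stand-ins for the output of
'show system processes' / 'ps' and 'show system connections' / 'netstat'.
"""
import re
from typing import List, Optional, Tuple

# Legitimate Junos daemons the reported variants imitate (lmpd, appidd, top,
# jddosd, oamd) plus a few other common Junos daemons as a baseline (assumption).
LEGIT_DAEMONS = {
    "lmpd", "appidd", "top", "jddosd", "oamd",
    "rpd", "mgd", "chassisd", "dcd", "snmpd", "sshd", "eventd", "pfed",
}
SUSPECT_UDP_PORTS = {33512}   # listener port reported for the jdosd variant
CAT_MAX_SECONDS = 60          # assumed threshold for a 'hung' cat process

# Constructed listing: PID  ELAPSED_SECONDS  COMMAND
PROC_LISTING = """\
  1212      86400  rpd
  1301      86400  lmpd
  4417      86400  lmpad
  4420      86400  appid
  4431        900  to
  4502      86400  irad
  4510      86400  jdosd
  4522      86400  oemd
  4599       7200  cat
  4600          2  cat
"""

# Constructed socket listing in FreeBSD netstat layout.
SOCKET_LISTING = """\
Proto Recv-Q Send-Q  Local Address          Foreign Address
tcp4       0      0  *.22                   *.*
udp4       0      0  *.161                  *.*
udp4       0      0  *.33512                *.*
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot names one character off a legit daemon."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str) -> Optional[str]:
    """Legit daemon that 'name' imitates (distance exactly 1), or None.
    Exact matches are legitimate; a threshold of 1 keeps short names like
    'ps' or 'sh' from producing false positives."""
    if name in LEGIT_DAEMONS:
        return None
    hits = [d for d in LEGIT_DAEMONS if edit_distance(name, d) == 1]
    return min(hits) if hits else None


def triage_processes(listing: str) -> List[Tuple[str, str]]:
    """Return (pid, reason) for lookalike daemon names and long-lived cat processes."""
    findings = []
    for line in listing.splitlines():
        m = re.match(r"\s*(\d+)\s+(\d+)\s+(\S+)", line)
        if not m:
            continue
        pid, elapsed, cmd = m.group(1), int(m.group(2)), m.group(3)
        target = lookalike_of(cmd)
        if target:
            findings.append((pid, f"{cmd} looks like legitimate daemon {target}"))
        if cmd == "cat" and elapsed > CAT_MAX_SECONDS:
            findings.append((pid, f"cat alive for {elapsed}s; possible hung-process injection host"))
    return findings


def triage_sockets(listing: str) -> List[Tuple[str, str]]:
    """Return (socket, reason) for UDP listeners on ports tied to known variants."""
    findings = []
    for line in listing.splitlines():
        m = re.match(r"\s*(udp\d?)\s+\d+\s+\d+\s+(\S+?)\.(\d+)\s", line)
        if m and int(m.group(3)) in SUSPECT_UDP_PORTS:
            findings.append((f"{m.group(1)} {m.group(2)}.{m.group(3)}",
                             "UDP listener on port associated with the jdosd variant"))
    return findings


if __name__ == "__main__":
    for item, why in triage_processes(PROC_LISTING) + triage_sockets(SOCKET_LISTING):
        print(f"[!] {item}: {why}")
```

Note that the irad variant is not caught by the name check (the article does not say which daemon it imitates), which is the point of pairing name heuristics with socket and process-age checks rather than relying on any one indicator.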

How to mitigate attacks on Juniper routers: Another reason attackers go after such devices is that they generally lack advanced security monitoring and detection capabilities, such as the ability to run endpoint detection and response (EDR) agents on them. The Google Threat Intelligence and Mandiant teams make the following recommendations to better protect such devices:

- Upgrade Juniper devices to the latest images, which contain mitigations and updated signatures for the Juniper Malware Removal Tool (JMRT), and run the JMRT Quick Scan and Integrity Check after the upgrade.
- Implement a centralized identity and access management (IAM) system with robust multifactor authentication (MFA) and granular role-based access control (RBAC) for managing network devices.
- Implement network configuration management that supports configuration validation against defined templates and standards, with the ability to automatically remediate deviations or trigger alerts for manual intervention.
- Address and prioritize high-risk administrative activities and implement monitoring solutions, with a process to regularly review the effectiveness of detection.
- Prioritize patching and mitigation of vulnerabilities in network devices, including those running lesser-known operating systems.
- Implement a device lifecycle management program that includes proactive monitoring, automated software updates and end-of-life (EOL) replacement planning, so that network devices are always supported and secure.
- Strengthen the security posture of network devices, administrative devices and the systems used to manage network devices by implementing strict access controls, network segmentation and other security measures.
- Proactively leverage threat intelligence to continually evaluate and improve the effectiveness of security controls against emerging threats.
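The configuration-validation and RBAC recommendations above are the kind of check a practitioner can script directly against a device's `show configuration | display set` output. The Python below is an added example, not code from the article, from Mandiant or from Juniper: it validates a constructed Junos set-style configuration against a small template of required and forbidden statements (centralized RADIUS authentication order, remote syslog, no telnet or FTP, no root SSH login) and flags local accounts holding class super-user beyond an assumed break-glass account. The template, the account policy and the device configuration are assumptions for illustration; adapt them to your own standard.

```python
"""Added example: validate a Junos 'set'-style configuration against a template
of required and forbidden statements plus a local super-user policy, the kind
of check a configuration-management system would run before alerting or
remediating. Template, policy and device configuration are constructed.
"""
import re
from typing import Dict, List

# Statements that must be present verbatim (assumed baseline).
REQUIRED = [
    "set system authentication-order radius",
    "set system services ssh root-login deny",
    "set system syslog host 10.0.0.7 any any",
]
# Statement prefixes that must not appear anywhere in the configuration.
FORBIDDEN_PREFIXES = [
    "set system services telnet",
    "set system services ftp",
    "set system services ssh root-login allow",
]
# Local accounts allowed to hold class super-user (break-glass only; assumption).
ALLOWED_SUPERUSERS = {"breakglass"}

# Constructed device configuration as shown by 'show configuration | display set'.
DEVICE_CONFIG = """\
set system host-name mx-edge-1
set system authentication-order password
set system services ssh root-login allow
set system services telnet
set system syslog host 10.0.0.7 any any
set system login user breakglass class super-user
set system login user ops class super-user
set system login user noc class read-only
"""


def validate_config(config: str) -> Dict[str, List[str]]:
    """Return missing required statements, forbidden statements found, and
    local super-user accounts outside the allowed set (all empty when compliant)."""
    lines = [line.strip() for line in config.splitlines() if line.strip()]
    present = set(lines)
    report: Dict[str, List[str]] = {
        "missing": [r for r in REQUIRED if r not in present],
        "forbidden": [line for line in lines
                      if any(line.startswith(p) for p in FORBIDDEN_PREFIXES)],
        "unexpected_superusers": [],
    }
    for line in lines:
        m = re.match(r"set system login user (\S+) class super-user$", line)
        if m and m.group(1) not in ALLOWED_SUPERUSERS:
            report["unexpected_superusers"].append(m.group(1))
    return report


def is_compliant(config: str) -> bool:
    """True only when every category of the report is empty."""
    return not any(validate_config(config).values())


if __name__ == "__main__":
    for kind, items in validate_config(DEVICE_CONFIG).items():
        for item in items:
            print(f"[{kind}] {item}")
    print("compliant:", is_compliant(DEVICE_CONFIG))
```

Exact-line matching is deliberate: a template check that accepted "close enough" statements would miss the difference between `authentication-order radius` and `authentication-order password`, which is precisely the distinction that keeps local credential reuse from granting access.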

First seen on csoonline.com

Jump to article: www.csoonline.com/article/3844122/chinese-cyberespionage-group-deploys-custom-backdoors-on-juniper-routers.html
