Mandiant’s mid-2024 investigation found that UNC3886, a China-nexus espionage group, had deployed custom backdoors on Juniper Networks’ Junos OS routers, with capabilities built to maintain long-term access while circumventing the platform’s security protections. Mandiant urges organizations to upgrade their Juniper devices to mitigate these vulnerabilities and recommends additional security measures.
Affected: Juniper Networks, defense organizations, technology organizations, telecommunication organizations
Key points:
- Mandiant discovered backdoors on Juniper Networks’ Junos OS routers attributed to UNC3886.
- The backdoors had custom capabilities, including disabling logging mechanisms.
- Mandiant recommends that organizations upgrade their Juniper routers to the latest software versions.
- Previous reports showed UNC3886’s focus on malware enabling persistent access to victim networks.
- Custom malware is designed to utilize legitimate credentials for lateral movement.
MITRE Techniques:
- T1059.001 – Command and Scripting Interpreter: PowerShell – Used to execute malicious commands on infected devices.
- T1068 – Exploitation for Client Execution – Leveraged zero-days to gain access to Junos OS.
- T1203 – Exploitation for Client Execution – Exploited vulnerabilities in Juniper devices.
- T1071.001 – Application Layer Protocol: Web Protocols – Communicated with C2 servers over web protocols.
- T1140 – Deobfuscate/Decode Files or Information – Used custom encoding to hide payloads.
- T1462 – Resource Hijacking – Leveraged routers’ resources for command and control.
Indicators of Compromise:
- [IP Address] 129.126.109.50
- [IP Address] 116.88.34.184
- [IP Address] 223.25.78.136
- [IP Address] 45.77.39.28
- [Filename] appid (MD5: 2c89a18944d3a895bd6432415546635e)
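One way a defender can sweep existing logs and suspect files against the indicators listed above, as an added example that is not part of the original summary or Mandiant's report: the IP addresses and the appid MD5 are taken from the list above, while the log lines and the log format are constructed for the example and do not represent real Junos OS output.

```python
import hashlib
import re
from typing import Iterable, List, Optional, Tuple

# Indicators published in the report summarized above
IOC_IPS = {"129.126.109.50", "116.88.34.184", "223.25.78.136", "45.77.39.28"}
IOC_MD5 = {"2c89a18944d3a895bd6432415546635e": "appid"}

# Matches dotted-quad IPv4 literals anywhere in a line
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def find_ioc_ips(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line_number, ip) for every listed IoC address seen in the given log lines."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for ip in IPV4_RE.findall(line):
            if ip in IOC_IPS:
                hits.append((number, ip))
    return hits


def check_md5(data: bytes) -> Optional[str]:
    """Return the IoC filename if the MD5 of data matches a published hash, else None."""
    return IOC_MD5.get(hashlib.md5(data).hexdigest())


# Constructed sample lines in a generic syslog style (not real device output)
SAMPLE_LOG = [
    "Mar 12 10:01:02 edge-rtr1 rpd[1234]: session to 10.0.0.5:443 established",
    "Mar 12 10:02:17 edge-rtr1 kernel: outbound TCP 192.0.2.10:51000 -> 129.126.109.50:443",
    "Mar 12 10:05:44 edge-rtr1 sshd[2210]: accepted login from 45.77.39.28",
    "Mar 12 10:06:01 edge-rtr1 mgd[2300]: commit completed by admin",
]

if __name__ == "__main__":
    for number, ip in find_ioc_ips(SAMPLE_LOG):
        print(f"line {number}: contact with listed IoC address {ip}")
    # A constructed file body; it will not match the published hash
    name = check_md5(b"constructed file contents")
    print("hash match:", name if name else "none")
```

The IP sweep flags lines 2 and 3 of the constructed log; the hash check is meant to be run over files collected from the device's filesystem, and any match should be treated as a trigger for the full investigation rather than a conclusion on its own.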
Full Story: https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-targets-juniper-routers/