Juniper Routers Exploited by Custom Backdoor in J-magic Campaign
2025-01-24
Learn about the risks facing edge infrastructure and the opportunity to offer advanced security solutions for sectors like IT, energy, and manufacturing.
The J-magic campaign involves a custom backdoor exploiting a "magic packet" vulnerability in Juniper Networks routers running Junos OS. The malware, based on an old backdoor called cd00r, targets sectors like semiconductor, energy, manufacturing, and IT across multiple countries. The backdoor waits for specific packets to establish a reverse shell, allowing attackers to control devices, steal data, or deploy further payloads. The campaign highlights vulnerabilities in edge infrastructure, particularly routers lacking endpoint detection and response protections.
Malware, Shadow IT/Exposed Assets
Juniper Networks, magic packet, backdoor, J-magic campaign, Junos OS, cd00r, SEASPY, edge infrastructure
N/A
Juniper Networks routers, Junos OS, semiconductor industry, energy industry, manufacturing industry, information technology sector, Barracuda Email Security Gateway appliances
Custom Backdoor Targeting Juniper Routers
A campaign known as J-magic has emerged, targeting enterprise-grade Juniper Networks routers through a custom backdoor that exploits a "magic packet" vulnerability. This campaign is significant as it specifically targets Junos OS, a variant of FreeBSD used by these routers.

How the Attack Works
The backdoor continuously monitors TCP traffic for a "magic packet" sent by the attacker. Once the packet is detected, the malware initiates a reverse shell, granting the attacker control over the device. This allows the attacker to steal data or deploy additional malicious payloads.

Affected Industries and Regions
The attack has primarily targeted the semiconductor, energy, manufacturing, and IT sectors. Affected regions include Europe, Asia, and South America, with specific reports from countries such as Argentina, Armenia, Brazil, Chile, Colombia, Indonesia, the Netherlands, Norway, Peru, the U.K., the U.S., and Venezuela.

Technical Details
The backdoor used in this campaign is a variant of the cd00r backdoor, which has been publicly available for nearly 25 years. The malware requires five pre-defined parameters to activate. After receiving the magic packet, it sends a secondary challenge to establish a reverse shell to the specified IP address and port.

Connection to Previous Campaigns
A similar variant of the cd00r backdoor, known as SEASPY, was previously used in a campaign targeting Barracuda Email Security Gateway appliances in late 2022. This suggests a potential link or evolution in the attack methods targeting network infrastructure.

Targeted Network Configurations
The campaign has mainly impacted Juniper routers acting as VPN gateways, with a smaller cluster of devices exposing the NETCONF port. These devices are attractive targets due to their role in automating router configuration and management.

Implications for Security
This campaign highlights the vulnerabilities in edge infrastructure devices, such as routers, which often lack endpoint detection and response (EDR) protections. These devices' long uptime makes them particularly susceptible to nation-state actors preparing for further attacks.
https://thehackernews.com/2025/01/custom-backdoor-exploiting-magic-packet.html?m=1