Custom Backdoors Discovered on Juniper Routers Activated by Magic Packets

Tue 28th Jan, 2025

Recent investigations by cybersecurity experts have revealed the existence of backdoors on Juniper routers, which are activated by specific signals known as Magic Packets. This discovery raises significant concerns regarding the security of these widely used networking devices.

The analysis, conducted by a team from Lumen's Black Lotus Labs, identified a campaign dubbed 'J-magic' that distributes these backdoors. Initial samples were detected in September 2023 in the VirusTotal malware database. However, the researchers were unable to trace the initial intrusion vector the attackers used to compromise the routers.

The J-magic backdoor is a variant of an open-source tool known as cd00r, originally released as a proof-of-concept on Packetstorm in 2000. Once the attackers had breached a router, they installed this backdoor, which remains dormant until it detects one of five predefined parameters in incoming traffic, i.e. a Magic Packet.

Upon recognising a Magic Packet, the backdoor responds with a second challenge. Only if this challenge is answered correctly does J-magic open a reverse shell on the router, granting the attackers full control over the compromised device. That access allows the theft of sensitive data and the deployment of additional malicious software.

Experts consider Juniper's enterprise routers particularly attractive targets, primarily because they often lack host-based monitoring tools. These devices are rebooted infrequently, so their long uptimes work in the attackers' favour: the malware runs entirely in memory and therefore leaves fewer traces than malware that embeds itself in the device's firmware, but it is also lost on reboot.

The routers, often deployed at the network edge or serving as VPN gateways, are attractive targets because their position gives attackers a foothold into the wider networks of an organisation. The campaign has been active since approximately mid-2023 and is believed to have continued into at least mid-2024. There are noted similarities to the earlier 'SeaSpy' backdoor, which targeted Barracuda Email Security Gateway appliances in 2023, as both were based on cd00r. However, the researchers lack sufficient data to definitively link the two campaigns.

For those interested in more detailed technical information regarding the backdoor, further insights can be found in Lumen's comprehensive analysis.

Juniper Networks addressed over 30 vulnerabilities in its device software last October, including critical flaws in the Junos OS router operating system. Some of these vulnerabilities could potentially have been exploited by attackers to plant the backdoors in question.
