
The Chinese cyber group UNC3886 has compromised legacy Juniper Networks MX routers by planting stealthy backdoors. According to Mandiant, the attackers deploy both active and passive backdoors, disable logging mechanisms, and maintain persistent access within victims' networks.
UNC3886 has been active since 2022, primarily targeting network infrastructure and virtualization technologies, with a particular focus on defense, technology, and telecommunications firms across the United States and Asia. Perimeter network devices typically lack robust monitoring, which allows the attackers to operate undetected.
The latest wave of attacks uses TinyShell-based backdoors that let the operators upload and download files, intercept network traffic, inject code into Junos OS processes, and execute arbitrary commands. The attackers circumvent Junos OS Verified Exec protections by using stolen credentials to insert malicious code into already-running system processes.
The primary objective of these attacks is to disable logging before the attacker's operator connects to the device and to restore it once the session is complete, so that the intrusion leaves as little trace as possible in the device's own logs. In addition to the backdoors, UNC3886 employs the Reptile and Medusa rootkits, as well as specialized tools such as PITHOOK (for stealing SSH credentials) and GHOSTTOWN (for erasing attack traces).
Security experts recommend upgrading Juniper MX devices to the latest firmware versions and running the Juniper Malware Removal Tool (JMRT). Stronger monitoring of network-device activity and anomaly detection solutions are also crucial for mitigating similar threats in the future.
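As an added example (not from the article, from Mandiant, or from Juniper), the following Python scans syslog-style lines for the log-tampering pattern described above: logging explicitly disabled and later re-enabled around a session, or a silent gap in an otherwise steady log stream where a backdoor killed logging without announcing it. The line format, the marker strings, the host name and the sample log lines are all constructed assumptions; a real deployment would map the markers to the device's own logging-configuration messages and run the check against logs forwarded to a remote collector, since a backdoor that disables local logging cannot erase what has already left the box.

```python
"""
Added example: detect "logging disabled, then restored" windows and
unexplained silent gaps in a device log stream.

Assumptions (hypothetical, not Junos-specific):
- Each line looks like "<ISO timestamp> <host> <process>: <message>".
- DISABLE_MARKERS / ENABLE_MARKERS are placeholder phrases that a real
  deployment would replace with the device's actual message text.
- SAMPLE_LOG is constructed sample data, not real router output.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")

# Placeholder marker phrases (assumption; adjust to the real log dialect).
DISABLE_MARKERS = ("logging disabled", "syslog stopped")
ENABLE_MARKERS = ("logging enabled", "syslog started")

# Constructed sample: a routing daemon heartbeat every 10 minutes, one session
# that explicitly toggles logging, and one session followed by silent log loss.
SAMPLE_LOG = """\
2024-03-01T09:50:00 edge-rtr-1 rpd: adjacency refresh ok
2024-03-01T10:00:05 edge-rtr-1 sshd: Accepted publickey for netops from 10.0.0.5 port 51122
2024-03-01T10:00:09 edge-rtr-1 syslogd: logging disabled by user 'netops'
2024-03-01T10:41:13 edge-rtr-1 syslogd: logging enabled by user 'netops'
2024-03-01T10:41:15 edge-rtr-1 sshd: Received disconnect from 10.0.0.5
2024-03-01T10:50:00 edge-rtr-1 rpd: adjacency refresh ok
2024-03-01T11:00:00 edge-rtr-1 rpd: adjacency refresh ok
2024-03-01T11:00:30 edge-rtr-1 sshd: Accepted password for admin from 198.51.100.7 port 40011
2024-03-01T11:58:00 edge-rtr-1 rpd: adjacency refresh ok
2024-03-01T12:08:00 edge-rtr-1 rpd: adjacency refresh ok
"""


def parse_log(text: str) -> List[Dict]:
    """Parse syslog-style lines into dicts with a datetime 'ts' field.
    Malformed lines are skipped so one bad record does not abort the scan."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def find_blind_windows(events: List[Dict],
                       max_gap: timedelta = timedelta(minutes=15)) -> List[Dict]:
    """Return windows in which the device log cannot be trusted.

    kind == "explicit_disable": a disable marker followed by an enable marker.
    kind == "silent_gap":       no log lines at all for longer than max_gap,
                                with no explicit disable message to explain it.
    kind == "disable_without_restore": logging disabled and never re-enabled.
    """
    findings: List[Dict] = []
    open_disable: Optional[Dict] = None
    prev: Optional[Dict] = None
    for ev in events:
        # Silent gap check uses the state *before* this event, so the gap
        # between an explicit disable and its matching enable is not double-counted.
        if prev is not None and open_disable is None and ev["ts"] - prev["ts"] > max_gap:
            findings.append({"kind": "silent_gap", "start": prev["ts"], "end": ev["ts"],
                             "duration": ev["ts"] - prev["ts"], "last_seen": prev["msg"]})
        msg = ev["msg"].lower()
        if any(k in msg for k in DISABLE_MARKERS):
            open_disable = ev
        elif open_disable is not None and any(k in msg for k in ENABLE_MARKERS):
            findings.append({"kind": "explicit_disable", "start": open_disable["ts"],
                             "end": ev["ts"], "duration": ev["ts"] - open_disable["ts"],
                             "trigger": open_disable["msg"]})
            open_disable = None
        prev = ev
    if open_disable is not None:
        findings.append({"kind": "disable_without_restore", "start": open_disable["ts"],
                         "end": None, "duration": None, "trigger": open_disable["msg"]})
    return findings


if __name__ == "__main__":
    for f in find_blind_windows(parse_log(SAMPLE_LOG)):
        print(f"{f['kind']:24} {f['start']} -> {f['end']}  ({f['duration']})")
```

Run stand-alone, the script reports the 41-minute explicit window bracketed by the netops session and the 57-minute silent gap that begins right after the password login from 198.51.100.7; the steady 10-minute heartbeats produce no findings. The gap threshold should be tuned to the device's normal log cadence, and a finding is a lead to correlate with the session that preceded it, not proof of compromise on its own.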