Threat actor UNC3886 has been observed targeting end-of-life (EOL) MX routers from Juniper Networks as part of a sophisticated campaign designed to deploy custom backdoors. This group has demonstrated a particular focus on internal networking infrastructure, which allows them to maintain persistence, evade detection, and exfiltrate sensitive data over extended periods. Continue reading this Cybersecurity Threat Advisory to learn how to prevent this attack.
What is the threat?
UNC3886 is exploiting EOL Juniper Networks MX routers to install custom backdoors. These devices no longer receive security updates, leaving them vulnerable. The lack of security monitoring on network perimeter devices lets attackers operate without detection.
Why is it noteworthy?
UNC3886 uses a modified version of the open-source TinyShell backdoor to access Juniper MX routers. The backdoors allow remote control, data theft, and movement within the network. The attackers tailor these backdoors specifically to Junos OS, making them hard to detect. They use legitimate tools and protocols to blend in with normal network traffic, and they bypass Junos OS's security features by injecting malicious code into trusted processes. The attackers communicate over encrypted channels, making their activity harder to spot.
What is the exposure or risk?
Organizations using EOL devices are at high risk, as these routers no longer receive security patches. UNC3886 can stay in the network for long periods, stealing sensitive data like trade secrets and government information. Attackers can use compromised routers to launch further attacks on other systems. Custom backdoors and the use of legitimate tools make it difficult for traditional security measures to detect the attacks.
What are the recommendations?
Barracuda recommends the following actions to prevent this attack from happening within your network:
- Immediately replace any end-of-life Juniper MX routers with supported devices that receive regular security updates.
- Deploy network monitoring tools to detect unusual traffic patterns or connections to known malicious IPs.
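As an added illustration of the second recommendation (not part of the original advisory or any vendor tool), the following Python sketch flags router-initiated connections that fall outside an assumed baseline of expected destinations or match a placeholder indicator list. The flow records, router address, allowlisted destinations, and indicator entry are all constructed; real deployments would feed it NetFlow/syslog data and an actual threat-intelligence feed.

```python
import ipaddress

# Constructed sample flow records: (src_ip, dst_ip, dst_port, bytes). Not real telemetry.
SAMPLE_FLOWS = [
    ("10.0.0.1", "10.0.5.20", 514, 1200),       # router -> internal syslog collector
    ("10.0.0.1", "10.0.5.21", 123, 96),         # router -> internal NTP server
    ("10.0.0.1", "203.0.113.77", 443, 48000),   # router -> unknown external host
    ("10.0.0.1", "198.51.100.9", 8080, 900),    # router -> address on indicator list
    ("10.0.7.33", "203.0.113.77", 443, 300),    # workstation, not a router: ignored
]

# Assumed inventory: management addresses of the routers being watched.
ROUTER_MGMT_IPS = {"10.0.0.1"}
# Assumed baseline: destinations a router is expected to contact on its own initiative.
EXPECTED_DESTINATIONS = {"10.0.5.20", "10.0.5.21"}
# Placeholder indicator list; populate from your own threat-intelligence feed.
KNOWN_BAD_IPS = {"198.51.100.9"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_internal(ip):
    """True if the address falls inside one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def flag_router_flows(flows, router_ips=ROUTER_MGMT_IPS,
                      expected=EXPECTED_DESTINATIONS, bad_ips=KNOWN_BAD_IPS):
    """Return (src, dst, port, reason) alerts for router-initiated flows outside the baseline.

    Routers rarely open connections on their own; anything beyond logging, NTP and
    similar services is worth a look, and a hit on the indicator list is escalated.
    """
    alerts = []
    for src, dst, port, _nbytes in flows:
        if src not in router_ips or dst in expected:
            continue
        if dst in bad_ips:
            alerts.append((src, dst, port, "destination on indicator list"))
        elif not is_internal(dst):
            alerts.append((src, dst, port, "router-initiated connection to external host"))
        else:
            alerts.append((src, dst, port, "router-initiated connection outside baseline"))
    return alerts


if __name__ == "__main__":
    for alert in flag_router_flows(SAMPLE_FLOWS):
        print("ALERT:", alert)
```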
Reference
For more in-depth information about the recommendations, please visit the following links:
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.