- Mandiant researchers observed a new hacking campaign aimed at Juniper Networks routers
- They attributed it to a Chinese actor targeting telecommunications, defense and technology companies
- Users are urged to update and scan their devices
Chinese hackers are attacking Juniper Networks routers with different variants of backdoor malware, in an attempt to access defense, technology and telecommunications organizations in the US and Asia.
The Google cybersecurity team, Mandiant, published an in-depth analysis of the group today. According to the report, the researchers first saw the malicious activity in mid-2024 and attributed it to the China-nexus espionage group UNC3886.
TechRadar Pro has reported on this threat actor on numerous occasions in the past, when it was observed targeting VMware, Ivanti VPN and other products with backdoors and malware.
Six malware samples
Mandiant says that the attackers infiltrated devices running Junos OS by getting around Veriexec (Verified Exec), the device's kernel-based file integrity subsystem that protects the operating system from unauthorized code such as binaries, libraries and scripts.
“Execution of untrusted code is still possible if it occurs within the context of a trusted process,” the researchers explained. “Mandiant’s investigation revealed that UNC3886 was able to avoid this protection by injecting malicious code into the memory of a legitimate process.”
UNC3886 targeted its victims with six different malware samples, all of which are variants of the TinyShell backdoor with unique capabilities. While they all share the same core backdoor functionality, they differ in their activation methods and in various features specific to the operating system.
Mandiant says that the attackers “continue to show a deep understanding of the underlying technology” of the appliances they target, and recommended that users update their Juniper devices to the latest images. These include mitigations and updated signatures for the Juniper Malware Removal Tool (JMRT), which must be run after the update to scan the integrity of the endpoints.
“At the time of writing, Mandiant has not identified any technical overlap between the activities detailed in this blog post and those publicly reported by other parties as Volt Typhoon or Salt Typhoon,” Mandiant added, suggesting that Salt Typhoon, Volt Typhoon and UNC3886 are different entities (but possibly working under the same umbrella).