- Researchers from Mandiant observed a new hacking campaign targeting Juniper Networks routers
- They attributed it to a Chinese actor targeting telcos, defense and tech companies
- Users are encouraged to upgrade and scan their devices
Chinese hackers are targeting Juniper Networks routers with several variants of a back door malware in an attempt to gain access to defense, technology and telecommunications organizations in the US and Asia.
Google's cybersecurity team Mandiant published an in-depth analysis of the group earlier today. According to the report, the researchers first discovered the malicious activity in mid-2024 and attributed it to the China-nexus espionage group UNC3886.
TechRadar Pro has reported on this threat actor on several occasions in the past, when it was observed targeting VMware, Ivanti VPN and other products with back doors and malware.
Six malware samples
Mandiant says the attackers infiltrated Junos OS-based devices by bypassing Veriexec (Verified Exec), the kernel-based file integrity subsystem that protects the device from unauthorized code such as binaries, libraries and scripts.
“Performing non-trusted code is still possible if it occurs within the framework of a trusted process,” the researchers explained. “Mandiant’s study revealed that UNC3886 was able to bypass this protection by injecting malicious code into the memory of a legitimate process.”
UNC3886 targeted its victims with six different malware samples, all variants of the same small back door, each with unique capabilities. While all share the same core back door functionality, they differ in their activation methods and in OS-specific features.
Mandiant says the attackers “continue to show a deep understanding of the underlying technology” of the targeted appliances, and recommends that users upgrade their Juniper devices to the latest images. These include mitigations and updated signatures for the Juniper Malware Removal Tool (JMRT), which should be run after the upgrade to scan the integrity of the endpoints.
“At the time of writing, Mandiant has not identified any technical overlaps between activities described in this blog post, and those publicly reported by other parties such as Volt Typhoon or Salt Typhoon,” added Mandiant, suggesting that Salt Typhoon, Volt Typhoon and UNC3886 are distinct entities (though possibly operating under the same umbrella).