Juniper Networks has warned prospects of Mirai malware assaults concentrating on and infecting Session Good routers utilizing default credentials.
Because the networking infrastructure firm defined, the malware scans for gadgets with default login credentials and executes instructions remotely after gaining entry, enabling a variety of malicious actions.
The marketing campaign was first noticed on December 11, when the primary contaminated routers had been discovered on prospects’ networks. Later, the operators of this Mirai-based botnet used the compromised gadgets to launch distributed denial-of-service (DDoS) assaults.
“On Wednesday, December 11, 2024, several customers reported suspicious behavior on their Session Smart Network (SSN) platforms,” says a safety advisory revealed this Tuesday.
“Any customer not following recommended best practices and still using default passwords can be considered compromised as the default SSR passwords have been added to the virus database.”
Juniper additionally shared indicators of compromise admins ought to search for on their networks and gadgets to detect potential Mirai malware exercise, together with:
- scans for gadgets on frequent Layer 4 ports (e.g., 23, 2323, 80, 8080),
- failed login makes an attempt on SSH companies indicative of brute-force assaults,
- sudden spike in outbound site visitors quantity hinting at gadgets being co-opted in DDoS assaults,
- gadgets rebooting or behaving erratically, suggesting they have been compromised,
- SSH connections from identified malicious IP addresses.
The corporate suggested prospects to instantly guarantee their gadgets comply with advisable username and password insurance policies, together with altering the default credentials on all Session Good routers and utilizing distinctive and powerful passwords throughout all gadgets.
Admins are additionally advisable to maintain firmware up to date, evaluate entry logs for anomalies, set alerts robotically triggered when suspicious exercise is detected, deploy intrusion detection programs to watch community exercise, and use firewalls to dam unauthorized entry to Web-exposed gadgets.
Juniper additionally warned that routers already contaminated in these assaults have to be reimaged earlier than being introduced again on-line.
“If a system is found to be infected, the only certain way of stopping the threat is by reimaging the system as it cannot be determined exactly what might have been changed or obtained from the device,” Juniper mentioned.
Final 12 months, in August, the ShadowServer risk monitoring service warned of ongoing assaults concentrating on a crucial distant code execution exploit chain impacting Juniper EX switches and SRX firewalls utilizing a watchTowr Labs proof-of-concept (PoC) exploit.
Since then, Juniper additionally warned of a crucial RCE bug in its firewalls and switches in January and launched an out-of-cycle patch for a maximum-severity authentication bypass flaw in its Session Good Router (SSR), Session Good Conductor, and WAN Assurance Router merchandise.
