Juniper Networks is warning that Session Smart Router (SSR) products with default passwords are being targeted as part of a malicious campaign that deploys the Mirai botnet malware.
The company said it is issuing the advisory after “several customers” reported anomalous behavior on their Session Smart Network (SSN) platforms on December 11, 2024.
“These systems have been infected with the Mirai malware and were subsequently used as a DDOS attack source to other devices accessible by their network,” it said. “The impacted systems were all using default passwords.”
Mirai, which had its source code leaked in 2016, has spawned several variants over the years. The malware is capable of scanning for known vulnerabilities as well as default credentials to infiltrate devices and enlist them into a botnet for mounting distributed denial-of-service (DDoS) attacks.
To mitigate such threats, organizations are recommended to change their passwords with immediate effect to strong, unique ones (if not already), periodically audit access logs for signs of suspicious activity, use firewalls to block unauthorized access, and keep software up-to-date.
Some of the indicators associated with Mirai attacks include unusual port scanning, frequent SSH login attempts indicating brute-force attacks, increased outbound traffic volume to unexpected IP addresses, random reboots, and connections from known malicious IP addresses.
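Added example (not from Juniper's advisory or the original article): one way to audit an access log for the brute-force indicator above, flagging source IPs with a burst of failed SSH password attempts and any successful login that follows the burst. The log lines are constructed in OpenSSH's syslog format; the function name, threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (documentation IP ranges), not real log data.
SAMPLE_LOG = """\
Dec 11 03:14:01 edge1 sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2
Dec 11 03:14:03 edge1 sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 40114 ssh2
Dec 11 03:14:05 edge1 sshd[813]: Failed password for root from 203.0.113.7 port 40116 ssh2
Dec 11 03:14:08 edge1 sshd[814]: Failed password for invalid user guest from 203.0.113.7 port 40118 ssh2
Dec 11 03:14:10 edge1 sshd[815]: Failed password for root from 203.0.113.7 port 40120 ssh2
Dec 11 03:14:12 edge1 sshd[816]: Accepted password for root from 203.0.113.7 port 40122 ssh2
Dec 11 09:30:00 edge1 sshd[900]: Failed password for ops from 198.51.100.20 port 51000 ssh2
Dec 11 09:30:20 edge1 sshd[901]: Accepted password for ops from 198.51.100.20 port 51002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def audit_ssh_log(text, threshold=5, window=timedelta(minutes=1), year=2024):
    """Return per-IP findings for sources that produced a burst of failures."""
    failures = defaultdict(list)   # ip -> timestamps of failed attempts
    report = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        entry = report.setdefault(
            m["ip"], {"failures": 0, "burst": False, "login_after_burst": []})
        if m["result"] == "Failed":
            failures[m["ip"]].append(ts)
            entry["failures"] += 1
            recent = [t for t in failures[m["ip"]] if ts - t <= window]
            if len(recent) >= threshold:
                entry["burst"] = True
        elif entry["burst"]:
            # A password login right after a burst is the case to triage first.
            entry["login_after_burst"].append(m["user"])
    return {ip: e for ip, e in report.items() if e["burst"]}

if __name__ == "__main__":
    for ip, finding in audit_ssh_log(SAMPLE_LOG).items():
        print(ip, finding)
```

A source that appears with a non-empty `login_after_burst` list guessed a working password, which is the situation the advisory ties to default credentials.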
“If a system is found to be infected, the only certain way of stopping the threat is by reimaging the system as it cannot be determined exactly what might have been changed or obtained from the device,” the company said.
The development comes as the AhnLab Security Intelligence Center (ASEC) revealed that poorly managed Linux servers, particularly publicly exposed SSH services, are being targeted by a previously undocumented DDoS malware family dubbed cShell.
“cShell is developed in the Go language and is characterized by exploiting Linux tools called screen and hping3 to perform DDoS attacks,” ASEC said.