Juniper Networks has warned customers of Mirai malware attacks scanning the Internet for Session Smart routers using default credentials.
As the networking infrastructure company explained, the malware scans for devices with default login credentials and executes commands remotely after gaining access, enabling a wide range of malicious actions.
The campaign was first observed on December 11, when the first infected routers were found on customers' networks. Later, the operators of this Mirai-based botnet used the compromised devices to launch distributed denial-of-service (DDoS) attacks.
“On Wednesday, December 11, 2024, several customers reported suspicious behavior on their Session Smart Network (SSN) platforms,” says a security advisory published this Tuesday.
“Any customer not following recommended best practices and still using default passwords can be considered compromised as the default SSR passwords have been added to the virus database.”
Juniper also shared indicators of compromise that admins should look for on their networks and devices to detect potential Mirai malware activity, including:
- scans for devices on common Layer 4 ports (e.g., 23, 2323, 80, 8080),
- failed login attempts on SSH services indicative of brute-force attacks,
- sudden spikes in outbound traffic volume hinting at devices being co-opted into DDoS attacks,
- devices rebooting or behaving erratically, suggesting they have been compromised,
- SSH connections from known malicious IP addresses.
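As an added illustration of how the first two indicators above can be checked against logs (this is example code written for this article, not Juniper's tooling), the script below parses constructed, simplified flow and sshd log lines and flags sources that touch several of the listed Mirai scan ports or rack up repeated failed SSH logins. The log format, IP addresses and thresholds are assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Layer 4 ports the advisory lists as commonly scanned by Mirai
MIRAI_SCAN_PORTS = {23, 2323, 80, 8080}

# Constructed sample log lines (not from any real device): a simplified
# flow log plus sshd auth log entries, for demonstration only.
SAMPLE_LOGS = """\
2024-12-11T10:00:01 flow src=203.0.113.10 dst=198.51.100.5 dport=23 proto=tcp
2024-12-11T10:00:01 flow src=203.0.113.10 dst=198.51.100.5 dport=2323 proto=tcp
2024-12-11T10:00:02 flow src=203.0.113.10 dst=198.51.100.5 dport=8080 proto=tcp
2024-12-11T10:00:03 flow src=192.0.2.7 dst=198.51.100.5 dport=443 proto=tcp
2024-12-11T10:01:00 sshd[1201]: Failed password for admin from 203.0.113.10 port 51000 ssh2
2024-12-11T10:01:01 sshd[1201]: Failed password for root from 203.0.113.10 port 51001 ssh2
2024-12-11T10:01:02 sshd[1201]: Failed password for admin from 203.0.113.10 port 51002 ssh2
2024-12-11T10:01:03 sshd[1201]: Failed password for admin from 203.0.113.10 port 51003 ssh2
2024-12-11T10:01:04 sshd[1201]: Failed password for admin from 203.0.113.10 port 51004 ssh2
2024-12-11T10:02:00 sshd[1202]: Accepted password for admin from 192.0.2.7 port 52000 ssh2
"""

FLOW_RE = re.compile(r"flow src=(\S+) dst=\S+ dport=(\d+)")
SSH_FAIL_RE = re.compile(r"sshd\[\d+\]: Failed password for \S+ from (\S+)")

def find_indicators(log_text, min_ports=2, min_failures=5):
    """Return {src_ip: [reasons]} for sources matching the advisory's IoCs:
    touching several Mirai-scanned ports, or repeated failed SSH logins."""
    ports_by_src = defaultdict(set)   # src -> set of scanned Mirai ports
    fails_by_src = defaultdict(int)   # src -> count of failed SSH logins
    for line in log_text.splitlines():
        m = FLOW_RE.search(line)
        if m and int(m.group(2)) in MIRAI_SCAN_PORTS:
            ports_by_src[m.group(1)].add(int(m.group(2)))
            continue
        m = SSH_FAIL_RE.search(line)
        if m:
            fails_by_src[m.group(1)] += 1
    findings = defaultdict(list)
    for src, ports in ports_by_src.items():
        if len(ports) >= min_ports:
            findings[src].append(f"scanned Mirai ports {sorted(ports)}")
    for src, n in fails_by_src.items():
        if n >= min_failures:
            findings[src].append(f"{n} failed SSH logins (brute force)")
    return dict(findings)

if __name__ == "__main__":
    for src, reasons in find_indicators(SAMPLE_LOGS).items():
        print(src, "->", "; ".join(reasons))
```

The thresholds are deliberately conservative so a single hit on port 80 does not raise an alert; tune them to the traffic your own edge normally sees.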
The company advised customers to immediately ensure their devices follow the recommended username and password policies, including changing the default credentials on all Session Smart routers and using unique, strong passwords across all devices.
Admins are also advised to keep firmware updated, review access logs for anomalies, set up alerts that are automatically triggered when suspicious activity is detected, deploy intrusion detection systems to monitor network activity, and use firewalls to block unauthorized access to Internet-exposed devices.
Juniper also warned that routers already infected in these attacks must be reimaged before being brought back online.
“If a system is found to be infected, the only certain way of stopping the threat is by reimaging the system as it cannot be determined exactly what might have been changed or obtained from the device,” Juniper said.
Last year, in August, the ShadowServer threat monitoring service warned of ongoing attacks targeting a critical remote code execution exploit chain impacting Juniper EX switches and SRX firewalls using a watchTowr Labs proof-of-concept (PoC) exploit.
Since then, Juniper has also warned of a critical RCE bug in its firewalls and switches in January and released an out-of-cycle patch for a maximum-severity authentication bypass flaw in its Session Smart Router (SSR), Session Smart Conductor, and WAN Assurance Router products.
Update December 20, 03:17 EST: Revised article and title to describe the attacks as scanning activity.