Unknown threat actor targeting Juniper routers with backdoor: Report

“If you are affected or compromised, then this becomes such a challenge,” he added. “First, it’s re-imaging or, in some cases, hardware replacement, depending on the depth of the infection. Most of the time, deleting and replacing the firmware from scratch is enough, but Juniper may be of more assistance. Secondarily, there is a J-Door infection on your router; how did it get there? If you are impacted, someone has executed scripts on your device,” he said.

“From what this write-up alludes to, it’s a theory from Lumen that seems to make sense. Someone typically can only execute scripts if you log in to your router or an unknown exploit exists,” he added. “I will assume that the more straightforward explanation that someone has logged in is the more likely assumption. Closing access to login prompts from the internet, rotating passwords, and enabling 2FA are all part of a standard practice. If you didn’t know you had this device in your network, look at an attack surface management tool.”

Ed Dubrovsky, chief operating officer at Cypfer, an incident response firm, noted so far this is “not a mass impact” event.

Still, he noted that threat actors are increasingly trying to compromise security devices because they are gaining power and control over access to digital assets.

“The majority of organizations are still dependent on vendor notifications or alerts, following standard processes such as change management to implement corrections and that results in a longer time to remediate,” he said. “A closer alignment between threat feeds and administration/operation function is advised.”

According to Lumen researchers, vulnerable routers are compromised by a variant of the open source cd00r backdoor, aimed at devices running UNIX, that has a passive agent looking for devices with five parameters. If the device has at least one of them, it sends back a “magic packet” to the attacker. The attacker then installs a reverse shell on the local file system so they can control the router, steal data, or deploy more malware.
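The mechanism described above, a passive agent that opens no listening port and instead waits for a trigger packet before the router itself calls out to the attacker, suggests a simple flow-correlation check. The following is an added example, not code from the article or from Lumen; the router address, the set of expected management ports, and the flow records are all constructed.

```python
# Added example: flag an inbound packet to a router port it does not serve
# that is followed, within a short window, by a router-initiated TCP flow
# back to the same external host (the reverse-shell pattern described above).
# All addresses and flow records below are constructed, not real telemetry.
from dataclasses import dataclass


@dataclass
class Flow:
    ts: float      # seconds since epoch (constructed)
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


ROUTER = "192.0.2.1"        # hypothetical router management address
MGMT_PORTS = {22, 830}      # services the router is expected to serve (assumption)


def find_triggered_reverse_shells(flows, window=60.0):
    """Return (trigger, callback) pairs.

    trigger : inbound flow to ROUTER on a port outside MGMT_PORTS
    callback: TCP flow initiated by ROUTER to trigger.src within `window` s
    """
    flows = sorted(flows, key=lambda f: f.ts)
    hits = []
    for i, f in enumerate(flows):
        if f.dst != ROUTER or f.dport in MGMT_PORTS:
            continue                      # not to the router, or expected service traffic
        for g in flows[i + 1:]:
            if g.ts - f.ts > window:
                break                     # sorted by time, so nothing later can match
            if g.proto == "tcp" and g.src == ROUTER and g.dst == f.src:
                hits.append((f, g))       # router called back the sender: suspicious
                break
    return hits


SAMPLE_FLOWS = [  # constructed sample records
    Flow(1000.0, "198.51.100.7", 40000, ROUTER, 22, "tcp"),   # normal admin SSH
    Flow(1010.0, "203.0.113.9", 51234, ROUTER, 8080, "tcp"),  # unsolicited packet
    Flow(1012.5, ROUTER, 43210, "203.0.113.9", 443, "tcp"),   # router calls the sender back
    Flow(1500.0, "203.0.113.50", 3333, ROUTER, 9999, "udp"),  # scan noise, no callback
]

if __name__ == "__main__":
    for trig, cb in find_triggered_reverse_shells(SAMPLE_FLOWS):
        print(f"trigger from {trig.src}:{trig.sport} -> callback to {cb.dst}:{cb.dport}")
```

The check is a heuristic: a router legitimately initiating outbound TCP to a host that just probed it is rare enough that each hit is worth an analyst's look, but it is not proof of infection.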
