Juniper Networks has issued a warning about an ongoing malicious campaign targeting Session Smart Router (SSR) appliances that still use their default passwords. The campaign uses Mirai malware, which enrolls these exposed devices into its botnet and then uses them to launch distributed denial-of-service (DDoS) attacks.
The advisory follows reports from several customers who noted unusual behavior on their Session Smart Network (SSN) platforms as of December 11, 2024. Investigations revealed that systems with default passwords had been compromised by Mirai malware and subsequently exploited to launch DDoS attacks against other network-accessible devices.
Mirai, whose source code was leaked in 2016, has spawned numerous variants that scan for known vulnerabilities and default credentials to compromise devices. Once infected, a device becomes part of a botnet that is remotely controlled to conduct massive DDoS attacks.
To avoid such dangers, Juniper Networks suggests the following best practices:
- Change Default Passwords: Replace every default password with a strong, unique one.
- Audit Access Logs: Regularly review access logs for any signs of suspicious activity.
- Implement Firewalls: Utilize firewalls to block unauthorized access attempts.
- Maintain Software Updates: Ensure all software is kept up-to-date to mitigate vulnerabilities.
Indicators of a Mirai infection may include unusual port scanning activities, frequent SSH login attempts suggestive of brute-force attacks, increased outbound traffic to unexpected IP addresses, random system reboots, and connections from known malicious IP addresses.
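As an added illustration of the SSH brute-force indicator above (this is not code from Juniper's advisory), the following Python sketch scans authentication log lines for bursts of failed logins from one source and notes when such a burst is followed by a successful login. It assumes standard OpenSSH syslog lines; the sample log, host name, addresses, threshold and window are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in standard OpenSSH syslog format (not from the advisory).
SAMPLE_LOG = """\
Dec 11 03:14:01 ssr1 sshd[2201]: Failed password for root from 203.0.113.45 port 51230 ssh2
Dec 11 03:14:03 ssr1 sshd[2202]: Failed password for invalid user admin from 203.0.113.45 port 51231 ssh2
Dec 11 03:14:05 ssr1 sshd[2203]: Failed password for root from 203.0.113.45 port 51232 ssh2
Dec 11 03:14:08 ssr1 sshd[2204]: Failed password for root from 203.0.113.45 port 51233 ssh2
Dec 11 03:14:10 ssr1 sshd[2205]: Accepted password for root from 203.0.113.45 port 51234 ssh2
Dec 11 09:30:00 ssr1 sshd[3100]: Failed password for ops from 198.51.100.7 port 40000 ssh2
Dec 11 09:30:20 ssr1 sshd[3101]: Accepted password for ops from 198.51.100.7 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def find_bruteforce(log_text, threshold=4, window=timedelta(minutes=1), year=2024):
    """Return {ip: {"failures": n, "compromised_user": user or None}} for every
    source with at least `threshold` failed logins inside `window`.
    Syslog timestamps carry no year, so `year` is supplied by the caller."""
    failures = defaultdict(list)   # ip -> timestamps of recent failed logins
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        # Keep only failures that still fall inside the sliding window.
        recent = [t for t in failures[ip] if ts - t <= window]
        if m["result"] == "Failed":
            recent.append(ts)
            failures[ip] = recent
            if len(recent) >= threshold:
                entry = findings.setdefault(ip, {"failures": 0, "compromised_user": None})
                entry["failures"] = max(entry["failures"], len(recent))
        elif ip in findings and recent:
            # A success right after a burst of failures: the guess likely worked.
            findings[ip]["compromised_user"] = m["user"]
    return findings

if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

A source that appears with a non-empty `compromised_user` warrants treating the device as potentially infected rather than merely probed.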
Where an infection has been confirmed, Juniper advises that the only proven way to ensure removal is to reimage the system, because it is difficult to determine exactly what was changed or what data may have been exfiltrated.
This development coincides with findings from the AhnLab Security Intelligence Center (ASEC), which reports that poorly managed Linux servers, especially those with publicly exposed SSH services, are being targeted by a new DDoS malware family named cShell. Written in Go, cShell abuses Linux tools such as ‘screen’ and ‘hping3’ to conduct DDoS attacks.
For organizations running Juniper SSR devices, changing passwords, auditing security thoroughly, and maintaining robust network defenses are immediate priorities for preventing compromise by botnets like Mirai.