Backdoor Infecting VPNs Used 'Magic Packets' For Stealth and Security (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: When threat actors use backdoor malware to gain access to a network, they want to make sure all their hard work can't be leveraged by competing groups or detected by defenders. One countermeasure is to equip the backdoor with a passive agent that remains dormant until it receives what's known in the business as a "magic packet." On Thursday, researchers revealed that a never-before-seen backdoor that quietly took hold of dozens of enterprise VPNs running Juniper Networks' Junos OS has been doing just that. J-Magic, the tracking name for the backdoor, goes one step further to prevent unauthorized access. After receiving a magic packet hidden in the normal flow of TCP traffic, it relays a challenge to the device that sent it. The challenge comes in the form of a string of text that's encrypted using the public portion of an RSA key. The initiating party must then respond with the corresponding plaintext, proving it has access to the secret key.
The lightweight backdoor is also notable because it resided only in memory, a trait that makes detection harder for defenders. The combination prompted researchers at Lumen Technologies' Black Lotus Labs to sit up and take notice. "While this is not the first discovery of magic packet malware, there have only been a handful of campaigns in recent years," the researchers wrote. "The combination of targeting Junos OS routers that serve as a VPN gateway and deploying a passive listening in-memory only agent, makes this an interesting confluence of tradecraft worthy of further observation." The researchers found J-Magic on VirusTotal and determined that it had run inside the networks of 36 organizations. They still don't know how the backdoor got installed.
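The summary describes a two-step gate: a trigger hidden in ordinary TCP traffic, followed by a challenge string encrypted to an RSA public key that only the holder of the matching private key can turn back into plaintext. The model below is an added example written for this page, not code from Ars Technica, Black Lotus Labs or the J-Magic sample; the trigger bytes, the key size and the textbook (unpadded) RSA are all constructed for illustration, since the page gives none of those details. What it shows a defender is why the design matters for analysis: anyone who captures the trigger and replays it still gets locked out at the challenge step, so a captured trigger alone tells you nothing about the operator, and the two-message exchange (one ciphertext out, one short plaintext back) is the observable artefact.

```python
"""Toy model of a magic-packet challenge/response gate (constructed example).

Textbook RSA with no padding is used only to keep the example self-contained;
real systems use a vetted library and OAEP padding.
"""
import random
import secrets

# Constructed trigger for the demo; the real trigger pattern is not on the page.
MAGIC = b"CONSTRUCTED-MAGIC-PLACEHOLDER"


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test (probabilistic, good enough for a demo)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    """Return a random probable prime with exactly `bits` bits."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 512):
    """Return ((n, e), (n, d)); 512 bits is toy-sized, chosen for speed."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


class ChallengeResponseGate:
    """Holds only the public key; issues a challenge when the trigger is seen."""

    def __init__(self, pubkey):
        self.pubkey = pubkey
        self.pending = None  # plaintext the other side must echo back

    def observe(self, tcp_payload: bytes):
        """Return an encrypted challenge if the payload carries the trigger, else None."""
        if MAGIC not in tcp_payload:
            return None
        self.pending = secrets.token_hex(16).encode()  # 32 ASCII bytes, far below n
        n, e = self.pubkey
        return pow(int.from_bytes(self.pending, "big"), e, n)

    def verify(self, response: bytes) -> bool:
        """Constant-time compare of the returned plaintext against the pending challenge."""
        ok = self.pending is not None and secrets.compare_digest(response, self.pending)
        self.pending = None  # one challenge, one attempt
        return ok


def answer_challenge(privkey, ciphertext: int) -> bytes:
    """Recover the challenge plaintext; only the private-key holder can do this."""
    n, d = privkey
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def run_demo():
    """Return (key_holder_passed, replay_without_key_passed)."""
    pub, priv = generate_keypair()
    gate = ChallengeResponseGate(pub)
    # Ordinary traffic never produces a challenge.
    assert gate.observe(b"GET / HTTP/1.1\r\nHost: example.invalid\r\n") is None
    # The key holder sends the trigger, decrypts the challenge, and passes.
    holder_ok = gate.verify(answer_challenge(priv, gate.observe(b"..." + MAGIC + b"...")))
    # Someone who merely captured and replayed the trigger, with some other key, fails.
    _, other_priv = generate_keypair()
    replay_ok = gate.verify(answer_challenge(other_priv, gate.observe(MAGIC)))
    return holder_ok, replay_ok


if __name__ == "__main__":
    print(run_demo())
```

The gate side never holds the private key, which is the point the summary makes: a defender or a rival who recovers the in-memory agent gets the public half only and cannot satisfy the challenge.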
They still don't know how the backdoor got installed (Score:4, Interesting)
> They still don't know how the backdoor got installed
This is kind of the kicker, and the bit of information we need to know. How clever it is really isn't much of a concern, other than to say this is obviously sophisticated - but I'd wonder how an attacker can craft the packets of a VPN as required here? Their means of utilisation is also something we'd like to know.
Re: (Score:2)
> > They still don't know how the backdoor got installed
> This is kind of the kicker, and the bit of information we need to know. How clever it is really isn't much of a concern, other than to say this is obviously sophisticated - but I'd wonder how an attacker can craft the packets of a VPN as required here? Their means of utilisation is also something we'd like to know.
I’m sure They would love to tell you, but perhaps They are still a bit pissed about Their own cyber toys being leaked?
(A planet has found itself eternal-ly grateful for previous leaks. By force. Think we can toss that tinfoil argument in the trash.)
Clarke's 3rd Law (Score:2)
"any sufficiently advanced technology is indistinguishable from magic"
Traitors with clearances (Score:2)
I bet the creators were none other than those who live around you with security clearances and get up everyday to go work against our interests.
Err, no? (Score:3)
> that quietly took hold of dozens of enterprise VPNs running Juniper Networks' Junos OS ...
> They still don't know how the backdoor got installed.
Hate to be the one to have to say this, but the devices were not "taken hold of" by the magic packet in question... the entity who sent the magic packet already had control of the box.
FreeBSD for the L (Score:2)
Junos OS (also known as Juniper Junos, Jun/os and JUNOS) is a FreeBSD-based network operating system used in Juniper Networks routing, switching and security devices.
Would appear that Junos security falls well short of Linux. No surprise as there are only a tiny fraction of the developers working on it, auditing it, pentesting it. Hey guys, time to junk that leaky stuff and get with modern times.
Re: (Score:2)
*before you get sued for negligence...
Re: (Score:2)
Same comment applies to applications running on the OS. In short, proprietary = insecure.
Redundancy (Score:2)
In today's landscape you can do arp-level redundancy and reboot your edge hardware regularly to clear out memory.
High uptimes were once a badge of honor rather than foolishness.