Insights on the Recent Juniper Router Attacks
- brencronin
- Mar 13
- 6 min read
Sophisticated Threat Actors Targeting Network Infrastructure: UNC3886 and the Juniper Router Attacks
Advanced threat actors are increasingly targeting network infrastructure devices, particularly routers, due to their critical role in enterprise and ISP networks. These devices serve as the backbone of modern organizations, making them prime targets for espionage and cyberattacks.

Recently, the Chinese APT group UNC3886 has been identified targeting Juniper routers, as reported by both Google and Juniper Networks. Google dubbed the campaign "Ghost in the Router" (read their full report here), while Juniper labeled it the "RedPenguin Malware Incident" (see Juniper's analysis here).
Both reports provide in-depth technical details on how the malware operates. However, this article offers a high-level, easy-to-read overview of:
Why and how these network infrastructure devices are being targeted
Common exploit trends observed in these attacks
Mitigation and detection strategies beyond the standard "patch your devices" advice (regular patching, of course, remains essential)
Why and how network infrastructure devices are being targeted
To grasp how these router compromises work, it’s essential to understand several key concepts:
Control Plane vs. Data Plane
Routing Engine (RE)
JUNOS Kernel and FreeBSD (the underlying OS of Juniper routers)
Control Plane vs. Data Plane
Routers handle two distinct types of network traffic:
Data Plane – Responsible for forwarding actual data packets across the network.
Control Plane – Manages routing decisions, network configuration, and system operations.
Juniper’s Routing Engine (RE)
Juniper routers use a dedicated Routing Engine (RE) to handle control plane functions. The diagram below illustrates various Juniper MX router models involved in this compromise, with a detailed breakdown of an RE from one of the smaller MX routers.
Many MX routers also support redundant REs, ensuring failover capabilities. The REs are housed separately from the high-speed data-plane line cards, making them easy to identify.
The Role of JUNOS Kernel & FreeBSD
The Juniper Operating System (JUNOS), which runs the router's core functions, is built on FreeBSD, a Unix-like operating system known for its security and stability. FreeBSD underpins many products in this way without ever being visible to their users, which is why it is often described as "the software you use every day but have never heard of."

Another critical concept in router security is the stripped-down operating system that powers the device. Unlike a general-purpose OS, the Junos kernel and its FreeBSD userland are trimmed down: unnecessary services are disabled and only the processes required for router operation run. This makes the attack surface considerably smaller than that of a full server, but it also means that Endpoint Detection and Response (EDR) agents, which provide behavioral monitoring and advanced threat detection on servers and workstations, are typically not available for routers. Routers therefore lack many of the built-in protections that modern endpoints rely on.
One of the primary security controls available on these systems is Veriexec, a FreeBSD kernel feature that Junos uses to block the execution of unauthorized software. It maintains a fingerprint database covering the system's immutable files; when enforcement is on, the kernel checks a file's fingerprint before executing it, so only binaries with a verified fingerprint can run.
When an administrator is in the JUNOS command-line interface, they can also drop into the underlying FreeBSD shell with the start shell command. The command accepts a shell type, for example:
user@host> start shell csh
%

Since the shell does not verify the commands it is given, users can run arbitrary scripts, which are treated the same as interactively typed commands. Authentication and permissions control who can reach the shell, but once inside, command execution is unrestricted.
In this attack, the threat actors exploited CVE-2025-21590, a local vulnerability in Junos OS that lets an attacker who already has shell access execute arbitrary code. The CVSS 3.1 and 4.0 vector strings for this CVE both carry AV:L ("Attack Vector: Local"), meaning the attacker must already have some level of access to the device before the flaw can be exploited.

Common Exploit Trends Observed in These Attacks
Unauthorized Access Remains a Major Attack Vector
Poor access controls continue to be a key weakness exploited in these attacks. Threat actors often compromise an end-user system, gaining an easy path to network devices or jump hosts. These network devices frequently suffer from:
Weak authentication mechanisms, often relying on single-factor authentication.
Poor password management, with weak credentials, long-term password reuse, and limited enforcement of local password restrictions.
Lack of monitoring, making it difficult to detect unauthorized access.
Vulnerable identity providers, as many organizations use local TACACS+ or RADIUS authentication servers, which are often poorly patched due to the mistaken belief that their lack of internet access makes them secure.
Threat Actors Rapidly Erase Logs to Cover Their Tracks
Sophisticated attackers ensure minimal evidence is left behind by quickly clearing logs. One example is their use of the sed command to erase authentication records:
sed -i '' '/root/d' /var/log/auth
-i '' - Edits the file in place without creating a backup (the empty suffix is required by the BSD sed shipped with FreeBSD; GNU sed takes -i alone).
/root/d - Deletes all lines containing the word "root".
Target File - /var/log/auth, which stores authentication logs.
For example, these logs:
March 14 01:30:00 server sshd[1234]: Accepted password for root from 192.168.1.100
March 14 01:31:00 server sshd[1235]: Accepted password for user1 from 192.168.1.101
March 14 01:32:00 server sshd[1236]: Failed password for root from 192.168.1.100
would be reduced to:
March 14 01:31:00 server sshd[1235]: Accepted password for user1 from 192.168.1.101
Additional log files targeted by the Threat Actor for manipulation:
sed -i '' '/root/d' /var/log/interactive-commands
sed -i '' -e '/vi/d' -e '/set/d' -e '/gdb/d' -e '/mgd/d' /root/.history
sed -i '' '/root/d' /var/log/messages
sed -i '' '/root/d' /var/log/auth
By tampering with logs, attackers erase traces of their activities, making forensic investigation more challenging.
Attackers Utilize Berkeley Packet Filters (BPF) for Passive Listening
Threat actors leverage Berkeley Packet Filters (BPF) to create stealthy packet-sniffing backdoors. BPF allows malware running on the router to monitor traffic and trigger actions based on incoming network packets. In one observed case, the attacker used the following BPF filter:
icmp[4:2] == 0xaa56
This matches ICMP packets whose 16-bit identifier field (bytes 4 and 5 of the ICMP header) equals 0xaa56; in practice, a ping Echo Request crafted by the operator.
The implant then reads 16 bytes of the packet data and decodes them with a single-byte XOR key (0x86).
The decoded bytes are compared to a "magic string" (uSarguuS62bKRA0J).
Once detected, the malware can execute commands or open a backdoor, allowing attackers to maintain persistence and evade traditional detection methods.
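The trigger logic above, re-implemented as a detection check, is an added example and not code from the Google or Juniper reports or from the implant itself. It builds a few constructed ICMP Echo Request packets, applies the same test as the filter icmp[4:2] == 0xaa56, then XOR-decodes 16 payload bytes with 0x86 and compares them to the magic string. The assumption that those 16 bytes sit at the start of the ICMP payload is mine; the reports do not state the offset.

```python
"""Passive ICMP trigger check modelled on the UNC3886 BPF backdoor.

Added example, not code from Google, Juniper or the implant. The payload
offset of the 16 magic bytes is an assumption.
"""
import struct

TRIGGER_ID = 0xAA56            # value tested by the filter  icmp[4:2] == 0xaa56
XOR_KEY = 0x86                 # single-byte key applied to the 16 trigger bytes
MAGIC = b"uSarguuS62bKRA0J"    # 16-byte magic string from the report
ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP header and payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(ident: int, seq: int, payload: bytes) -> bytes:
    """Constructed ICMP Echo Request: type 8, code 0, identifier, sequence, payload."""
    hdr = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(hdr + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def bpf_match(icmp: bytes) -> bool:
    """Equivalent of icmp[4:2] == 0xaa56: the big-endian 16-bit word at offset 4."""
    return len(icmp) >= 6 and struct.unpack("!H", icmp[4:6])[0] == TRIGGER_ID


def is_trigger(icmp: bytes) -> bool:
    """Full implant check: filter hit, then XOR-decode 16 bytes and compare to MAGIC."""
    if not bpf_match(icmp):
        return False
    payload = icmp[8:]             # assumption: magic bytes start at the payload
    if len(payload) < 16:
        return False
    decoded = bytes(b ^ XOR_KEY for b in payload[:16])
    return decoded == MAGIC


def build_trigger_packet(seq: int = 1, extra: bytes = b"") -> bytes:
    """Constructed 'knock': what an operator's trigger packet looks like on the wire."""
    encoded = bytes(b ^ XOR_KEY for b in MAGIC)
    return build_echo(TRIGGER_ID, seq, encoded + extra)


def scan_packets(packets):
    """Return the indices of packets that would activate the backdoor."""
    return [i for i, p in enumerate(packets) if is_trigger(p)]


# Constructed sample traffic: an ordinary ping, a packet whose identifier happens
# to be 0xaa56 but carries the wrong payload, and a genuine trigger knock.
SAMPLE = [
    build_echo(0x1234, 1, b"abcdefghijklmnop"),
    build_echo(TRIGGER_ID, 1, b"\x00" * 16),
    build_trigger_packet(seq=7, extra=b"id"),
]

if __name__ == "__main__":
    for i, pkt in enumerate(SAMPLE):
        print(i, "filter hit" if bpf_match(pkt) else "no hit", "| trigger" if is_trigger(pkt) else "")
    print("trigger packets:", scan_packets(SAMPLE))
```

The filter expression itself can be handed straight to tcpdump for hunting on a span port or on the device: tcpdump -ni <interface> 'icmp[4:2] == 0xaa56'. Because Linux ping derives the identifier from the process ID, a benign packet with identifier 0xaa56 is possible (roughly 1 in 65,536), so the payload check is what separates a real trigger from a coincidental match; the second sample packet above shows that case.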
Threat Actors Use Operational Relay Box (ORB) Networks for Remote Access
Attackers rely on Operational Relay Box (ORB) networks to obfuscate their true location. ORBs consist of:
Exit/Staging Nodes: compromised IoT devices or short-lived virtual servers positioned near the target's geographic region. These relay traffic into victim networks and help the attacker blend in with legitimate local traffic.
Traversal Nodes and Relay Nodes: intermediate hops that covertly carry traffic between the Exit/Staging Nodes and the Adversary Controlled Operations Server (ACOS).
This setup makes it difficult to block malicious activity based on geolocation or known malicious IP addresses. Since these ORB nodes operate within the victim’s expected traffic region, they help adversaries evade detection. For a visual representation, Team Cymru’s article, "An Introduction to Operational Relay Box (ORB) Networks - Unpatched, Forgotten, and Obscured," provides a comprehensive breakdown of ORB operations.

Mitigation & detection strategies beyond the standard "patch your devices"
Controlling and monitoring access to router management interfaces is the most critical mitigation against these types of attacks. UNC3886 is notorious for targeting network and virtualization infrastructure, previously exploiting vulnerabilities in VMware (CVE-2022-22948, CVE-2023-20867) and Fortinet (CVE-2022-41328) while also abusing SSH access and deploying custom malware.
While patching remains crucial, the attackers already held privileged access to these devices before the vulnerability was exploited, and no patch for it existed at the time of the attack. This highlights the importance of strict access controls rather than reliance on patching alone.
To prevent unauthorized access:
Isolate the router control plane network from general traffic by placing its control plane on a dedicated management network.
Restrict access to this network via highly monitored jump servers that require multi-factor authentication (MFA).
Monitor internal traffic using Network Detection & Response (NDR) solutions like Zeek, with a focus on SSH traffic.
Log and analyze SSH access to detect anomalies and provide valuable forensic data in case of compromise.
The Importance of SSH Monitoring
Once attackers gain access, they erase logs to cover their tracks. Log tampering should be assumed, which makes independent telemetry sources such as NDR metadata essential for reconstructing events. SSH session monitoring provides insight into adversary behavior even when local logs have been wiped, and in a compromise it may be the only reliable source of truth for forensic analysis. Without it, investigators are left guessing when access occurred, what actions were taken, and how deep the intrusion went.
Here are some critical NDR monitoring points and detections specifically focused on securing network device management access:
Access from Non-Control Plane Systems - A threat actor attempting to reach a router management interface from a system outside the control plane network.
Lateral Movement to Control Plane Systems - A threat actor attempting to pivot into a control plane system.
Unauthorized Access via Control Plane Systems - A threat actor using a control plane system that is not an authorized jump host to reach a router management interface.

Some NDR systems also apply statistical analysis to encrypted SSH sessions (packet sizes and timing) to infer what is happening inside them. SSH inferences from NDR analysis can include:
Detecting SSH Scanning
Identifies internal or external hosts attempting to discover and access SSH enabled devices like routers.
Detects clients initiating SSH handshakes but disconnecting before authentication, a common reconnaissance tactic.
Identifying Port Forwarding & File Transfers
Flags SSH tunneling used to bypass security controls.
Detects file uploads/downloads between a client and server, which may indicate data exfiltration.
Identifying Interactive SSH Sessions & Keystroke Activity
Flags adversary-controlled sessions based on keystroke activity.
Analyzes command execution patterns, detecting anomalies such as:
Frequent command execution (indicative of scripted actions).
Long-duration sessions with minimal commands (suggesting persistence).
Allows whitelisting of legitimate administrators while flagging suspicious user behavior.
Detecting SSH Brute Force & Unauthorized Access Attempts
Identifies multiple failed login attempts from a single client, indicating brute-force activity.
Detects repeated authentication failures followed by a successful login, suggesting an attacker eventually found valid credentials.
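As an added example (not Zeek's, Corelight's, Google's or Juniper's code), the following Python runs the management-access monitoring points and the scanning, brute-force and success-after-failure inferences above over constructed Zeek ssh.log records in JSON format. The management network, router addresses, jump host and brute-force threshold are assumptions; the field names (uid, id.orig_h, id.resp_h, auth_success, auth_attempts) are standard Zeek ssh.log fields.

```python
"""Detection logic for SSH access to router management interfaces.

Added example over constructed Zeek ssh.log JSON records; not Zeek, Corelight,
Google or Juniper code. The addresses and threshold below are assumptions.
"""
import json
from collections import Counter, defaultdict

# Assumed environment: router REs sit on a dedicated control-plane management
# network and only the MFA-enforcing jump host may open SSH sessions to them.
MGMT_NET_PREFIX = "10.20."                 # control-plane management network
ROUTER_MGMT = {"10.20.0.1", "10.20.0.2"}   # router management addresses
JUMP_HOSTS = {"10.20.5.10"}                # sanctioned entry point into that network
BRUTE_FORCE_THRESHOLD = 3                  # failed logins from one client before alerting


def in_mgmt_net(ip: str) -> bool:
    return ip.startswith(MGMT_NET_PREFIX)


def analyze_ssh_log(lines: str):
    """Return findings as (rule, orig_h, resp_h, uid) tuples, in log order."""
    findings = []
    failures = defaultdict(int)   # failed authentications per client address
    for line in lines.splitlines():
        if not line.strip():
            continue
        r = json.loads(line)
        src, dst, uid = r["id.orig_h"], r["id.resp_h"], r["uid"]
        auth = r.get("auth_success")   # True, False, or absent when Zeek could not tell

        # Reconnaissance: handshake completed but the client never tried to authenticate.
        if auth is None and r.get("auth_attempts", 0) == 0:
            findings.append(("ssh-scan-handshake-only", src, dst, uid))

        # Management-plane access policy (the three monitoring points above).
        if dst in ROUTER_MGMT and src not in JUMP_HOSTS:
            rule = ("unauthorized-control-plane-host" if in_mgmt_net(src)
                    else "access-from-non-control-plane")
            findings.append((rule, src, dst, uid))
        elif in_mgmt_net(dst) and dst not in JUMP_HOSTS and not in_mgmt_net(src):
            findings.append(("lateral-movement-to-control-plane", src, dst, uid))

        # Credential guessing, and the success that eventually follows it.
        if auth is False:
            failures[src] += 1
            if failures[src] == BRUTE_FORCE_THRESHOLD:
                findings.append(("ssh-brute-force", src, dst, uid))
        elif auth is True and failures[src] >= BRUTE_FORCE_THRESHOLD:
            findings.append(("success-after-repeated-failures", src, dst, uid))
    return findings


def rule_counts(findings) -> Counter:
    """How often each rule fired, for a quick triage summary."""
    return Counter(rule for rule, *_ in findings)


# Constructed Zeek ssh.log records: a sanctioned jump-host session (C1), a workstation
# reaching a router directly (C2) and pivoting into a management host (C3), that host
# reaching a router (C4), a handshake-only probe (C5), and a guessing run that ends in
# a successful login (C6-C9).
SAMPLE_SSH_LOG = """
{"ts":1741911000.1,"uid":"C1","id.orig_h":"10.20.5.10","id.orig_p":50112,"id.resp_h":"10.20.0.1","id.resp_p":22,"auth_success":true,"auth_attempts":1,"client":"SSH-2.0-OpenSSH_9.6"}
{"ts":1741911060.2,"uid":"C2","id.orig_h":"192.168.1.50","id.orig_p":50113,"id.resp_h":"10.20.0.1","id.resp_p":22,"auth_success":true,"auth_attempts":1,"client":"SSH-2.0-OpenSSH_9.6"}
{"ts":1741911120.3,"uid":"C3","id.orig_h":"192.168.1.50","id.orig_p":50114,"id.resp_h":"10.20.7.3","id.resp_p":22,"auth_success":true,"auth_attempts":1,"client":"SSH-2.0-OpenSSH_9.6"}
{"ts":1741911180.4,"uid":"C4","id.orig_h":"10.20.7.3","id.orig_p":40001,"id.resp_h":"10.20.0.2","id.resp_p":22,"auth_success":true,"auth_attempts":1,"client":"SSH-2.0-OpenSSH_9.6"}
{"ts":1741911240.5,"uid":"C5","id.orig_h":"203.0.113.9","id.orig_p":33000,"id.resp_h":"10.20.0.1","id.resp_p":22,"auth_attempts":0,"client":"SSH-2.0-libssh_0.9.6"}
{"ts":1741911300.6,"uid":"C6","id.orig_h":"192.168.1.77","id.orig_p":51000,"id.resp_h":"10.20.0.2","id.resp_p":22,"auth_success":false,"auth_attempts":1,"client":"SSH-2.0-paramiko_3.4.0"}
{"ts":1741911301.7,"uid":"C7","id.orig_h":"192.168.1.77","id.orig_p":51001,"id.resp_h":"10.20.0.2","id.resp_p":22,"auth_success":false,"auth_attempts":1,"client":"SSH-2.0-paramiko_3.4.0"}
{"ts":1741911302.8,"uid":"C8","id.orig_h":"192.168.1.77","id.orig_p":51002,"id.resp_h":"10.20.0.2","id.resp_p":22,"auth_success":false,"auth_attempts":1,"client":"SSH-2.0-paramiko_3.4.0"}
{"ts":1741911303.9,"uid":"C9","id.orig_h":"192.168.1.77","id.orig_p":51003,"id.resp_h":"10.20.0.2","id.resp_p":22,"auth_success":true,"auth_attempts":1,"client":"SSH-2.0-paramiko_3.4.0"}
"""

if __name__ == "__main__":
    found = analyze_ssh_log(SAMPLE_SSH_LOG)
    for rule, src, dst, uid in found:
        print(f"{uid}: {rule} {src} -> {dst}")
    print(dict(rule_counts(found)))
```

Every session to a router from anything but the jump host is reported, so in the sample the guessing client from the user LAN raises an access-policy finding on each attempt in addition to the brute-force and success-after-failure inferences. That duplication is deliberate: the access-policy rule does not depend on authentication outcome, so it still fires when the attacker logs in correctly on the first try with stolen credentials, which is the case this actor's SSH abuse represents.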
References
Google: Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers
Juniper: 2025-03 Reference Advisory: The RedPenguin Malware Incident
Juniper: The RedPenguin Malware Incident - Writeup
Book on MX Router Architecture
Juniper: Veriexec
Juniper: 2025-03 Out-of-Cycle Security Bulletin: Junos OS: A local attacker with shell access can execute arbitrary code (CVE-2025-21590)
Juniper: start shell
TinyShell
Team Cymru: An Introduction to Operational Relay Box (ORB) Networks - Unpatched, Forgotten, and Obscured
TACACS+ vulnerabilities
Corelight: NDR SSH Inferences