
Hackers in the wild attempt to exploit the Juniper Backdoor

A honeypot set up by researchers at the SANS Institute has shown that hackers have already attempted to exploit the Juniper backdoor.

Shortly after Juniper posted the advisory about the presence of unauthorized code in the OS of some of its firewalls, HD Moore, the developer of Rapid7's Metasploit Framework, revealed that approximately 26,000 NetScreen devices are connected to the Internet with SSH open.

“Shortly after Juniper posted the advisory, an employee of Fox-IT stated that they were able to identify the backdoor password in six hours. A quick Shodan search identified approximately 26,000 internet-facing Netscreen devices with SSH open. Given the severity of this issue, we decided to investigate,” he wrote in a blog post.

Ronald Prins, founder and CTO of the security firm Fox-IT, explained that by reverse engineering the patch released by Juniper, its experts were able to identify the backdoor master password (“<<< %s(un=’%s’) = %u,“).

“Once you know there is a backdoor there, … the patch [Juniper released] gives away where to look for [the backdoor] … which you can use to log into every [Juniper] device using the Screen OS software,” Prins told WIRED. “We are now capable of logging into all vulnerable firewalls in the same way as the actors [who installed the backdoor].”

Fox-IT has also released Snort rules that sysadmins can use to detect unauthorized access to Juniper devices through the backdoor.

News of the day is that a honeypot set up by researchers at the SANS Technology Institute’s Internet Storm Center (ISC) has recorded attacks attempting to exploit the recently disclosed vulnerability in the Juniper firewalls. Recall that exploitation of the flaw allows attackers to gain administrative access to the network devices.

“Since our initial announcement we’ve learned that the number of versions of ScreenOS affected by each of the issues is more limited than originally believed. Administrative Access (CVE-2015-7755) only affects ScreenOS 6.3.0r17 through 6.3.0r20. VPN Decryption (CVE-2015-7756) only affects ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20,” Juniper reported, inviting administrators to apply the security updates as soon as possible.

The two vulnerabilities can be respectively exploited to remotely gain administrative access to a device via telnet or SSH (CVE-2015-7755) and to decrypt VPN traffic (CVE-2015-7756).

Researchers at the SANS Technology Institute deployed a honeypot that emulates Juniper devices running ScreenOS in order to attract threat actors in the wild. They revealed that attackers have been using the recently disclosed backdoor password in attempts to access the honeypot via SSH.

“Our honeypot doesn’t emulate ScreenOS beyond the login banner, so we do not know what the attackers are up to, but some of the attacks appear to be ‘manual’ in that we do see the attacker trying different commands,” said Johannes Ullrich from the SANS Technology Institute.

The experts observed dozens of exploit attempts, most of which used the usernames “root” and “admin.” Below is the complete list of usernames tried by the attackers:

+---------------+----------+
| username      | count(*) |
+---------------+----------+
| root          |       29 |
| admin         |       18 |
| netscreen     |        8 |
| login         |        8 |
| administrator |        5 |
| test          |        4 |
| system        |        2 |
| bob           |        1 |
| sdes          |        1 |
| sqzeds        |        1 |
| sqzds         |        1 |
+---------------+----------+

The researchers also collected the source IP addresses used by the attackers; a single IP, 83.82.244.85, accounted for 24 of the attempts.

Altogether, 78 attempts were observed in about 5 hours. One of the IPs belongs to the security firm Qualys, so the attempts from that source are presumably the result of research activity.

+-----------------+----------+
| ip              | count(*) |
+-----------------+----------+
| 83.82.244.85    |       24 |
| 84.104.21.148   |        8 |
| 176.10.99.201   |        7 |
| 88.169.13.26    |        7 |
| 76.18.66.48     |        5 |
| 64.39.109.5     |        4 |<- Qualys (probably "research")
| 198.50.145.72   |        4 |
| 2.239.22.90     |        4 |
| 86.195.19.248   |        4 |
| 80.123.56.190   |        3 |
| 64.39.108.99    |        2 |
| 79.120.10.98    |        2 |
| 62.42.12.8      |        1 |
| 192.99.168.52   |        1 |
| 94.210.22.151   |        1 |
| 174.114.144.109 |        1 |
+-----------------+----------+

After the disclosure of the unauthorized code in the Juniper network appliances, networking giant Cisco decided to assess its own products for the presence of malicious code.

“Although our normal practices should detect unauthorized software, we recognize that no process can eliminate all risk,” Cisco’s Anthony Grieco said. “Our additional review includes penetration testing and code reviews by engineers with deep networking and cryptography experience.”

Pierluigi Paganini

(Security Affairs –Juniper network devices, backdoor)
