In a recent cyber attack campaign dubbed “J-magic,” dozens of organizations fell victim to router malware that used a packet-sniffing technique to go undetected. Rather than the more widely deployed Cisco routers, the targets of this campaign were Juniper-brand routers located at the edge of high-value networks. The malware, named “cd00r,” is a variant of a backdoor that has been around for over 25 years. It remains dormant until it receives an activation phrase, also known as a “magic packet,” which then allows attackers to gain access to a reverse shell. From there, they can steal data, manipulate configurations, and infect more devices within the network.
According to Danny Adamitis, a principal information security engineer with Black Lotus Labs, there has been a focus on small office/home office devices, but attackers are equally active in the enterprise space. The lack of endpoint detection and response (EDR) on these devices, combined with their positioning in front of firewalls and absence of tools like Sysmon, makes it challenging to detect such attacks.
The hackers targeted Juniper routers configured as virtual private network (VPN) gateways and those with exposed Network Configuration Protocol (NETCONF) ports. These exposures allowed the attackers to gain access to the routers, which served as entry points into larger networks. By installing the cd00r malware on these devices, the attackers could monitor incoming TCP traffic and activate the malware with specific packets, establishing a reverse shell connection to their IP address.
One of the reasons this malware is difficult to detect is that it circumvents traditional methods of identifying edge malware. Unlike typical infections that emit consistent signals, cd00r remains hidden until triggered, making it challenging for defenders to spot abnormal behavior.
After receiving the magic packet and establishing a reverse shell connection, the attackers must pass a challenge to confirm their identity. This additional layer of security ensures that only the intended attacker gains control over the infected device, enabling them to steal data, deploy further malware, and maintain control.
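The trigger-then-callback sequence described above gives defenders one observable to hunt for: an edge router that opens an outbound TCP session to a host that had just sent it an unsolicited packet. The following is an added example (not code from the original article or from Black Lotus Labs) that correlates constructed flow records for a hypothetical router to surface that pattern; the router address, the management-host allowlist, the window length and the sample flows are all assumptions.

```python
ROUTER = "192.0.2.1"               # hypothetical edge router (RFC 5737 documentation range)
TRIGGER_WINDOW = 60                # seconds: inbound packet followed by a router-originated session
MANAGEMENT_HOSTS = {"192.0.2.10"}  # hypothetical hosts expected to talk to the router both ways

# Constructed flow records, not from the original page.
# (timestamp_s, src_ip, dst_ip, dst_port, initiator): initiator is the side that sent
# the SYN, "peer" for sessions arriving at the router, "router" for sessions the
# router itself opened toward the peer.
SAMPLE_FLOWS = [
    (100, "192.0.2.10", ROUTER, 830, "peer"),      # NETCONF from the management host
    (130, ROUTER, "192.0.2.10", 514, "router"),    # router sending syslog back to it
    (200, "203.0.113.9", ROUTER, 22, "peer"),      # unsolicited packet from an unknown host
    (215, ROUTER, "203.0.113.9", 443, "router"),   # router dials that host back: suspicious
    (500, "198.51.100.3", ROUTER, 443, "peer"),    # inbound VPN connection attempt
    (900, ROUTER, "198.51.100.3", 443, "router"),  # outbound to the same peer, but well outside the window
]


def find_callback_pairs(flows, router=ROUTER, window=TRIGGER_WINDOW, allow=MANAGEMENT_HOSTS):
    """Return (trigger_ts, callback_ts, peer_ip, callback_port) for each case where the
    router opened a TCP session to a peer that had sent it a packet within `window`
    seconds. Edge routers rarely originate sessions to arbitrary external hosts, so
    this pairing is the magic-packet-then-reverse-shell shape worth a closer look."""
    last_inbound = {}  # peer_ip -> timestamp of the most recent inbound packet from it
    hits = []
    for ts, src, dst, port, initiator in sorted(flows):
        if initiator == "peer" and dst == router:
            last_inbound[src] = ts
        elif initiator == "router" and src == router and dst not in allow:
            seen = last_inbound.get(dst)
            if seen is not None and 0 <= ts - seen <= window:
                hits.append((seen, ts, dst, port))
    return hits


if __name__ == "__main__":
    for trigger, callback, peer, port in find_callback_pairs(SAMPLE_FLOWS):
        print(f"router called back {peer}:{port} at t={callback}, {callback - trigger}s after inbound packet")
```

In practice the records would come from NetFlow/IPFIX or a span port in front of the router, since the device itself offers no EDR-style telemetry.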
The J-magic infections were first detected in September 2023, with a surge in cases in the spring and summer of 2024. The malware spread to various countries, affecting organizations in different sectors such as construction, bioengineering, insurance, and IT services.
Despite being a 25-year-old program, cd00r remains effective in evading detection and carrying out malicious activities in edge networks. The lack of security measures on edge devices, compared to end-user workstations, creates a blind spot for attackers to exploit, using outdated malware to their advantage.
Adamitis emphasizes the need for increased visibility and security measures on enterprise-grade routers to prevent such attacks in the future. By addressing these vulnerabilities and enhancing detection capabilities on edge devices, organizations can better protect themselves against evolving cyber threats.