Analysis Summary

Juniper Networks is alerting users to a malicious campaign that uses the Mirai botnet malware to target Session Smart Router (SSR) devices with default passwords. On December 11, 2024, some clients observed unusual activity on their Session Smart Network (SSN) platforms, prompting the business to issue the advisory.

The advisory reads, “These systems have been infected with the Mirai malware and were subsequently used as a DDoS attack source to other devices accessible by their network. The impacted systems were all using default passwords.”

Since its source code was disclosed in 2016, Mirai has given rise to several variations. The malware is capable of scanning for known vulnerabilities as well as default passwords to infect devices and recruit them into a botnet for mounting distributed denial-of-service (DDoS) assaults. It is advised that enterprises utilize firewalls to prevent unwanted access, update software, routinely audit access logs for indications of unusual behavior, and change passwords immediately to strong, one-of-a-kind ones (if they haven't previously).

Unusual port scanning, a high volume of outgoing traffic to unknown IP addresses, many SSH login attempts that suggest brute-force attacks, sudden reboots, and connections from known malicious IP addresses are some of the signs linked to Mirai attacks. Since it is impossible to pinpoint exactly what might have been altered or taken from the device, reimaging the system is the only surefire method of halting the threat if it is discovered to be compromised.

This comes after researchers disclosed that a DDoS malware family known as cShell, which was previously unknown, is targeting poorly maintained Linux servers, especially those with publicly accessible SSH services. The Go programming language was used to create cShell, which is distinguished by its ability to launch DDoS assaults by taking advantage of Linux utilities called screen and hping3.

Impact

• Denial of Service
• Unauthorized Access
• Website Downtime
• Operational Disruption

Remediation

• Regularly update firmware on all network devices, especially those identified as vulnerable.
• Implement strict access controls to limit the exposure of network device interfaces on the internet.
• Use advanced DDoS mitigation services and solutions that can handle high packet and bit rate attacks.
• Conduct frequent security audits and vulnerability assessments on network infrastructure.
• Employ network segmentation to isolate critical infrastructure and reduce the attack surface.
• Increase monitoring and detection capabilities to quickly identify and respond to unusual traffic patterns.
• Collaborate with device manufacturers to address and patch security vulnerabilities promptly.
• Educate and inform users and administrators about the importance of timely updates and secure configurations.
• Implement robust firewall and intrusion prevention systems to filter malicious traffic.
• Develop and maintain an incident response plan to handle DDoS attacks effectively and minimize downtime.