• Juniper VPN gateways targeted by stealthy "magic" malware

    From TechnologyDaily@1337:1/100 to All on Mon Jan 27 15:30:07 2025
    Juniper VPN gateways targeted by stealthy "magic" malware

    Date:
    Mon, 27 Jan 2025 15:25:00 +0000

    Description:
    J-Magic malware campaign was active for roughly a year, targeting endpoints
    at the edge.

    FULL STORY ======================================================================
    Security researchers spot a new piece of malware called J-Magic. It listens to traffic
    in anticipation of a "magic packet". Once one is detected, J-Magic initiates the deployment of a backdoor.

    Hackers have been found targeting companies in the semiconductor, energy, manufacturing, and IT sectors with a unique piece of malware called J-Magic, experts have warned.

    A new report from Black Lotus Labs at Lumen Technologies revealed that unnamed threat actors repurposed cd00r, a stealthy backdoor Trojan designed to provide unauthorized access to a system. cd00r was originally published as an open source proof-of-concept for educational and research purposes in cybersecurity.

    The repurposed Trojan, dubbed J-Magic, was being deployed to enterprise-grade Juniper routers serving as VPN gateways. The researchers don't know how the endpoints were initially infected, but in any case the Trojan sat silently,
    passively watching traffic, until the attackers sent it a "magic" TCP packet.

    Once a matching magic packet is received, the agent sends
    back a secondary challenge to the sender. Only when that challenge is completed correctly does J-Magic spawn a reverse shell on the device, allowing the operators to control it, steal data, or deploy further malicious software, the researchers explained. Because the implant inspects traffic rather than binding a listening port, it leaves no obvious open service for an administrator to notice.
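    The passive trigger flow described above, modelled as an added example. This is illustration code written for this page, not code from J-Magic, cd00r or Black Lotus Labs: the marker string, the challenge scheme (an HMAC over a random nonce under a shared key) and the sample packets are all invented placeholders, since the page does not describe J-Magic's real trigger conditions or challenge. Nothing here opens a socket or spawns a shell; the "reverse_shell" event is just a returned tag marking the point at which the real implant would do so.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Invented placeholders: the real J-Magic trigger and challenge are not on this page.
MAGIC_MARKER = b"J-TEST"
CHALLENGE_KEY = b"demo-shared-secret"


@dataclass
class TcpPacket:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    payload: bytes


def _ip(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int,
                   flags: int, payload: bytes) -> bytes:
    """Construct a raw IPv4+TCP packet (no options, checksums left zero:
    these constructed packets are only ever parsed, never sent)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | flags,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     _ip(src), _ip(dst))
    return ip + tcp


def parse_ipv4_tcp(raw: bytes) -> Optional[TcpPacket]:
    """Parse an IPv4 packet carrying TCP; return None for anything else."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    if raw[9] != 6 or len(raw) < ihl + 20:       # protocol 6 == TCP
        return None
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    tcp = raw[ihl:total_len]
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    return TcpPacket(src, dst, sport, dport, off_flags & 0x1FF, tcp[data_off:])


def answer_challenge(nonce: bytes) -> bytes:
    """Operator side: the response the implant expects for a given nonce."""
    return hmac.new(CHALLENGE_KEY, nonce, hashlib.sha256).digest()


class MagicListener:
    """cd00r-style passive trigger: inspects every TCP packet regardless of
    destination port, so there is no listening socket to discover."""

    def __init__(self) -> None:
        self.pending = {}   # (src, sport) -> expected challenge response

    def observe(self, raw: bytes) -> Optional[Tuple[str, object]]:
        pkt = parse_ipv4_tcp(raw)
        if pkt is None:
            return None
        key = (pkt.src, pkt.sport)
        if key in self.pending:                  # second step: verify the reply
            expected = self.pending.pop(key)
            if hmac.compare_digest(pkt.payload, expected):
                return ("reverse_shell", pkt.src)
            return ("challenge_failed", pkt.src)
        if MAGIC_MARKER in pkt.payload:          # first step: magic packet seen
            nonce = os.urandom(16)
            self.pending[key] = answer_challenge(nonce)
            return ("challenge", nonce)
        return None


if __name__ == "__main__":
    listener = MagicListener()
    ordinary = build_ipv4_tcp("10.0.0.5", "10.0.0.1", 40000, 443, 0x02, b"GET / HTTP/1.1")
    magic = build_ipv4_tcp("10.0.0.5", "10.0.0.1", 40000, 8443, 0x02, b"xx" + MAGIC_MARKER + b"xx")
    print(listener.observe(ordinary))            # None: ordinary traffic is ignored
    event = listener.observe(magic)
    reply = build_ipv4_tcp("10.0.0.5", "10.0.0.1", 40000, 8443, 0x18, answer_challenge(event[1]))
    print(listener.observe(reply))               # ('reverse_shell', '10.0.0.5')
```

    The point for defenders is in `observe`: the marker is matched on any destination port, so host-side checks such as listing open sockets show nothing. Finding an implant of this kind means capturing traffic on the edge device itself and looking for the unexpected second step, an outbound reply to an unsolicited inbound packet that no service on the box should be answering.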

    The campaign was first spotted in September 2023 and lasted until roughly mid-2024. Black Lotus Labs could not say who the threat actors were, but said that elements of the activity share some technical indicators with a subset of prior reporting on a malware family named SeaSpy2.

    However, we do not have enough data points to link these two campaigns with high confidence, they said.

    In any case, SeaSpy2 is also built on cd00r and works in similar fashion, scanning for magic packets. This persistent, passive backdoor, masquerading as a legitimate Barracuda service called "BarracudaMailService", allows threat actors to execute arbitrary commands on compromised Barracuda Email Security Gateway (ESG) appliances.

    SeaSpy was apparently built by UNC4841, a Chinese threat actor.

    Via BleepingComputer



    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/juniper-vpn-gateways-targeted-by-stealthy-magic-malware


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)