Juniper warns of Mirai botnet targeting Session Smart routers

Juniper Networks has warned customers of Mirai malware attacks targeting and infecting Session Smart routers using default credentials.

As the networking infrastructure company explained, the malware scans for devices with default login credentials and executes commands remotely after gaining access, enabling a wide range of malicious activities.

The campaign was first observed on December 11, when the first infected routers were found on customers’ networks. Later, the operators of this Mirai-based botnet used the compromised devices to launch distributed denial-of-service (DDoS) attacks.

“On Wednesday, December 11, 2024, several customers reported suspicious behavior on their Session Smart Network (SSN) platforms,” says a security advisory published this Tuesday.

“Any customer not following recommended best practices and still using default passwords can be considered compromised as the default SSR passwords have been added to the virus database.”

Juniper also shared indicators of compromise admins should look for on their networks and devices to detect potential Mirai malware activity, including:

• scans for devices on common Layer 4 ports (e.g., 23, 2323, 80, 8080),
• failed login attempts on SSH services indicative of brute-force attacks,
• sudden spike in outbound traffic volume hinting at devices being co-opted in DDoS attacks,
• devices rebooting or behaving erratically, suggesting they’ve been compromised,
• SSH connections from known malicious IP addresses.

The company advised customers to immediately ensure their devices follow recommended username and password policies, including changing the default credentials on all Session Smart routers and using unique and strong passwords across all devices.

Admins are also recommended to keep firmware updated, review access logs for anomalies, set alerts automatically triggered when suspicious activity is detected, deploy intrusion detection systems to monitor network activity, and use firewalls to block unauthorized access to Internet-exposed devices.

Juniper also warned that routers already infected in these attacks must be reimaged before being brought back online.

“If a system is found to be infected, the only certain way of stopping the threat is by reimaging the system as it cannot be determined exactly what might have been changed or obtained from the device,” Juniper said.

Last year, in August, the ShadowServer threat monitoring service warned of ongoing attacks targeting a critical remote code execution exploit chain impacting Juniper EX switches and SRX firewalls using a watchTowr Labs proof-of-concept (PoC) exploit.

Since then, Juniper also warned of a critical RCE bug in its firewalls and switches in January and released an out-of-cycle patch for a maximum-severity authentication bypass flaw in its Session Smart Router (SSR), Session Smart Conductor, and WAN Assurance Router products.