Session Smart Routers With Default Passwords Hacked By Mirai Malware


Juniper Networks has issued an urgent advisory following reports of Mirai malware infections targeting Session Smart Routers (SSRs) left with default passwords.

The campaign, first detected on December 11, exploited weak security practices to compromise devices and use them in distributed denial-of-service (DDoS) attacks.

The Mirai malware, notorious for its ability to exploit Internet of Things (IoT) devices, scans for systems using default login credentials.

Once access is gained, it executes commands remotely, enabling a wide range of malicious activities. In this case, compromised SSRs were weaponized to flood targeted networks with junk traffic, disrupting services and causing significant operational challenges.

This vulnerability impacts all versions of Session Smart Routers. According to Juniper’s advisory, the affected devices share a critical commonality: failure to replace factory-set credentials.

The default SSR passwords have now been added to the malware’s database, making any system still using them highly susceptible to infection.

Administrators are advised to monitor their networks for signs of potential Mirai activity, including:

  • Unusual Port Scanning: High volumes of connection attempts on ports like 23 (Telnet) and 22 (SSH) from a single source IP.
  • Frequent SSH Login Attempts: Multiple failed login attempts indicating brute-force attacks.
  • Increased Outbound Traffic: Unexplained spikes in data leaving the network.
  • Erratic Device Behavior: Random reboots or devices dropping off the network.
  • Connections from Malicious IPs: Known botnet-linked IP addresses attempting access.
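
The failed-login indicator in the list above, together with the higher-priority case of a successful login that follows such a burst, can be checked directly against SSH authentication logs. The script below is an added example, not part of Juniper's advisory: it assumes OpenSSH-style syslog lines, and the log sample, threshold and window are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in OpenSSH syslog style (assumed format, not real SSR output).
SAMPLE_LOG = """\
Dec 11 03:14:01 ssr1 sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2
Dec 11 03:14:03 ssr1 sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 40114 ssh2
Dec 11 03:14:05 ssr1 sshd[813]: Failed password for root from 203.0.113.7 port 40118 ssh2
Dec 11 03:14:08 ssr1 sshd[814]: Failed password for invalid user user from 203.0.113.7 port 40121 ssh2
Dec 11 03:14:10 ssr1 sshd[815]: Failed password for root from 203.0.113.7 port 40125 ssh2
Dec 11 03:14:12 ssr1 sshd[816]: Accepted password for root from 203.0.113.7 port 40130 ssh2
Dec 11 09:00:10 ssr1 sshd[901]: Failed password for netops from 198.51.100.20 port 51500 ssh2
Dec 11 09:05:40 ssr1 sshd[902]: Failed password for netops from 198.51.100.20 port 51502 ssh2
Dec 11 09:05:55 ssr1 sshd[903]: Accepted password for netops from 198.51.100.20 port 51504 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def detect(log_text, threshold=5, window=timedelta(seconds=60), year=2024):
    """Flag source IPs with >= threshold failed logins inside the window, and
    mark those that later logged in successfully (likely compromise)."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still in window
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd password event
        # Syslog timestamps carry no year, so one is supplied by the caller.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip, q = m["ip"], recent[m["ip"]]
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if m["result"] == "Failed":
            q.append(ts)
            if len(q) >= threshold:
                flagged.setdefault(ip, {"burst": True, "success_after_burst": False})
        elif ip in flagged:
            # Accepted login from a source that already produced a burst.
            flagged[ip]["success_after_burst"] = True
    return flagged

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

A source flagged with `success_after_burst` set is the case to treat as a probable compromise; the operator who mistyped a password twice in the sample is not flagged at all.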

Mirai is infamous for its ability to turn IoT devices into botnets—networks of infected devices controlled remotely. Originally surfacing in 2016, it has since evolved into numerous variants.

The malware’s primary tactic involves exploiting weak credentials and software vulnerabilities to infiltrate devices. Once infected, these systems become tools for DDoS attacks or other malicious activities.

Juniper Networks recommends immediate action to prevent further infections:

  1. Change Default Credentials: Replace factory-set passwords with strong, unique ones across all SSRs.
  2. Monitor Logs: Regularly review access logs for anomalies and set alerts for suspicious activity.
  3. Deploy Firewalls and Intrusion Detection Systems (IDS): Block unauthorized access and monitor network behavior.
  4. Update Firmware: Ensure all devices are running the latest software patches.

For already compromised systems, Juniper advises reimaging the affected routers. This is the only guaranteed way to eliminate the malware and secure the device.

The incident underscores the critical importance of adhering to cybersecurity best practices. Weak password management remains a leading cause of IoT vulnerabilities, as demonstrated by this attack on SSRs.

Organizations must prioritize robust security measures to safeguard their networks against evolving threats like Mirai. By taking proactive steps now, businesses can mitigate risks and protect their infrastructure from similar attacks in the future.
