Nobody likes eavesdroppers, ESPECIALLY when the eavesdroppers are state-sponsored hackers, quite possibly from your own government. While officially unconfirmed, the discovery of backdoors in Juniper’s ScreenOS, correlated with what we know about some of the NSA’s digital interdiction methods, indicate that they might have been involved. NSA involvement or not, having any sort of unknown or unauthorized remote access to your environment (and your data) is the most serious threat you could encounter.
Researchers at Juniper, during an internal code review, discovered the presence of two pieces of unauthorized code in ScreenOS, the operating system that runs on most of their firewalls. The two pieces of code turned out to be malicious, allowing backdoor access to their authors, but via different tactics. One backdoor allows an attacker to gain administrator access via a hardcoded master password while another allows for passive decryption of VPN traffic.
In the case of the master password exploit, administrators can easily upgrade their Juniper firewall’s operating system to the latest version (that includes the patch) and that’s it. However, the other backdoor’s ability to decrypt VPN traffic is much more troubling and indicates the involvement of state-sponsored hackers due to its reliance on existing wiretaps. This vulnerability would also make it possible to decrypt stored Juniper VPN communications at a later date. Using the patch, itself, its possible to reverse engineer the vulnerability and decode any traffic that an attacker has stored.
Impact on you
- With remote access, an attacker has nearly limitless options as far as what they could do; they could steal cardholder data or other PII, deploy additional malware to carry out other tasks, or just wreak havoc
- When your business relies on the ability to securely transmit information (banking, healthcare, defense) the inability to do so can bring production to a halt. Potentially worse than that, your reputation could be ruined following a successful decryption of VPN traffic.
How AlienVault Helps
AlienVault Labs continues to perform cutting edge research on threats like these, collecting large amounts of data and then analyzing it to extrapolate expert threat intelligence. The Labs team has already released IDS signatures and correlation rule updates to the AlienVault Unified Security Management (USM) platform so customers can identify activity related to this exploit:
Reconnaissance & Probing, Backdoor, Juniper ScreenOS telnet Backdoor Default Password Attempt
Environmental Awareness, Vulnerable software, Exposed Juniper ScreenOS
For further investigation into the Juniper ScreenOS backdoors, visit the Open Threat Exchange (OTX) and see what research members of the community have done: