Since 2023, Juniper routers worldwide have been fitted with a backdoor through which criminals can take control. The backdoor is well protected, and it is unclear who placed it or how.
Enterprise routers from Juniper Networks contain a backdoor. That is what Black Lotus Labs security researchers at Lumen Technologies discovered. The backdoors are inactive, but passively listen for one of five possible magic packets. Once such a packet is received, the backdoor itself requests authentication. If that succeeds, an attacker gains complete access to the routers.
The backdoor is said to be a variant of cd00r. After successful injection, it lives in the routers' memory. It is unclear how many devices are infected. Attackers have been infecting devices since 2023.
Victims worldwide
The researchers discovered victims worldwide, from the U.S. to Russia, and from South America to Europe. For example, devices were infected at firms in the UK, Norway and the Netherlands.
The choice of routers is not accidental. The devices are not extensively monitored, yet they hold a very central place in the network. Black Lotus itself shares more details about the backdoor, including the signals that show whether something is wrong.