Juniper Networks Warns of Mirai Botnet Attacks Targeting SSR Devices with Default Passwords

Juniper Networks has issued a security advisory warning that its Session Smart Router (SSR) devices are being targeted in a malicious campaign deploying the Mirai botnet. The attack, discovered on December 11, 2024, impacts systems using default passwords, which allowed threat actors to infect the devices with Mirai malware and enlist them in Distributed Denial-of-Service (DDoS) attacks.

The Mirai botnet, notorious for its ability to exploit default credentials and vulnerabilities, has been leveraging this weakness to take control of vulnerable SSR devices. Once compromised, the infected systems were used to launch DDoS attacks against other devices on the same network.

Mitigation Steps:

  • Change default passwords immediately to strong, unique ones.

  • Regularly audit access logs for signs of suspicious activity.

  • Use firewalls to block unauthorized access.

  • Keep software up to date.

Indicators of Mirai botnet activity include unusual port scanning, frequent SSH login attempts, increased outbound traffic, random device reboots, and connections from known malicious IP addresses. If a device is found to be infected, Juniper recommends reimaging the system to ensure the threat is completely eradicated.
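As an added example (not from Juniper's advisory or the original article), the following Python audits sshd log lines for the "frequent SSH login attempts" indicator and flags any successful login that follows a burst of failures from the same address. The OpenSSH syslog line format, the threshold and window values, and the function name `audit_ssh_log` are assumptions; the sample log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the common OpenSSH syslog format (assumption:
# the audited device logs sshd events this way). IPs are documentation ranges.
SAMPLE_LOG = """\
Dec 11 03:14:01 edge1 sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2
Dec 11 03:14:03 edge1 sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 40118 ssh2
Dec 11 03:14:05 edge1 sshd[813]: Failed password for root from 203.0.113.7 port 40125 ssh2
Dec 11 03:14:06 edge1 sshd[814]: Failed password for root from 203.0.113.7 port 40131 ssh2
Dec 11 03:14:09 edge1 sshd[815]: Accepted password for root from 203.0.113.7 port 40140 ssh2
Dec 11 08:30:00 edge1 sshd[901]: Failed password for alice from 198.51.100.20 port 51000 ssh2
Dec 11 08:30:20 edge1 sshd[902]: Accepted password for alice from 198.51.100.20 port 51004 ssh2
Dec 11 09:00:00 edge1 sshd[950]: Accepted publickey for ops from 192.0.2.10 port 52000 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")

def audit_ssh_log(text, threshold=4, window=timedelta(seconds=60), year=2024):
    """Return {ip: {"burst": True, "login_after_burst": [users]}}."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    findings = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not an sshd authentication result line
        # Syslog timestamps omit the year, so the caller supplies it.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        fails = recent[m["ip"]]
        while fails and ts - fails[0] > window:
            fails.popleft()       # drop failures outside the sliding window
        if m["result"] == "Failed":
            fails.append(ts)
            if len(fails) >= threshold:
                findings.setdefault(m["ip"], {"burst": True, "login_after_burst": []})
        elif m["ip"] in findings and fails:
            # Success right after a burst: a guessed or default password worked.
            findings[m["ip"]]["login_after_burst"].append(m["user"])
    return findings

if __name__ == "__main__":
    for ip, finding in audit_ssh_log(SAMPLE_LOG).items():
        print(ip, finding)
```

A source that appears with a non-empty `login_after_burst` list is the case to escalate first, since it matches the default-password compromise the advisory describes.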

New Threat: cShell DDoS Malware Targeting Linux Servers

In addition to the Mirai botnet, AhnLab Security Intelligence Center (ASEC) has reported the rise of a new DDoS malware, cShell. This malware targets poorly managed Linux servers, particularly those with exposed SSH services. Developed in Go, cShell uses Linux tools like screen and hping3 to perform DDoS attacks.

Mirai Botnet Variant Spreads via Vulnerable DigiEver Devices

Akamai also reported a new development on December 19, 2024, revealing that a variant of the Mirai botnet, dubbed "Hail Cock," is being spread through a vulnerability in DigiEver DS-2105 Pro DVRs. The vulnerability allows attackers to execute arbitrary file writes on the device, leveraging weak passwords to propagate the malware through brute-force attacks on Telnet and SSH services.

In addition to targeting DigiEver devices, the campaign also exploits known vulnerabilities in TP-Link routers (CVE-2023-1389) and Teltonika routers (CVE-2018-17532).

Akamai researchers emphasized that cybercriminals continue to exploit the Mirai malware's legacy, often targeting outdated firmware and devices that manufacturers no longer support or patch.

Conclusion: As botnet campaigns continue to evolve, the importance of securing devices with strong passwords, up-to-date firmware, and constant monitoring remains critical for defending against these malicious attacks.