On Thursday, December 17, Juniper Networks announced that during an internal code review, they detected malicious code embedded in Netscreen ScreenOS firewalls, versions 6.2 and 6.3. The malicious code gives attackers backdoor access, allowing them to log into the Juniper device’s console with full administrative privileges, and also enables the attacker to decrypt VPN traffic. If you have Netscreen firewalls running the infected software versions, your networks are at risk: the attackers can change firewall rules, sniff and decrypt traffic, and erase the log records to hide their trail.
The malicious code has been embedded in Juniper’s product for several years. Apparently the attackers were able to modify Juniper’s software at some point, and Juniper has been unknowingly distributing the vulnerable software ever since.
The level of sophistication in this attack indicates that it is the result of a complex, long-term, professional operation. Fingers have not been pointed at anyone yet, but such attacks are usually attributed to nation-states and government agencies. Someone had to invest heavily in creating spyware infrastructure, years in advance, in the hope (or knowledge) that these devices would eventually end up being purchased by organizations that would likely be interesting targets to spy on. The operational costs could be staggering … I hope we get to hear more on how this happened – it could be the plot for the next “Mission Impossible” movie: just imagine the hot agent seducing the drug-addict IT admin, bringing in the geeky programmers at 3am using a fake ID and plastic fingerprints to get past Juniper’s security staff :).
By publicizing this vulnerability, the cat is now out of the bag. Let’s assume that when country X injected its code into Juniper’s products 4 years ago, only their spy operators knew about the backdoor. So if I’m an enterprise that’s not a national enemy of country X, I have little to worry about, because it’s unlikely that X would be interested in controlling my firewalls. But now that this vulnerability has been made public, my own enemies (criminals, competitors, and my enemy countries Y and Z) have a way to attack me. This is a scary situation and it needs a rapid response!
So if you own affected Juniper Netscreen firewalls:
AlgoSec customers should have already received a new risk profile that flags vulnerable versions of Juniper Networks Netscreen firewalls. Check your email for this notification.