junipernetscreen5200firewall100634358orig
Security

Attackers are hunting for tampered Juniper firewalls

An experiment by a cybersecurity research center shows attackers are trying to find Juniper firewalls that haven't been patched to remove unauthorized spying code.

The SANS Internet Storm Center set up a honeypot -- a term for a computer designed to lure attackers in order to study their techniques -- that mimicked a vulnerable Juniper firewall.

The honeypot was configured so that it appeared to run ScreenOS, the operating system of the affected Juniper firewalls, wrote Johannes Ullrich, CTO of the Internet Storm Center, on Monday in a blog post.

Juniper said last Thursday that it found during an internal audit two instances of unauthorized code in some versions of ScreenOS, which runs its NetScreen model of enterprise firewalls.

One problem was a hard-coded password, which could allow an attacker to log into a firewall using SSH or telnet in combination with a valid username.

The password was published on Sunday by the security firm Rapid7, which had been analyzing ScreenOS.

Juniper released patches for the password issue and another problem, which could allow VPN traffic to be monitored and decrypted.

Administrators were advised to patch immediately, and Juniper's revelation has received wide attention in the security community. But that still doesn't mean every company has patched, which puts them at risk.

Attackers often quickly try to take advantage of security vulnerabilities after patches are issued in hope of catching out organizations that are slow to react.

Ullrich wrote that the honeypot saw "numerous" login attempts over SSH using the hard-coded password. The attackers also tried various usernames, such as "root," "admin" and "netscreen."

"Our honeypot doesn't emulate ScreenOS beyond the login banner, so we do not know what the attackers are up to, but some of the attacks appear to be 'manual' in that we do see the attacker trying different commands," Ullrich wrote.

One of the IP addresses listed as the source for some of probes was flagged as belonging to the network security company Qualys, possibly attempting to estimate how many systems remain unpatched.

IDG Insider

PREVIOUS ARTICLE

« Kim Dotcom's extradition to the US to be decided on Wednesday

NEXT ARTICLE

SolidFire deal gives NetApp the season's hottest gifts: flash and cloud »
author_image
IDG Connect

IDG Connect tackles the tech stories that matter to you

  • Mail

Recommended for You

International Women's Day: We've come a long way, but there's still an awfully long way to go

Charlotte Trueman takes a diverse look at today’s tech landscape.

Trump's trade war and the FANG bubble: Good news for Latin America?

Lewis Page gets down to business across global tech

20 Red-Hot, Pre-IPO companies to watch in 2019 B2B tech - Part 1

Martin Veitch's inside track on today’s tech trends

Poll

Do you think your smartphone is making you a workaholic?