Red Alert: Chinese Hackers Target Juniper Routers.

This week brought news of a serious security threat that has been making waves in the cybersecurity community. If you're managing older Juniper MX routers, you'll want to pay close attention.

According to a report from Google Threat Intelligence and a Juniper Networks security advisory, the campaign affects older, end-of-life Juniper MX devices that are no longer receiving security updates.

https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-targets-juniper-routers
https://supportportal.juniper.net/s/article/2025-03-Reference-Advisory-The-RedPenguin-Malware-Incident?language=en_US

It turns out a sophisticated Chinese state-sponsored hacking group, the one Google's Mandiant tracks as UNC3886, has been busy planting backdoors on older Juniper Junos OS devices. Yes, those older routers you might still have tucked away. And they've been at it since at least mid-2024, but it's only now coming to light.

So, what's the big deal? These attackers found a way around Junos OS's 'veriexec' subsystem, the kernel-based file integrity check that is supposed to stop unauthorised code from running on the device. UNC3886 found a way to slip right past it.

Here's the breakdown:

  • They gain initial access through a terminal server, most likely using stolen or otherwise legitimate credentials.

  • From the Junos OS CLI, they drop into the underlying FreeBSD shell.

  • There, they use the shell's 'here document' feature to write a base64-encoded file to disk.

  • That file is decoded, and boom! The malicious binaries are extracted and deployed.
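The chain above (here document to write a base64 blob, decode it, unpack the result) is also something you can hunt for. As an added example, not code from this post, Google, or Juniper, here is a small Python heuristic that looks for that ordered sequence per user in shell command logs. It assumes a constructed log format of "timestamp user command" per line; Junos does not emit such a log by default, so you would feed it whatever shell-audit or process-accounting source you actually collect. The staging directories, regexes and the sample session are all assumptions constructed for the example.

```python
"""Heuristic detector for the here-document -> base64 decode -> extract
staging chain (added example, not the blog's or the vendors' code).

Assumed log format (a constructed convention, not a real Junos facility):
    <ISO timestamp> <user> <shell command line>
"""
import re
from typing import Dict, List, Optional, Tuple

# A file written with a here document, in either argument order:
#   cat > /var/tmp/x << 'EOF'      or      cat << EOF > /var/tmp/x
HEREDOC_RE = re.compile(
    r"\bcat\b(?:\s*>+\s*(?P<p1>\S+)\s*<<-?\s*['\"]?(?P<t1>\w+)"
    r"|\s*<<-?\s*['\"]?(?P<t2>\w+)['\"]?\s*>+\s*(?P<p2>\S+))"
)
# Common ways to turn the staged text back into bytes on a FreeBSD host.
B64_DECODE_RE = re.compile(
    r"\b(?:base64\s+(?:-d|--decode)(?=\s|$)"
    r"|uudecode\s+-m\b"
    r"|openssl\s+(?:base64|enc)\b.*\s-d(?=\s|$))"
)
# Archive extraction of the decoded payload.
EXTRACT_RE = re.compile(
    r"\b(?:tar\s+-?\S*x\S*|unzip\b|gunzip\b|gzip\s+-d\b|xz\s+-d\b|bzip2\s+-d\b)"
)

# Writable locations a payload is likely staged through (assumption: tune per estate).
STAGING_DIRS = ("/var/tmp/", "/tmp/", "/var/db/")
CHAIN = ("heredoc_write", "base64_decode", "extract")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into timestamp, user and the raw command."""
    parts = line.strip().split(" ", 2)
    if len(parts) < 3:
        return None
    return {"ts": parts[0], "user": parts[1], "cmd": parts[2]}


def stages_in(cmd: str) -> List[Tuple[str, Optional[str]]]:
    """Return the chain stages present in one command, in chain order.
    A single pipeline such as 'base64 -d x | tar -xzf -' carries two stages."""
    found: List[Tuple[str, Optional[str]]] = []
    m = HEREDOC_RE.search(cmd)
    if m:
        found.append(("heredoc_write", m.group("p1") or m.group("p2")))
    if B64_DECODE_RE.search(cmd):
        found.append(("base64_decode", None))
    if EXTRACT_RE.search(cmd):
        found.append(("extract", None))
    return found


def detect_staging(lines: List[str]) -> Dict[str, List[str]]:
    """Return {user: evidence lines} for each user whose commands complete the
    chain in order, with the here document written into a staging directory.
    Partial or out-of-order chains (a lone tar, a lone here document) are ignored."""
    progress: Dict[str, Tuple[int, List[str]]] = {}
    findings: Dict[str, List[str]] = {}
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        idx, evidence = progress.get(rec["user"], (0, []))
        if idx == len(CHAIN):
            continue  # already reported for this user
        advanced = False
        for stage, path in stages_in(rec["cmd"]):
            if idx < len(CHAIN) and stage == CHAIN[idx]:
                if stage == "heredoc_write" and not (path or "").startswith(STAGING_DIRS):
                    continue  # here document outside a staging dir: not this pattern
                idx += 1
                advanced = True
        if advanced:
            evidence = evidence + [raw]
            if idx == len(CHAIN):
                findings[rec["user"]] = evidence
        progress[rec["user"]] = (idx, evidence)
    return findings


# Constructed sample session: one user stages a payload, two others do ordinary work.
SAMPLE_LOG = """\
2025-03-01T10:14:55Z admin cli show version
2025-03-01T10:15:02Z admin start shell
2025-03-01T10:15:09Z admin cat > /var/tmp/.x.b64 << 'EOF'
2025-03-01T10:15:31Z admin base64 -d /var/tmp/.x.b64 > /var/tmp/.x.tgz
2025-03-01T10:15:40Z admin tar -xzf /var/tmp/.x.tgz -C /var/tmp
2025-03-01T10:16:02Z admin rm /var/tmp/.x.b64
2025-03-01T11:02:10Z ops cat > /var/tmp/notes.txt << 'EOF'
2025-03-01T11:03:00Z ops ls -la /var/tmp
2025-03-01T11:30:00Z netops tar -xzf /var/tmp/backup.tgz -C /var/home/netops
"""

if __name__ == "__main__":
    for user, evidence in detect_staging(SAMPLE_LOG.splitlines()).items():
        print(f"[!] staging chain by {user}:")
        for line in evidence:
            print("    " + line)
```

Only the full ordered chain is reported, so an engineer pasting a config snippet with a here document, or unpacking a backup, does not trip it on its own; the trade-off is that a chain split across users or sessions is missed, so treat this as a triage hint to pair with the vendor's scanner rather than a verdict.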

What's the impact? These backdoors give UNC3886 persistent access to the device, from which they can harvest credentials and exfiltrate sensitive data. And while the number of confirmed compromised devices is currently low, let's be real: how many of those older routers are still out there? It's a ticking time bomb.

What's even more concerning is that UNC3886 has a history of targeting critical network infrastructure, including VMware and Fortinet products. They're not messing around.

Juniper's advisory recommends that customers run the Juniper Malware Removal Tool (JMRT) on the router host to scan for the malware; see the advisory linked above for details. Seriously consider upgrading affected devices to supported hardware and software, or exploring alternative vendors. The advisory also sets out how to proceed if a device turns out to be compromised.

This attack highlights the importance of keeping your network infrastructure up to date. Don't let the patch level of your aging routers become a gateway for attackers. Stay vigilant, stay patched, and stay secure.

Additional coverage can be found here:
https://www.bleepingcomputer.com/news/security/chinese-cyberspies-backdoor-juniper-routers-for-stealthy-access/
https://www.theregister.com/2025/03/12/china_spy_juniper_routers/?td=rt-3a
