Juniper Warns of Mirai Botnet Targeting SSR Devices with Default Passwords

Juniper Networks is warning that Session Smart Router (SSR) products with default passwords are being targeted as part of a malicious campaign that deploys the Mirai botnet malware.
The company said it's issuing the advisory after "several customers" reported anomalous behavior on their Session Smart Network (SSN) platforms on December 11, 2024.
"These systems have been infected with the Mirai malware and were subsequently used as a DDoS attack source to other devices accessible by their network," it said. "The impacted systems were all using default passwords."
Mirai, which has had its source code leaked in 2016, has spawned several variants over the years. The malware is capable of scanning for known vulnerabilities as well as default credentials to infiltrate devices and enlist them into a botnet for mounting distributed denial-of-service (DDoS) attacks.
To mitigate such threats, organizations are recommended to change their passwords with immediate effect to strong, unique ones (if not already), periodically audit access logs for signs of suspicious activity, use firewalls to block unauthorized access, and keep software up-to-date.
Some of the indicators associated with Mirai attacks include unusual port scanning, frequent SSH login attempts indicating brute-force attacks, increased outbound traffic volume to unexpected IP addresses, random reboots, and connections from known malicious IP addresses.
"If a system is found to be infected, the only certain way of stopping the threat is by reimaging the system as it cannot be determined exactly what might have been changed or obtained from the device," the company said.
The development comes as the AhnLab Security Intelligence Center (ASEC) revealed that poorly managed Linux servers, particularly publicly exposed SSH services, are being targeted by a previously undocumented DDoS malware family dubbed cShell.
"cShell is developed in the Go language and is characterized by exploiting Linux tools called screen and hping3 to perform DDoS attacks," ASEC said.
DigiEver Flaw Exploited to Distribute Mirai Botnet Variant
In a new report published on December 19, 2024, Akamai revealed that a remote code execution vulnerability in DigiEver DS-2105 Pro DVRs (no CVE) is being exploited by attackers to spread a variant of the Mirai botnet dubbed "Hail Cock" since at least October 2024. The botnet is estimated to have been active a month prior to the activity.
The vulnerability in question has been described as a post-auth arbitrary file write that works in combination with DVRs that have weak passwords. The malware installed on the devices subsequently proceeds to carry out Telnet and SSH brute-force attacks to broaden the size of the botnet.
In addition to the DigiEver RCE exploit, the campaign has been observed targeting other known vulnerabilities -
- CVE-2023-1389 (CVSS score: 8.8), a command injection vulnerability affecting TP-Link routers
- CVE-2018-17532 (CVSS score: 9.8), multiple unauthenticated operating system command injection vulnerabilities in Teltonika RUT9XX routers
"Cybercriminals have consistently leveraged the legacy of the Mirai malware to perpetuate botnet campaigns for years, and the new Hail Cock botnet is no exception," Akamai researchers Kyle Lefton, Daniel Messing, and Larry Cashdollar said. "One of the easiest methods for threat actors to compromise new hosts is to target outdated firmware or retired hardware."
"The DigiEver DS-2105 Pro, which is approximately 10 years old now, is an example. Hardware manufacturers do not always issue patches for retired devices, and the manufacturer itself may sometimes be defunct."
Fortinet Warns of Critical FortiWLM Flaw That Could Lead to Admin Access Exploits
Thousands Download Malicious npm Libraries Impersonating Legitimate Tools
CVE-2024-20439 Cisco Smart Licensing Utility Static Credential Vulnerability
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2019-9874 Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
CVE-2019-9875 Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
CVE-2025-30154 reviewdog/action-setup GitHub Action Embedded Malicious Code Vulnerability
CVE-2025-1316 Edimax IC-7100 IP Camera OS Command Injection Vulnerability
CVE-2024-48248 NAKIVO Backup and Replication Absolute Path Traversal Vulnerability
CVE-2017-12637 SAP NetWeaver Directory Traversal Vulnerability
CVE-2025-24472 Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability
InformationalUser Controllable JavaScript Event (XSS)
MediumJWT Scan Rule
InformationalStorable but Non-Cacheable Content
LowInsufficient Site Isolation Against Spectre Vulnerability
MediumFile Upload
CWE-943 Improper Neutralization of Special Elements in Data Query Logic
CWE-1249 Application-Level Admin Tool with Inconsistent View of Underlying Operating System
HighCWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-1301 Insufficient or Incomplete Data Removal within Hardware Component
Free online web security scanner