Juniper Warns of Mirai Botnet Targeting SSR Devices with Default Passwords

Juniper Networks is warning that Session Smart Router (SSR) products with default passwords are being targeted as part of a malicious campaign that deploys the Mirai botnet malware.

The company said it's issuing the advisory after "several customers" reported anomalous behavior on their Session Smart Network (SSN) platforms on December 11, 2024.

"These systems have been infected with the Mirai malware and were subsequently used as a DDoS attack source to other devices accessible by their network," it said. "The impacted systems were all using default passwords."

Mirai, which has had its source code leaked in 2016, has spawned several variants over the years. The malware is capable of scanning for known vulnerabilities as well as default credentials to infiltrate devices and enlist them into a botnet for mounting distributed denial-of-service (DDoS) attacks.

To mitigate such threats, organizations are recommended to change their passwords with immediate effect to strong, unique ones (if not already), periodically audit access logs for signs of suspicious activity, use firewalls to block unauthorized access, and keep software up-to-date.

Some of the indicators associated with Mirai attacks include unusual port scanning, frequent SSH login attempts indicating brute-force attacks, increased outbound traffic volume to unexpected IP addresses, random reboots, and connections from known malicious IP addresses.

"If a system is found to be infected, the only certain way of stopping the threat is by reimaging the system as it cannot be determined exactly what might have been changed or obtained from the device," the company said.

The development comes as the AhnLab Security Intelligence Center (ASEC) revealed that poorly managed Linux servers, particularly publicly exposed SSH services, are being targeted by a previously undocumented DDoS malware family dubbed cShell.

"cShell is developed in the Go language and is characterized by exploiting Linux tools called screen and hping3 to perform DDoS attacks," ASEC said.

DigiEver Flaw Exploited to Distribute Mirai Botnet Variant

In a new report published on December 19, 2024, Akamai revealed that a remote code execution vulnerability in DigiEver DS-2105 Pro DVRs (no CVE) is being exploited by attackers to spread a variant of the Mirai botnet dubbed "Hail Cock" since at least October 2024. The botnet is estimated to have been active a month prior to the activity.

The vulnerability in question has been described as a post-auth arbitrary file write that works in combination with DVRs that have weak passwords. The malware installed on the devices subsequently proceeds to carry out Telnet and SSH brute-force attacks to broaden the size of the botnet.

In addition to the DigiEver RCE exploit, the campaign has been observed targeting other known vulnerabilities -

• CVE-2023-1389 (CVSS score: 8.8), a command injection vulnerability affecting TP-Link routers
• CVE-2018-17532 (CVSS score: 9.8), multiple unauthenticated operating system command injection vulnerabilities in Teltonika RUT9XX routers

"Cybercriminals have consistently leveraged the legacy of the Mirai malware to perpetuate botnet campaigns for years, and the new Hail Cock botnet is no exception," Akamai researchers Kyle Lefton, Daniel Messing, and Larry Cashdollar said. "One of the easiest methods for threat actors to compromise new hosts is to target outdated firmware or retired hardware."

"The DigiEver DS-2105 Pro, which is approximately 10 years old now, is an example. Hardware manufacturers do not always issue patches for retired devices, and the manufacturer itself may sometimes be defunct."