December 28, 2015 - Jason Trost

Juniper ScreenOS Backdoor Password Seen Used in the Wild

<p>Starting on December 22nd, sensors that are part of the <a href="https://github.com/Pwnlandia/mhn" target="_blank">Modern Honey Network (MHN)</a> began detecting several systems using the recently reported Juniper ScreenOS backdoor password (<code style="line-height: 1.42857;">&lt;&lt;&lt; %s(un='%s') = %u</code>, as reported by Rapid7 <a href="https://community.rapid7.com/community/infosec/blog/2015/12/20/cve-2015-7755-juniper-screenos-authentication-backdoor" style="line-height: 1.42857;">here</a>).  This backdoor is tracked as <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7755" style="line-height: 1.42857;">CVE-2015-7755</a>.  It allows anyone to gain administrative access to a Juniper NetScreen device over either telnet or SSH by supplying the hard-coded backdoor password with any username.  Juniper's advisory lists ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 as affected, and Rapid7's analysis found the backdoor password itself in the 6.3.0r17 through 6.3.0r20 builds; a patched release is available from Juniper.</p><p>ThreatStream released a patch for <a href="https://github.com/threatstream/kippo/tree/juniper-router">Kippo</a>, the popular SSH honeypot, and a <a href="https://github.com/threatstream/mhn/blob/master/scripts/deploy_kippo_as_juniper.sh">deployment script</a> for MHN to enable rapid deployment of Kippo honeypots that mimic the SSH login banner of NetScreen devices and accept a login from any user who provides the backdoor password.  Our goal is to determine who is attempting to exploit this backdoor and how it is being used in the wild.</p><p>In this blog post we briefly analyze the data collected by these sensors and enrich it with MaxMind IP geolocation and Tor exit-node determinations from the <a href="https://exonerator.torproject.org/" style="line-height: 1.42857;">ExoneraTOR project</a>.</p><h2>Tor Use</h2><p>Eight of the forty-two IPs seen logging in with this backdoor password were Tor exit nodes according to <a href="https://exonerator.torproject.org/">ExoneraTOR</a>.  
ExoneraTOR keeps a history of Tor relay activity and supports lookups by IP address and time, so you can determine whether an address was a Tor exit node during a specific window (the timestamp matters, because exit-node status changes frequently).  It is not surprising that Tor is being used to mask the actors' true locations.  This reinforces that, where possible, you should block inbound login attempts to the management interfaces of routers, firewalls, and other network devices from Tor exit nodes.  VPN and other privileged access should also be monitored for successful inbound connections from Tor, since these are not normal for most networks.</p><p><img alt="" src="https://cdn.filestackcontent.com/U7s01zlYQOWohWkJeuBo"/></p><h2>SSH Client Banners</h2><p>It is interesting, but not surprising, that several of the SSH client banners belong to <a href="http://www.paramiko.org/">Paramiko</a>, a Python implementation of SSHv2.  These hosts produced more events and were seen by more unique sensors than the IPs with other client banners, which makes sense because Paramiko is usually used for scripting and automating administration over SSH.  Just like HTTP User-Agents, SSH client banners should be monitored for suspicious or anomalous strings that are not normal for your network; the client version string is exchanged in the clear before key exchange, so a passive network sensor can record it without decrypting the session.  <a href="https://www.bro.org/">Bro IDS</a> as well as <a href="https://www.snort.org/">Snort</a>/<a href="http://suricata-ids.org/">Suricata</a> can aid in doing this.</p><p><img alt="" src="https://cdn.filestackcontent.com/mmcSvGarQ0KqanNDkfe8"/></p><h3>Top Banners Seen</h3><p>Below are the top SSH client banners that we observed during these login attempts.</p><pre>SSH-2.0-paramiko_1.16.0
SSH-2.0-paramiko_1.15.2
SSH-2.0-paramiko_1.15.1
SSH-2.0-nsssh2_5.0.0028 NetSarang Computer, Inc.
SSH-2.0-libssh-0.6.3
SSH-2.0-PuTTY_Release_0.65
SSH-2.0-PuTTY_Release_0.64
SSH-2.0-PuTTY_Release_0.63
SSH-2.0-PuTTY_Release_0.62
SSH-2.0-PuTTY_Local:_Jan__3_2014_23:26:54
SSH-2.0-OpenSSH_7.1p1 Debian-5
SSH-2.0-OpenSSH_6.9p1 Ubuntu-2
SSH-2.0-OpenSSH_6.9
SSH-2.0-OpenSSH_6.7p1 Debian-5
SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
SSH-2.0-OpenSSH_6.1
SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.7
SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.4
SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.2
SSH-2.0-OpenSSH_5.3
SSH-1.99-1.4.0 NSFocus Ltd. (RSAS 4.0)</pre><h2>Timeline</h2><p>Here is an event timeline showing the number of SSH login events using this password over time.  The vast majority of the events are from Christmas Eve (2015-12-24); at this time it is unclear why.  Most of this activity came from seven hosts, all geolocated to Tianjin, China (according to MaxMind) and all presenting Paramiko client banners.  Based on this and the volume of logins, these attempts were clearly automated.</p><p>It is interesting that we saw no overlap with the IPs reported by SANS in their blog post <a href="http://isc.sans.edu/forums/diary/First+Exploit+Attempts+For+Juniper+Backdoor+Against+Honeypot/20525/">here</a>.  Some of the IPs they reported were also Tor exit nodes.</p><div><p><img alt="" src="https://cdn.filestackcontent.com/7t3mngjFQ8a1ZxgGZ6JB"/></p><h2>Commands Executed</h2><p>With the exception of three systems, all of these IPs logged into the honeypots and then immediately exited.  This behavior is consistent with scanning to enumerate the population of vulnerable Juniper devices, possibly benign security research.</p><p>Of the three, two (31.31.77.242 and 117.114.147.2) appeared to just be looking around.  They did not attempt to download or execute anything other than basic read-only system commands.  
The other system (109.163.234.4, a Tor exit node) attempted to bind an SSH public key to the default <code>netscreen</code> administrator account with the following command (the key blob is wrapped here for readability; on the device it is a single line):</p><pre>set ssh pka-dsa user-name netscreen blob AAAAB3NzaC1kc3MAAACBAN5M1jh9ukRJR8D2ZO
w524aEZjOkqLCEUV4qVRhHWjYYsGY9lwO3ZRg/gD54quWxDi2rGzkeheuYTn+O9ghDFf3qemnZS35E0
EGGvc2KHvwbiCMgGgVTT0OqTMILrdAkiEj2qnu/pWzzD2EO7vMWpgKmgVxUoVwwa1XRbUawWBh7AAAA
FQCMKAX5xDIcGjYPFEehranxyGfewQAAAIEAgwoUmAfETx/rZEL20TTX/AAdkIq3bHy5A6NFmrtFdAr
a7GuTyorGiV7N1pAyKc8Wk4OLzWHHxSeitW7vkCgtiybCL/tbMUbqyJxgIDWlkUM0e2iv+ZpegsJfes
BdFgnIpepzQ6uW/fIw80rW4XYN/byUG7bcY4+MGVDsAShmY6AAAACAC+qceJYNDHA6YOZ6QA4P25lmB
VB2889pJ/gWH8cer+jDBxRYqtw</pre><p>A key bound this way would give the attacker administrative access to the NetScreen device even after the backdoor is patched, because installing the fixed ScreenOS build does not remove public keys that were added to admin accounts.  If you run NetScreen devices, review the SSH public keys bound to every admin account (the <code>set ssh pka-dsa</code> and <code>set ssh pka-rsa</code> lines in the saved configuration) and remove any key you did not authorize; while you are there, check for added admin accounts and changed passwords as well.</p><h2>Attacker Countries</h2><p>China accounts for the largest share of the IPs in this dataset, followed by Taiwan, addresses that MaxMind labels only as anonymous proxies (Tor exit nodes), and the US.</p><p><img alt="" src="https://cdn.filestackcontent.com/THmMhbp1RXeZTMfdVHsP"/></p><h2>Usernames</h2><p>This backdoor allows any username to log in with administrator access as long as the hard-coded backdoor password is supplied.  
Here are the usernames used to log in to our honeypots.</p><table border="1" cellpadding="1" cellspacing="1"><tbody><tr><th>Username</th><th>Count</th></tr><tr><td>system</td><td>137</td></tr><tr><td>root</td><td>58</td></tr><tr><td>netscreen</td><td>8</td></tr><tr><td>admin</td><td>7</td></tr><tr><td>blah</td><td>3</td></tr><tr><td>pavel</td><td>3</td></tr><tr><td>a</td><td>2</td></tr><tr><td>punit</td><td>2</td></tr><tr><td>123</td><td>2</td></tr><tr><td>tmp</td><td>1</td></tr><tr><td>username2</td><td>1</td></tr><tr><td>user1</td><td>1</td></tr><tr><td>ROOT</td><td>1</td></tr><tr><td>test</td><td>1</td></tr><tr><td>asdf</td><td>1</td></tr></tbody></table><h2>Raw Data</h2><p>Below is a summary of the events we have seen so far, grouped by IP address.  On average we have seen 7-10 new IPs per day attempting to exploit this vulnerability, so for the latest IOCs and details related to this threat, sign up for an <a href="https://ui.threatstream.com/registration">Optic Account</a> and see the continuously updated threat bulletin: <a href="https://ui.threatstream.com/threat-bulletin/2807">"Juniper Backdoor (CVE-2015-7755) Seen Exploited in the Wild"</a>.</p><table border="1" cellpadding="1" cellspacing="1"><tbody><tr><th>IP</th><th>SSH Client Banner</th><th>City</th><th>Country</th><th>Organization</th><th>Connection Type</th><th>ASN</th><th>RDNS</th><th>Tor Exit?</th></tr><tr><td>109.163.234.4</td><td>SSH-2.0-OpenSSH_6.1</td><td>-</td><td>Anonymous Proxy</td><td>Voxility S.R.L.</td><td>-</td><td>3223</td><td>hessel2.torservers.net</td><td>TOR</td></tr><tr><td>113.196.70.235</td><td>SSH-2.0-OpenSSH_6.7p1 Debian-5</td><td>Taipei</td><td>Taiwan</td><td>New Century InfoComm Tech Co.</td><td>Cable/DSL</td><td>9919</td><td>113.196.70.235.LL.static.sparqnet.net</td><td>-</td></tr><tr><td>117.114.147.2</td><td>SSH-2.0-OpenSSH_6.9</td><td>Beijing</td><td>China</td><td>China Telecom 
Beijing</td><td>Cable/DSL</td><td>23724</td><td>-</td><td>-</td></tr><tr><td>117.18.65.210</td><td>SSH-2.0-OpenSSH_6.7p1 Debian-5</td><td>North Point</td><td>Hong Kong</td><td>SunnyVision Limited</td><td>Dialup</td><td>38478</td><td>117-18-65-210.sunnyvision.com</td><td>-</td></tr><tr><td>118.163.253.120</td><td>SSH-2.0-OpenSSH_5.3</td><td>-</td><td>Taiwan</td><td>HiNet</td><td>Cable/DSL</td><td>3462</td><td>118-163-253-120.HINET-IP.hinet.net</td><td>-</td></tr><tr><td>118.244.254.21</td><td>SSH-2.0-OpenSSH_6.9</td><td>Beijing</td><td>China</td><td>China Telecom Beijing</td><td>Cable/DSL</td><td>4847</td><td>-</td><td>-</td></tr><tr><td>123.151.192.145</td><td>SSH-2.0-paramiko_1.16.0</td><td>Tianjin</td><td>China</td><td>China Telecom TIANJIN</td><td>Cable/DSL</td><td>17638</td><td>-</td><td>-</td></tr><tr><td>123.151.192.155</td><td>SSH-2.0-paramiko_1.16.0</td><td>Tianjin</td><td>China</td><td>China Telecom TIANJIN</td><td>Cable/DSL</td><td>17638</td><td>-</td><td>-</td></tr><tr><td>123.151.204.30</td><td>SSH-2.0-paramiko_1.16.0</td><td>Tianjin</td><td>China</td><td>China Telecom TIANJIN</td><td>Cable/DSL</td><td>17638</td><td>-</td><td>-</td></tr><tr><td>145.253.158.103</td><td>SSH-2.0-PuTTY_Release_0.63</td><td>-</td><td>Germany</td><td>Vodafone DSL</td><td>Cable/DSL</td><td>3209</td><td>-</td><td>-</td></tr><tr><td>151.217.236.226</td><td>SSH-2.0-paramiko_1.15.2</td><td>-</td><td>Germany</td><td>Chaos Computer Club e.V.</td><td>-</td><td>13020</td><td>-</td><td>-</td></tr><tr><td>174.139.26.141</td><td>SSH-2.0-OpenSSH_6.7p1 Debian-5</td><td>Orange</td><td>United States</td><td>Krypt Technologies</td><td>Corporate</td><td>35908</td><td>-</td><td>-</td></tr><tr><td>182.91.95.113</td><td>SSH-2.0-paramiko_1.16.0</td><td>Nanning</td><td>China</td><td>China Unicom Guangxi</td><td>Cable/DSL</td><td>4837</td><td>-</td><td>-</td></tr><tr><td>185.100.85.101</td><td>SSH-2.0-OpenSSH_6.1</td><td>Bucharest</td><td>Romania</td><td>FlokiNET 
ehf</td><td>-</td><td>200651</td><td>-</td><td>TOR</td></tr><tr><td>185.15.45.3</td><td>SSH-2.0-OpenSSH_7.1p1 Debian-5</td><td>Torun</td><td>Poland</td><td>Tarr Centrum Innowacyjnosci Sp. Zoo.</td><td>-</td><td>60713</td><td>-</td><td>-</td></tr><tr><td>185.34.33.2</td><td>SSH-2.0-OpenSSH_6.1</td><td>-</td><td>Anonymous Proxy</td><td>Octopuce s.a.r.l.</td><td>-</td><td>39389</td><td>tor.laquadrature.net</td><td>TOR</td></tr><tr><td>198.52.100.165</td><td>SSH-2.0-OpenSSH_6.7p1 Debian-5</td><td>Canyon Country</td><td>United States</td><td>Multacom Corporation</td><td>Corporate</td><td>35916</td><td>165-100-52-198-dedicated.multacom.com</td><td>-</td></tr><tr><td>202.83.18.161</td><td>SSH-2.0-OpenSSH_6.9p1 Ubuntu-2</td><td>Bangalore</td><td>India</td><td>Atria Convergence Technologies Pvt. Ltd. Broadband</td><td>Cable/DSL</td><td>24309</td><td>83.18-broadband.acttv.in</td><td>-</td></tr><tr><td>202.99.27.194</td><td>SSH-2.0-paramiko_1.15.1</td><td>Beijing</td><td>China</td><td>China Unicom Beijing</td><td>Cable/DSL</td><td>4808</td><td>-</td><td>-</td></tr><tr><td>203.62.151.150</td><td>SSH-2.0-nsssh2_5.0.0028 NetSarang Computer, Inc.</td><td>Glen Iris</td><td>Australia</td><td>Pacnet Services (Japan) Corp.</td><td>Cable/DSL</td><td>7543</td><td>mail.foodworks.com.au</td><td>-</td></tr><tr><td>210.122.36.145</td><td>SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.7</td><td>-</td><td>Republic of Korea</td><td>Enterprise Networks</td><td>Cable/DSL</td><td>9848</td><td>-</td><td>-</td></tr><tr><td>220.132.73.90</td><td>SSH-2.0-libssh-0.6.3</td><td>Taipei</td><td>Taiwan</td><td>HiNet</td><td>Cable/DSL</td><td>3462</td><td>220-132-73-90.HINET-IP.hinet.net</td><td>-</td></tr><tr><td>221.238.247.105</td><td>SSH-2.0-paramiko_1.16.0</td><td>Tianjin</td><td>China</td><td>China Telecom TIANJIN</td><td>Cable/DSL</td><td>17638</td><td>-</td><td>-</td></tr><tr><td>221.238.247.125</td><td>SSH-2.0-paramiko_1.16.0</td><td>Tianjin</td><td>China</td><td>China Telecom 
TIANJIN</td><td>Cable/DSL</td><td>17638</td><td>-</td><td>-</td></tr><tr><td>221.238.247.65</td><td>SSH-2.0-paramiko_1.16.0</td><td>Tianjin</td><td>China</td><td>China Telecom TIANJIN</td><td>Cable/DSL</td><td>17638</td><td>-</td><td>-</td></tr><tr><td>221.238.247.90</td><td>SSH-2.0-paramiko_1.16.0</td><td>Tianjin</td><td>China</td><td>China Telecom TIANJIN</td><td>Cable/DSL</td><td>17638</td><td>-</td><td>-</td></tr><tr><td>27.219.161.29</td><td>SSH-2.0-OpenSSH_5.3</td><td>Qingdao</td><td>China</td><td>China Unicom Shandong</td><td>Cable/DSL</td><td>4837</td><td>-</td><td>-</td></tr><tr><td>31.31.77.242</td><td>SSH-2.0-OpenSSH_6.1</td><td>-</td><td>Czech Republic</td><td>WEDOS Internet, a.s.</td><td>-</td><td>197019</td><td>-</td><td>TOR</td></tr><tr><td>39.77.190.155</td><td>SSH-2.0-OpenSSH_6.7p1 Debian-5</td><td>Jinan</td><td>China</td><td>China Unicom Shandong</td><td>Cable/DSL</td><td>4837</td><td>-</td><td>-</td></tr><tr><td>43.224.248.211</td><td>SSH-2.0-PuTTY_Release_0.62</td><td>-</td><td>Taiwan</td><td>HongKong Virtual Internal Server Company Limited</td><td>Cable/DSL</td><td>134120</td><td>-</td><td>-</td></tr><tr><td>60.251.8.120</td><td>SSH-2.0-PuTTY_Release_0.65</td><td>-</td><td>Taiwan</td><td>HiNet</td><td>Cable/DSL</td><td>3462</td><td>60-251-8-120.HINET-IP.hinet.net</td><td>-</td></tr><tr><td>61.49.45.42</td><td>SSH-2.0-paramiko_1.16.0</td><td>Beijing</td><td>China</td><td>China Unicom Beijing</td><td>Cable/DSL</td><td>4808</td><td>-</td><td>-</td></tr><tr><td>61.49.45.45</td><td>SSH-2.0-paramiko_1.16.0</td><td>Beijing</td><td>China</td><td>China Unicom Beijing</td><td>Cable/DSL</td><td>4808</td><td>-</td><td>-</td></tr><tr><td>77.247.181.165</td><td>SSH-2.0-OpenSSH_6.1</td><td>-</td><td>Anonymous Proxy</td><td>NForce Entertainment B.V.</td><td>-</td><td>43350</td><td>politkovskaja.torservers.net</td><td>TOR</td></tr><tr><td>82.81.50.228</td><td>SSH-2.0-OpenSSH_6.9</td><td>-</td><td>Israel</td><td>Bezeq 
International</td><td>Cable/DSL</td><td>8551</td><td>bzq-82-81-50-228.red.bezeqint.net</td><td>-</td></tr><tr><td>82.94.251.227</td><td>SSH-2.0-OpenSSH_6.1</td><td>-</td><td>Netherlands</td><td>XS4ALL Internet BV</td><td>Cable/DSL</td><td>3265</td><td>mail.calyx.com</td><td>TOR</td></tr><tr><td>87.98.178.61</td><td>SSH-2.0-OpenSSH_6.1</td><td>-</td><td>France</td><td>OVH SAS</td><td>-</td><td>16276</td><td>tor-exit-node--proxy.scalaire.com</td><td>TOR</td></tr><tr><td>89.187.219.219</td><td>SSH-2.0-OpenSSH_6.7p1 Debian-5</td><td>Beirut</td><td>Lebanon</td><td>Pros-Services S.A.R.L.</td><td>-</td><td>57256</td><td>-</td><td>-</td></tr><tr><td>91.109.247.173</td><td>SSH-2.0-OpenSSH_6.1</td><td>-</td><td>Anonymous Proxy</td><td>UK2 - Ltd</td><td>-</td><td>13213</td><td>tor-exit2-readme.puckey.org</td><td>TOR</td></tr><tr><td>91.219.24.233</td><td>SSH-2.0-PuTTY_Local:_Jan__3_2014_23:26:54</td><td>Moscow</td><td>Russia</td><td>OOO System Service</td><td>-</td><td>50448</td><td>a233.abon24-plus-gw-02.northnet.ru</td><td>-</td></tr><tr><td>94.228.153.247</td><td>SSH-2.0-PuTTY_Release_0.64</td><td>Igis</td><td>Switzerland</td><td>aurax connecta AG</td><td>Cable/DSL</td><td>31662</td><td>-</td><td>-</td></tr><tr><td>98.143.148.176</td><td>SSH-2.0-paramiko_1.16.0</td><td>Los Angeles</td><td>United States</td><td>QuadraNet</td><td>Corporate</td><td>8100</td><td>-</td><td>-</td></tr></tbody></table><h2>Next Steps</h2><p>If you're interested in learning more about MHN, please see <a href="https://github.com/Pwnlandia/mhn" target="_blank">the project page</a> and the <a href="https://github.com/threatstream/mhn">MHN GitHub repository</a>.  If you're interested in a free ThreatStream account, please visit our <a href="https://ui.threatstream.com/registration">registration page</a>.</p></div>
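<p>As an added example (not code from the original post, from Kippo or from MHN), here is a Python script that triages Kippo honeypot logs for the activity described above: it ties each connection's client banner to the login attempts made over that connection, keeps only the attempts that used the backdoor password, flags client banners associated with scripted access such as Paramiko, and tallies usernames the way the Usernames table does.  The sample log lines are constructed to resemble Kippo's text log and are not real captures; the per-connection <code>HoneyPotTransport,&lt;id&gt;,&lt;ip&gt;</code> tag layout and the exact banner and login message formats are assumptions to adjust for your Kippo build.</p>

```python
"""Triage Kippo honeypot logs for logins that used the ScreenOS
backdoor password (CVE-2015-7755).

Added example; this is not code from the original post, Kippo or MHN.
SAMPLE_LOG is constructed to resemble Kippo's text log (one event per
line, tagged with the connection's "HoneyPotTransport,<id>,<ip>"); if
your Kippo build formats lines differently, adjust the three regexes.
"""
import re
from collections import Counter

# Hard-coded ScreenOS backdoor password reported by Rapid7.
BACKDOOR_PASSWORD = "<<< %s(un='%s') = %u"

# Client banner substrings that usually indicate scripted access rather
# than an administrator at a keyboard.  Tune for your environment.
AUTOMATION_BANNERS = ("paramiko", "libssh", "nsfocus")

_TAG = re.compile(r"\[(?:SSHService ssh-userauth on )?HoneyPotTransport,(\d+),([\d.]+)\]")
_BANNER = re.compile(r"Remote SSH version: (.+)$")
_LOGIN = re.compile(r"login attempt \[([^/\]]*)/(.*)\] (succeeded|failed)$")

# Constructed sample; IPs are taken from the post's table plus one
# documentation-range address for a non-backdoor login.
SAMPLE_LOG = """\
2015-12-24 03:12:01+0000 [HoneyPotTransport,12,123.151.192.145] Remote SSH version: SSH-2.0-paramiko_1.16.0
2015-12-24 03:12:02+0000 [SSHService ssh-userauth on HoneyPotTransport,12,123.151.192.145] login attempt [system/<<< %s(un='%s') = %u] succeeded
2015-12-24 03:12:02+0000 [HoneyPotTransport,12,123.151.192.145] connection lost
2015-12-24 09:41:10+0000 [HoneyPotTransport,13,109.163.234.4] Remote SSH version: SSH-2.0-OpenSSH_6.1
2015-12-24 09:41:11+0000 [SSHService ssh-userauth on HoneyPotTransport,13,109.163.234.4] login attempt [netscreen/<<< %s(un='%s') = %u] succeeded
2015-12-24 09:41:12+0000 [SSHService ssh-userauth on HoneyPotTransport,13,109.163.234.4] login attempt [root/<<< %s(un='%s') = %u] succeeded
2015-12-24 10:02:00+0000 [HoneyPotTransport,14,198.51.100.7] Remote SSH version: SSH-2.0-OpenSSH_6.7p1 Debian-5
2015-12-24 10:02:01+0000 [SSHService ssh-userauth on HoneyPotTransport,14,198.51.100.7] login attempt [root/123456] failed
"""


def parse_events(log_text):
    """Yield (ip, banner, username, password, result) per login attempt.

    The client banner is remembered per connection tag and attached to
    every login attempt made over that connection.
    """
    banners = {}  # (connection id, ip) -> client banner
    for line in log_text.splitlines():
        tag = _TAG.search(line)
        if not tag:
            continue
        key = (tag.group(1), tag.group(2))
        m = _BANNER.search(line)
        if m:
            banners[key] = m.group(1).strip()
            continue
        m = _LOGIN.search(line)
        if m:
            yield key[1], banners.get(key), m.group(1), m.group(2), m.group(3)


def is_automation_banner(banner):
    """True when the banner matches a known scripting/scanner client."""
    return bool(banner) and any(s in banner.lower() for s in AUTOMATION_BANNERS)


def summarize_backdoor_logins(log_text):
    """Group backdoor-password logins by source IP.

    Returns {ip: {"banner": str | None, "attempts": int,
                  "usernames": Counter, "automated_client": bool}}.
    Attempts with any other password are ignored.
    """
    summary = {}
    for ip, banner, user, password, _result in parse_events(log_text):
        if password != BACKDOOR_PASSWORD:
            continue
        rec = summary.setdefault(ip, {"banner": banner, "attempts": 0,
                                      "usernames": Counter(),
                                      "automated_client": False})
        rec["attempts"] += 1
        rec["usernames"][user] += 1
        rec["banner"] = banner or rec["banner"]
        rec["automated_client"] = is_automation_banner(rec["banner"])
    return summary


def username_counts(summary):
    """Overall username tally across all backdoor logins (like the post's table)."""
    total = Counter()
    for rec in summary.values():
        total.update(rec["usernames"])
    return total


if __name__ == "__main__":
    report = summarize_backdoor_logins(SAMPLE_LOG)
    for ip, rec in sorted(report.items()):
        flag = "automated" if rec["automated_client"] else "interactive?"
        print(f"{ip:16} {rec['attempts']:3} {flag:12} {rec['banner']}")
    print(username_counts(report).most_common())
```

<p>Run it as a script to print one line per source IP; the same functions can be pointed at a full <code>kippo.log</code> to reproduce the per-IP and per-username summaries in this post.</p>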
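<p>The persistence technique seen from 109.163.234.4 is worth checking for on real devices.  The following Python script is an added example (not code from the original post or from Juniper) that audits a saved ScreenOS configuration for <code>set ssh pka-dsa</code> (and <code>pka-rsa</code>) bindings, fingerprints each key blob, and reports every binding whose fingerprint is not on an allowlist you maintain.  The sample configuration is constructed and its key blobs are synthetic: they have the ssh-dss wire layout so they decode and fingerprint, but they are not usable keys.  Tolerating both quoted and unquoted <code>user-name</code> values is an assumption.</p>

```python
"""Audit a ScreenOS configuration for SSH public keys bound to admin
accounts, the persistence technique seen in the honeypot session above.

Added example; not code from the original post or from Juniper.  It
parses "set ssh pka-dsa user-name <admin> blob <base64>" lines as they
appear in a saved ScreenOS configuration (pka-rsa lines, if present, are
handled the same way), fingerprints each key and reports every binding
whose fingerprint is not on an operator-maintained allowlist.
SAMPLE_CONFIG is constructed and its key blobs are synthetic: they have
the ssh-dss wire layout so they decode and fingerprint, but they are not
usable keys.  Accepting quoted or unquoted user-name is an assumption.
"""
import base64
import hashlib
import re
import struct

_PKA_LINE = re.compile(
    r'^\s*set ssh (pka-dsa|pka-rsa) user-name "?([^"\s]+)"? blob (\S+)\s*$')


def _ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """SSH wire 'mpint' for n >= 0 (spare leading 0x00 keeps the sign bit clear)."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def synthetic_dss_blob(seed: int) -> str:
    """Base64 blob with ssh-dss layout (name + p, q, g, y).  NOT a real key."""
    raw = _ssh_string(b"ssh-dss") + b"".join(
        _ssh_mpint(seed + i) for i in range(4))
    return base64.b64encode(raw).decode("ascii")


def key_type(blob_b64: str) -> str:
    """Algorithm name carried in the first SSH string of the blob."""
    raw = base64.b64decode(blob_b64)
    (length,) = struct.unpack(">I", raw[:4])
    return raw[4:4 + length].decode("ascii", "replace")


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style MD5 fingerprint (aa:bb:cc:...) of the decoded blob."""
    digest = hashlib.md5(base64.b64decode(blob_b64)).digest()
    return ":".join(f"{b:02x}" for b in digest)


def bound_keys(config_text: str):
    """Yield one dict per 'set ssh pka-*' binding in the configuration."""
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = _PKA_LINE.match(line)
        if m:
            form, admin, blob = m.groups()
            yield {"line": lineno, "form": form, "admin": admin,
                   "type": key_type(blob), "fingerprint": fingerprint(blob)}


def audit(config_text: str, allowed_fingerprints) -> list:
    """Return the bindings whose key fingerprint is not in the allowlist."""
    return [k for k in bound_keys(config_text)
            if k["fingerprint"] not in allowed_fingerprints]


# Constructed configuration fragment.  The first binding is the key the
# operator actually issued; the second is an unexpected key added to the
# default "netscreen" admin, as in the honeypot session.
ISSUED_KEY = synthetic_dss_blob(1000)
ALLOWED_FINGERPRINTS = {fingerprint(ISSUED_KEY)}
SAMPLE_CONFIG = f"""\
set admin name "netscreen"
set ssh version v2
set ssh enable
set ssh pka-dsa user-name netscreen blob {ISSUED_KEY}
set ssh pka-dsa user-name netscreen blob {synthetic_dss_blob(7331)}
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, ALLOWED_FINGERPRINTS):
        print(f"line {finding['line']}: unexpected {finding['type']} key for "
              f"admin '{finding['admin']}' ({finding['fingerprint']})")
```

<p>Feed it the saved output of <code>get config</code>; the fingerprints it prints can be compared with those of the keys your administrators actually hold, and anything that does not match should be removed and investigated.</p>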
