Shielding Networks From Androxgh0st
Juniper Networks » Threat Research
by Kashinath T Pattan
1M ago
AndroxGh0st is a Python-based malware that targets Laravel applications. It scans for exposed .env files and exfiltrates the secrets they hold, typically credentials for AWS and Twilio. Classified as an SMTP cracker, it abuses SMTP through several techniques, including credential exploitation, web shell deployment and vulnerability scanning. Its ability to generate AWS keys hints at potential brute-force use, but that aspect remains more of a novelty. The primary goal is clear: compromise and extra…
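Because AndroxGh0st's first move is to scan for exposed .env files, the quickest place to catch it is the web server's access log, and the first question after a hit is which secrets now need rotating. The following is an added example, not code from the post or from Juniper: it runs over a few constructed combined-format log lines, flags requests for .env variants (including percent-encoded ones), and, when one of them was served with HTTP 200, lists the AWS, Twilio and Laravel mail (MAIL_USERNAME/MAIL_PASSWORD) variables in a constructed .env that would have to be rotated. The log format, the addresses and the variable names in the sample .env are assumptions.

```python
"""Spot AndroxGh0st-style .env probing in web access logs and triage a hit.
Added example with constructed data; not code from the post or from Juniper."""
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Combined log format (assumed): ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Any ".env" path component, with or without a suffix, counts as a probe:
# scanners try /.env, /laravel/.env, /.env.bak, /.env.production and so on.
ENV_RE = re.compile(r'(^|/)\.env(\.[A-Za-z0-9_-]+)?$')

# Variables in a Laravel .env that the malware harvests (AWS and Twilio per the
# post; MAIL_USERNAME/MAIL_PASSWORD are Laravel's SMTP settings, an assumption).
CREDENTIAL_RE = re.compile(r'^(AWS_|TWILIO_|MAIL_(USERNAME|PASSWORD)$)')


def is_env_probe(target: str) -> bool:
    """True if the request target names a .env file, after dropping the query
    string and decoding percent-escapes such as /%2Eenv."""
    path = unquote(urlsplit(target).path)
    return ENV_RE.search(path) is not None


def parse_line(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_env_probes(lines):
    """Group .env requests by source IP; 'hits' are the paths actually served
    with HTTP 200, i.e. the file left the server."""
    out = defaultdict(lambda: {"probes": 0, "hits": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_env_probe(rec["target"]):
            continue
        entry = out[rec["ip"]]
        entry["probes"] += 1
        if rec["status"] == 200:
            entry["hits"].append(unquote(urlsplit(rec["target"]).path))
    return dict(out)


def exposed_credentials(env_text: str) -> list:
    """Names of non-empty credential variables in a .env; these need rotating
    once the file is known to have been served."""
    keys = []
    for raw in env_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key, value = key.strip(), value.strip().strip('"').strip("'")
        if CREDENTIAL_RE.match(key) and value:
            keys.append(key)
    return keys


def triage(log_lines, env_text: str) -> dict:
    probes = find_env_probes(log_lines)
    exposed = any(entry["hits"] for entry in probes.values())
    return {
        "scanners": sorted(probes),
        "exposed": exposed,
        "rotate": exposed_credentials(env_text) if exposed else [],
    }


# Constructed sample data: one scanner hammering .env variants (the third
# request succeeds), one ordinary visitor.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2024:10:01:02 +0000] "GET /.env HTTP/1.1" 404 196 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Jan/2024:10:01:03 +0000] "GET /laravel/.env HTTP/1.1" 404 196 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Jan/2024:10:01:04 +0000] "GET /%2Eenv HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.20 - - [10/Jan/2024:10:02:00 +0000] "GET /index.php?page=environment HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Jan/2024:10:02:01 +0000] "GET /assets/env.js HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

# Constructed .env; the AWS key is the documented AWS example key, not a real one.
SAMPLE_ENV = """\
APP_NAME=Shop
APP_ENV=production
MAIL_HOST=smtp.example.com
MAIL_USERNAME=notify@example.com
MAIL_PASSWORD="s3cret-pass"
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
TWILIO_SID=ACexample
TWILIO_TOKEN=
"""

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, SAMPLE_ENV))
```

A 404 on /.env tells you someone is looking; a 200 tells you the file is gone and every credential in it is burned, which is why the triage keys on the status code rather than on the request alone. Decoding the path before matching matters because scanners routinely percent-encode the leading dot to slip past naive string filters.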
Real-Time Defense: Analyzing Emerging Cyber Threats
Juniper Networks » Threat Research
by Omar
2M ago
In this blog, we dive into the attack trends observed across our customers' networks. First, we explain how the security threat intelligence in the Juniper Advanced Threat Prevention (ATP) product works. We then present the attack trends observed in Q3 2023 by comparing several aspects of the SecIntel threat intelligence feed, and we look at the characteristics of each telemetry event, including threat severity, protocol, threat category and geographic presence. We conclud…
Abused CDNs: From Speedy Content to Stealthy Malware
Juniper Networks » Threat Research
by Omar
8M ago
The global internet relies on Content Delivery Networks (CDNs) to deliver a seamless web experience to users. Because a CDN's resources are shared among many tenants, network operators must be careful when identifying and blocking threats that abuse them: blocking CDN infrastructure indiscriminately when abuse is detected would also cut off the legitimate content served from the same addresses. So what can be done about malicious threats on CDNs? First, detect the abuse, then selectively block acce…
DreamBus Botnet Resurfaces, Targets RocketMQ vulnerability
Juniper Networks » Threat Research
by Paul Kimayong
8M ago
In May 2023, a remote code execution vulnerability affecting Apache RocketMQ servers (CVE-2023-33246) was publicly disclosed. In a recent blog post, Juniper Threat Labs gave a detailed explanation of how an exploit for this vulnerability works. The disclosure opened the gates for attackers to exploit RocketMQ deployments, leading to a series of attacks; Juniper Threat Labs has detected multiple attacks in which threat actors took advantage of the vulnerability to infiltrate sy…
CVE-2023-27350: PaperCut NG and MF Remote Code Execution Vulnerability
Juniper Networks » Threat Research
by Ashish Joshi
9M ago
PaperCut is enterprise print management software. PaperCut NG manages and controls printing; PaperCut MF is the more advanced edition that, in addition to printing, manages scanning, copying and faxing through hardware-level integration. A remote code execution vulnerability has been reported in PaperCut MF and NG affecting versions prior to 22.0.9 on all supported operating systems. It stems from inadequate access control measures. As a…
CVE-2023-2825: Gitlab Arbitrary file Read via uploads Path Traversal
Juniper Networks » Threat Research
by Nataraja G
10M ago
GitLab is a web-based platform for version control, CI/CD pipelines and collaboration on software development projects. A path traversal vulnerability has recently been reported in GitLab Community Edition (CE) and Enterprise Edition (EE) affecting version 16.0.0. Its cause is improper limitation of a pathname to a restricted directory (CWE-22), which lets an attacker read arbitrary files on the server. It has been assigned CVE-2023-2825, and more details can be found at NVD. It carries a CVSS 3.1 score of 10.0. This vu…
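The bug class behind CVE-2023-2825, arbitrary file read through a pathname that is not confined to its intended directory, is easiest to see with the weak and the hardened versions side by side. The following is an added illustration of that class in Python, not GitLab's code or its patch: the unsafe reader joins the request-controlled path onto the upload root and trusts the result, while the hardened resolver decodes once, rejects absolute paths and NUL bytes, canonicalizes the path (collapsing ".." and following symlinks) and only then proves the result still lies under the root. The directory layout, file names and contents are constructed for the demo.

```python
"""Path traversal in an upload path: the vulnerable join next to a hardened
resolver.  Added illustration of the bug class; it is not GitLab's code."""
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


def read_upload_unsafe(base: Path, user_path: str) -> bytes:
    """Vulnerable: the request-controlled path is joined onto the upload root
    with no check that the result still lies under it, so "../" walks out."""
    return (base / unquote(user_path)).read_bytes()


def resolve_upload(base: Path, user_path: str) -> Path:
    """Hardened: decode once, reject absolute paths and NUL, canonicalize
    (collapsing ".." and following symlinks), then prove containment."""
    root = base.resolve(strict=True)
    decoded = unquote(user_path)
    if "\x00" in decoded or os.path.isabs(decoded):
        raise PermissionError(f"rejected path: {user_path!r}")
    target = (root / decoded).resolve()
    try:
        target.relative_to(root)  # ValueError means target escaped the root
    except ValueError:
        raise PermissionError(f"path escapes upload root: {user_path!r}") from None
    return target


def is_contained(base: Path, user_path: str) -> bool:
    try:
        resolve_upload(base, user_path)
        return True
    except PermissionError:
        return False


def read_upload_safe(base: Path, user_path: str) -> bytes:
    return resolve_upload(base, user_path).read_bytes()


def make_fixture() -> Path:
    """Constructed layout: <tmp>/uploads/3f/report.txt is a legitimate upload,
    <tmp>/secret.txt sits outside the upload root, and uploads/link is a
    symlink pointing back out at it."""
    root = Path(tempfile.mkdtemp(prefix="traversal-demo-"))
    (root / "uploads" / "3f").mkdir(parents=True)
    (root / "uploads" / "3f" / "report.txt").write_text("quarterly report\n")
    (root / "secret.txt").write_text("db_password=hunter2\n")
    try:
        os.symlink(root / "secret.txt", root / "uploads" / "link")
    except OSError:
        pass  # symlinks unavailable (e.g. unprivileged Windows); demo still runs
    return root


def demo() -> tuple:
    """Returns (unsafe_reader_leaked_secret, hardened_resolver_blocked_it)."""
    root = make_fixture()
    uploads = root / "uploads"
    leaked = b"hunter2" in read_upload_unsafe(uploads, "..%2Fsecret.txt")
    blocked = not is_contained(uploads, "../secret.txt")
    return leaked, blocked


if __name__ == "__main__":
    print(demo())
```

The containment check has to run on the canonical path, not on the string: a lexical filter for ".." misses percent-encoded dots and cannot see a symlink that points outside the root, whereas resolve() followed by relative_to() catches both. Rejecting absolute paths explicitly is needed because Path("/uploads") / "/etc/passwd" silently discards the left-hand side.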
CVE-2023-33246: Apache RocketMQ Remote Code Execution Vulnerability
Juniper Networks » Threat Research
by Aditya Chaturvedi
10M ago
Apache RocketMQ is one of the most popular and widely used distributed messaging and streaming platforms. A command execution vulnerability has recently been reported in Apache RocketMQ affecting versions 5.1.0 and below. A remote, unauthenticated user can exploit it through the update-configuration function to execute commands with the same privileges as the RocketMQ user process. It has been assigned CVE-2023-33246. More details about this vulnerability and the various affected v…
Using ChatGPT to Generate Native Code Malware
Juniper Networks » Threat Research
by Asher Langton
1y ago
The capabilities of OpenAI's large language model have astounded, delighted and, at times, horrified those who have tried it. Much ink has been spilled speculating about which professions will be replaced by an AI chatbot that can pass standardized tests, generate entire articles and term papers, and write sophisticated code in response to natural-language prompts. In this post, we show how ChatGPT has lowered the barrier to entry for malware development by building an example of natively compiled ransomware with real a…
Uncovering the Dark Side of Email Traffic
Juniper Networks » Threat Research
by Omar Alrawi
1y ago
Email is an essential service for companies and individuals. Billions of emails are exchanged daily, and within a portion of them lurks malware aimed at compromising your organization's network, stealing sensitive data and disrupting operations. This blog dives into the dark side of email traffic, uncovering some of the latest malware threats, tactics and trends that can undermine your systems. Juniper Threat Labs walks you through the threat detection proce…
A Custom Python Backdoor for VMWare ESXi Servers
Juniper Networks » Threat Research
by Asher Langton
1y ago
In October 2022, Juniper Threat Labs discovered a backdoor implanted on a VMware ESXi virtualization server. Since 2019, unpatched ESXi servers have been targets of ongoing in-the-wild attacks based on two vulnerabilities in ESXi's OpenSLP service, CVE-2019-5544 and CVE-2020-3992. Because of limited log retention on the compromised host we investigated, we cannot be sure which vulnerability gave the attackers access. Nevertheless, the implanted backdoor is notable for its simplicity, pers…