Mirai botnet scans and exploits SSR devices for DDoS: Juniper Networks warning

Juniper Networks has issued a critical alert regarding a Mirai botnet that is actively scanning the internet for Session Smart routers (SSR) using default credentials.

The Mirai malware, notorious for its role in large-scale DDoS attacks, exploits devices with default login credentials to execute commands remotely, thereby enabling a range of malicious activities. The campaign was first detected on December 11, 2024, when compromised routers were identified on customer networks. These infected devices were subsequently used to launch DDoS attacks.

Juniper’s security advisory highlights several indicators of compromise that administrators should monitor. These include scans for devices on common Layer 4 ports, failed login attempts on SSH services indicative of brute-force attacks, sudden spikes in outbound traffic, devices rebooting or behaving erratically, and SSH connections from known malicious IP addresses.

To combat this threat, Juniper advises customers to immediately change default credentials on all SSR devices to unique and strong passwords, keep firmware updated, review access logs for anomalies, set alerts for suspicious activity, deploy intrusion detection systems to monitor network activity, and use firewalls to block unauthorized access to internet-exposed devices. Additionally, routers already infected must be reimaged before being brought back online to ensure the complete removal of the malware.
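As a starting point for the log review recommended above, the following added example (not taken from Juniper's advisory or from FastNetMon) triages SSH authentication logs for three of the listed indicators: repeated failed logins, a password login that succeeds after failures from the same source, and connections from blocklisted addresses. It assumes standard OpenSSH `sshd` syslog messages; the hostname, addresses and blocklist are constructed samples using documentation ranges.

```python
import re
from collections import defaultdict

# Standard OpenSSH sshd messages (assumed format; adapt to your log source).
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<kind>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def triage(lines, blocklist=frozenset(), threshold=5):
    """Flag brute-force sources, successes after failures, and blocklisted IPs."""
    failures = defaultdict(int)
    findings = {"brute_force": set(), "login_after_failures": [], "blocklisted": set()}
    for line in lines:
        m = EVENT.search(line)
        if not m:
            continue
        ip, user = m["ip"], m["user"]
        if ip in blocklist:
            findings["blocklisted"].add(ip)
        if m["kind"] == "Failed":
            failures[ip] += 1
            if failures[ip] >= threshold:
                findings["brute_force"].add(ip)
        elif failures.get(ip, 0):
            # A password guess eventually worked: treat the device as compromised.
            findings["login_after_failures"].append((ip, user, failures[ip]))
    return findings

# Constructed sample log lines (not real indicators).
SAMPLE = [
    f"Jan 01 03:14:{s:02d} ssr1 sshd[811]: Failed password for root "
    "from 203.0.113.7 port 40112 ssh2"
    for s in range(6)
] + [
    "Jan 01 03:14:09 ssr1 sshd[812]: Accepted password for root from 203.0.113.7 port 40150 ssh2",
    "Jan 01 08:00:00 ssr1 sshd[900]: Accepted password for admin from 192.0.2.10 port 51000 ssh2",
    "Jan 01 09:30:00 ssr1 sshd[901]: Failed password for invalid user test from 198.51.100.9 port 5555 ssh2",
]

if __name__ == "__main__":
    for name, value in triage(SAMPLE, blocklist={"198.51.100.9"}).items():
        print(name, value)
```

Any entry under `login_after_failures` on an SSR should be handled as an infection and the router reimaged, as the advisory requires.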


About FastNetMon

FastNetMon delivers versatile DDoS detection software for companies at any scale. With extensive experience in the telecom, mobile, and cloud computing industries, we take pride in preventing DDoS attacks and protecting our customers’ networks to the highest standard. 

Find out more: https://fastnetmon.com/
