🚨 “J-Magic” Backdoor Targets Juniper Routers 🔌🛡️

Jan 24 2025


Welcome to Gone Phishing, your weekly cybersecurity newsletter that understands that when it comes to cyber storms: Éowyn some, you lose some 🙃 Stay safe UK readers ⛈️ #StormÉowyn

Patch of the Week! 🩹

First thing’s first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the Week. Okay, that’s it… 😳

Congrats to Cisco, the cybercriminals are no match… for your patch! 🩹

Check out this freshly hatched patch 🐣

Cisco fixo 👨‍🔧

🚨 Cisco Security Alert! Patch Now! 🔧

Cisco has issued updates to fix critical vulnerabilities in Cisco Meeting Management and other products. Top priority: CVE-2025-20156 (CVSS 9.9), a REST API flaw that lets authenticated attackers escalate privileges to administrator level. 🚀

⚡ Key Details:

1๏ธโƒฃ CVE-2025-20156 (Critical)

Affects Cisco Meeting Management versions 3.9 and earlier.

Fixes available in 3.9.1; 3.10 is not vulnerable.

Attackers could exploit this to control edge nodes managed by Cisco Meeting Management.

2๏ธโƒฃ CVE-2025-20165 (DoS)

  • Found in BroadWorks SIP handling.

  • Fixed in RI.2024.11.

  • Exploit could exhaust system memory, causing a DoS.

3๏ธโƒฃ CVE-2025-20128 (DoS)

  • Impacts ClamAV OLE2 decryption.

  • Could be exploited for service disruption; PoC exploit exists.

🔧 Action Required:

  • Update now to patched versions for all affected products.

  • For Ivanti exploit chains (CVE-2024-8963, CVE-2024-9379, etc.), check for compromise and secure your systems.

  • Stay vigilant and secure! 🔒✨

Now, on to this week’s hottest cybersecurity news stories:

  • 📡 Juniper routers exploited by ‘J-Magic’ backdoor 🚪

  • 🔥 Palo Alto firewalls exploited via boot bypass flaws 🐞

  • 🎭 Fake CAPTCHA Campaign spreads Lumma stealer

Abra, Abracadabra, I wanna reach out and hack ya 🧙‍♂️

๐Ÿšจ "J-Magic" Backdoor Targets Juniper Routers ๐Ÿ”Œ๐Ÿ›ก๏ธ

๐Ÿ‘พ New Threat Alert! Enterprise-grade Juniper Networks routers are under fire from a custom backdoor, dubbed J-magic, that listens for secret "magic packets" to wreak havoc. Hereโ€™s the breakdown:

๐Ÿ•ต๏ธโ€โ™‚๏ธ Whatโ€™s Happening?

๐Ÿ› ๏ธ J-Magic infects Juniper routers (using Junos OS, based on FreeBSD).

๐Ÿ“… Active since mid-2023, with infections spanning Europe, Asia, and South America ๐ŸŒ.

๐ŸŽฏ Top targets: semiconductor, energy, manufacturing, and IT industries.

๐Ÿ’ป How It Works:

1๏ธโƒฃ Attackers send "magic packets" via TCP traffic ๐Ÿ“ก.

2๏ธโƒฃ Backdoor responds with a secondary challenge to block rival hackers ๐Ÿ”‘.

3๏ธโƒฃ If successful, the attackers gain control, stealing data or deploying other malware ๐Ÿ“‚.

โš™๏ธ Why Itโ€™s Dangerous:

๐Ÿ”— Targets edge routers acting as VPN gateways ๐ŸŒ.

๐Ÿ›ก๏ธ No endpoint detection (EDR) leaves these devices wide open ๐Ÿ•ณ๏ธ.

๐Ÿ“ˆ Long uptimes make them ideal for nation-state hacking campaigns.

๐Ÿ’ฅ Whatโ€™s at Stake?

Data theft ๐Ÿ“Š.

Malware deployment ๐Ÿฆ .

Infrastructure sabotage ๐Ÿ’ฃ.

๐Ÿ›ก๏ธ Stay Safe!

โœ… Keep Juniper routers updated! ๐Ÿ› ๏ธ

โœ… Monitor unusual traffic ๐Ÿšฆโ€”look for hidden signals!

โœ… Restrict access to sensitive router ports ๐Ÿ”’.
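Here is an added example, written for this issue rather than taken from Juniper or from the researchers, of what "look for hidden signals" can mean in practice: a Python heuristic over constructed flow records that flags unexpected inbound TCP to a router address and escalates when the router then connects back to the same source soon after, the shape of a magic packet followed by a challenge/response session. The router address, permitted ports and time window are placeholder assumptions for a site to tune.

```python
"""Heuristic flow-log check for magic-packet-style backdoor activity on edge routers.

Constructed example, not part of the newsletter or any vendor tooling. A flow to a
router address on a port that is not an expected service is scored "low"; it becomes
"high" when the router itself opens an outbound TCP connection back to that source
within RESPONSE_WINDOW, which matches the magic packet -> challenge/response pattern.
"""
from datetime import datetime, timedelta

# Assumptions: addresses and permitted ports are site-specific placeholders.
ROUTER_ADDRS = {"192.0.2.1"}                         # example edge router (RFC 5737 range)
EXPECTED_INBOUND_PORTS = {22, 179, 443, 500, 4500}   # SSH, BGP, HTTPS mgmt, IKE/IPsec
RESPONSE_WINDOW = timedelta(seconds=60)

# Constructed flow records: (timestamp, src, dst, dst_port, proto)
SAMPLE_FLOWS = [
    ("2025-01-20T10:00:00", "198.51.100.7", "192.0.2.1", 443, "tcp"),
    ("2025-01-20T10:00:05", "203.0.113.9", "192.0.2.1", 53281, "tcp"),   # odd inbound port
    ("2025-01-20T10:00:12", "192.0.2.1", "203.0.113.9", 44444, "tcp"),   # router calls back
    ("2025-01-20T10:01:30", "198.51.100.7", "192.0.2.1", 22, "tcp"),
    ("2025-01-20T10:02:00", "203.0.113.50", "192.0.2.1", 9000, "tcp"),   # odd port, no callback
]


def find_suspicious(flows):
    """Return (severity, external_src, router_port) for router-bound anomalies."""
    parsed = [(datetime.fromisoformat(ts), s, d, p, pr) for ts, s, d, p, pr in flows]
    findings = []
    for ts, src, dst, port, proto in parsed:
        if proto != "tcp" or dst not in ROUTER_ADDRS or port in EXPECTED_INBOUND_PORTS:
            continue
        # Did the router open a connection back to the same source shortly afterwards?
        callback = any(
            s2 == dst and d2 == src and pr2 == "tcp" and ts < ts2 <= ts + RESPONSE_WINDOW
            for ts2, s2, d2, _, pr2 in parsed
        )
        findings.append(("high" if callback else "low", src, port))
    return findings


if __name__ == "__main__":
    for sev, src, port in find_suspicious(SAMPLE_FLOWS):
        print(f"[{sev}] unexpected TCP to router port {port} from {src}")
```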

โš ๏ธ J-Magic marks a bold move against enterprise routers. With nation-state actors leveraging these attacks, the stakes for securing network edge devices have never been higher. Stay vigilant! ๐Ÿ’ชโœจ


Palo faulto 😬

🚨 PANdora’s Box: Vulnerabilities Found in Palo Alto Firewalls 🔥🔒

👾 Palo Alto Networks firewalls—trusted guardians of enterprise security—have been found vulnerable to critical flaws in their firmware and misconfigured security settings. Let’s break it down:

🔍 The Discovery

🔬 Security researchers at Eclypsium analyzed three firewall models—PA-3260, PA-1410, and PA-415—and uncovered a set of vulnerabilities collectively named PANdora’s Box 🧰.

📅 PA-3260 has reached end-of-sale (August 2023), but PA-1410 and PA-415 are still fully supported 🛠️.

⚠️ Major Findings

🛡️ BootHole (CVE-2020-10713): Secure Boot bypass vulnerability affecting all three models 🐛.

💾 LogoFAIL: Critical UEFI vulnerabilities on the PA-3260, allowing malicious code execution during startup 📥.

📡 PixieFail: TCP/IP stack flaws in PA-1410 and PA-415, leading to code execution & info leaks 🔓.

💡 Insecure Flash Access: SPI flash misconfigurations on the PA-415, enabling UEFI tampering ⚡.

🛑 Intel BootGuard Key Leak: Impacts PA-1410, exposing the device to additional risks 🔐.

🎯 Why It Matters

These flaws could let attackers bypass Secure Boot, escalate privileges, or inject malicious firmware 💥.

Vulnerable firewalls could turn into attack platforms, undermining enterprise security 🚪.

🛠️ Vendor Response

🛡️ Palo Alto Networks:

  • Claims these vulnerabilities can’t be exploited under normal conditions with up-to-date PAN-OS.

  • No reports of active exploitation.

  • Working with third-party vendors to roll out mitigations 🔄.

🛡️ Protect Yourself

✅ Keep PAN-OS firmware updated.

✅ Secure management interfaces according to best practices 🔒.

✅ Regularly monitor device integrity and firmware 🚦.

⚠️ Even the strongest defenses need defense! Stay vigilant, update often, and don’t let your firewalls become weak links. 🔐🔥


Hackers: CAPTCHA me if you can 🏃🏻

🚨 Fake CAPTCHA Scam Delivers Lumma Stealer Malware Globally 🛡️🔗

⚠️ Cybercriminals are stepping up their game with fake CAPTCHA pages to spread the notorious Lumma Stealer malware. This malware-as-a-service (MaaS) threat is targeting individuals and organizations worldwide 🌎.

🕵️‍♂️ The Attack

1️⃣ Victims land on compromised websites that redirect them to fake CAPTCHA pages 🤔.

2️⃣ Instead of verifying, users are tricked into running a Windows Run command that triggers a chain reaction:

The command uses mshta.exe to download and execute a remote HTA file 💻.

This file executes PowerShell scripts to bypass detection and deploy the Lumma Stealer payload 🛠️.

3️⃣ These steps occur outside the browser, bypassing browser-based security defenses 🔒.

๐Ÿ“ Global Reach

๐ŸŒŽ Targeted countries: Argentina, Colombia, U.S., Philippines, and others.

๐Ÿข Targeted industries: Telecom, healthcare, banking, and marketing.

๐Ÿ”Ž Lummaโ€™s Evolution

๐Ÿงฉ Previous Method: Used Base64 PowerShell scripts in a campaign known as ClickFix.

๐Ÿ’พ Current Method: Adds complexity with multiple PowerShell stages, AMSI bypasses, and delivery via fake CAPTCHA interactions.

โš™๏ธ New Threats Emerge

๐Ÿ”— Attackers are also using 1,000+ fake domains mimicking Reddit, WeTransfer, and more to spread SelfAU3 Droppers packed in password-protected archives ๐Ÿ—‚๏ธ.

๐Ÿ“ง Meanwhile, Phishing-as-a-Service (PhaaS) kits like Tycoon 2FA are enhancing evasion techniques, using compromised email accounts and detecting security tools ๐Ÿ‘€.

๐Ÿ›ก๏ธ How to Stay Safe

โœ”๏ธ Avoid commands from suspicious sitesโ€”never paste commands into Windows Run prompts.

โœ”๏ธ Update antivirus tools to recognize AMSI-bypass techniques.

โœ”๏ธ Educate users on spotting fake CAPTCHAs and social engineering tactics.

๐Ÿšจ Pro tip:ย If it seems fishy, donโ€™t click it! Fake CAPTCHA scams are the latest twist in cybercriminal playbooks. Stay alert! ๐Ÿ–ฅ๏ธ๐Ÿ”’

๐Ÿ—ž๏ธ Extra, Extra! Read all about it! ๐Ÿ—ž๏ธ

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • ๐Ÿ›ก๏ธ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday ๐Ÿ“…

  • ๐Ÿ’ตCrypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for ๐Ÿ†“

  • ๐Ÿ“ˆBitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future ๐Ÿ‘พ

Let us know what you think.

So long and thanks for reading all the phish!
