On December 17th, 2015, Juniper issued an advisory indicating that they had discovered unauthorized code in the ScreenOS software that powers their NetScreen firewalls. This advisory covered two distinct issues: a backdoor in the VPN implementation that allows a passive eavesdropper to decrypt traffic, and a second backdoor that allows an attacker to bypass authentication in the SSH and Telnet daemons. There is speculation that the backdoor was installed by “State Sponsored” actors. Shortly after Juniper posted the advisory, an employee of Fox-IT stated that they were able to identify the backdoor password in six hours. (So much for Government efficiency in hiding their actions.)
If anyone needs proof that a vulnerability will be used in the wild once it is disclosed, see the graph below. It shows the detection rate of SSH-borne attacks on one of our Data Center Security Suite sensors, deployed in a public cloud and facing the internet.
The statistics screen shows the rate of SSH attacks over the past two weeks.
SSH statistics from GuardiCore