A surge in internet probes targeting devices from Juniper Networks, Cisco Systems, and Palo Alto Networks should put their admins on alert, say security experts.

A threat actor is probing the internet using default credentials for a Juniper Networks router, prompting a cybersecurity expert to warn network admins to change the login combo from the factory setting if they haven't already done so.

"It's sad [that a major networking company is still using a default username and password in 2025] for big, expensive products like this," Johannes Ullrich, dean of research at the SANS Institute, who noticed the surge in scans for the username "t128" and password "128tRoutes," said in an interview.

This, he said, is a well-known default account for Juniper's Session Smart Networking Platform (or "SSR" for "Session Smart Routing"). "Sophisticated admins should know better [than to allow the use of default passwords]," he added.

The probing took place over seven days late last month. This was a random internet scan, Ullrich said, but it would only work against this particular Juniper device if the default credentials hadn't been changed.

In late 2020, Juniper announced it had struck a deal to buy the software-defined router's creator, 128 Technology, for US$450 million. Much of the product, including the default usernames and passwords, remained unchanged after the acquisition, Ullrich said in a blog.

"It looks like just a random botnet," he said of the login attempts. "I have not captured the actual payload that would execute on successfully logging in, but I suspect it's some sort of cryptominer or Mirai [botnet] derivative. It doesn't look like anything especially sophisticated."

Juniper was asked for comment, but no response had been received by press time.

Exploit attempts on Cisco devices

At least Juniper has documented the fact that there is a default password, and admins of the SSR device have been told by Juniper to change the default credentials, Ullrich said.
In contrast, Cisco Systems customers may have been caught off guard when they learned last September that there was a vulnerability that exposed a fixed password and a log file through its Smart Licensing Utility software.

They learned about it when Cisco disclosed two critical vulnerabilities and issued a patch. However, last month Ullrich discovered someone is trying to exploit the holes in unpatched devices. And earlier this week, Cisco issued an update to its September alert confirming reports of attempted exploitation. Cisco continues to strongly recommend that customers upgrade to a patched software release to remediate this vulnerability.

Cybersecurity experts and governments have urged manufacturers for years to stop selling products with default passwords. As far back as 2016, the U.S. Cybersecurity and Infrastructure Security Agency issued an alert on the risks.

And it's not that hard for manufacturers and application developers to avoid default passwords, Ullrich added. Some manufacturers of internet-connected consumer devices now place stickers on the back with a custom password. Another option is to have no default passwords for products, so the user has to create their own credentials when first logging in.

Scanning for Palo Alto Networks portals

Meanwhile, researchers at GreyNoise this week reported seeing a recent significant surge in login scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect portals. GlobalProtect is an endpoint application that allows employees to access a company's resources remotely.

Over the last 30 days, nearly 24,000 unique IP addresses have attempted to access these portals, the researchers said.
"The pattern suggests a co-ordinated effort to probe network defenses and identify exposed or vulnerable systems, potentially as a precursor to targeted exploitation," they said, suggesting a threat actor has discovered a new vulnerability.

The report doesn't say if the scanning was accompanied by login attempts.

Most of the traffic came from the United States (16,249 IP addresses) and Canada (5,823), followed by Finland, the Netherlands, and Russia. However, threat actors are known to disguise their bases by leveraging compromised servers in other countries.

The overwhelming majority of traffic targeted systems in the United States (23,768), with smaller volumes directed toward the United Kingdom, Ireland, Russia, and Singapore. The spike began on March 17, the report says, with activity peaking at nearly 20,000 unique IPs per day and remaining steady until March 26 before tapering off. Most of the activity is suspicious, with a smaller subset flagged as malicious.

"The consistency of this activity suggests a planned approach to testing network defenses," says the report, "potentially paving the way for exploitation. Organizations using Palo Alto Networks products should take steps to secure their login portals," the researchers said.
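Both activities described above leave a footprint in ordinary authentication and access logs. The following detection script is an added example, not from the article, SANS, or GreyNoise: it flags any login attempt that used the Juniper SSR default account "t128" (an accepted login means the factory password was still in place) and counts distinct source IPs hitting a GlobalProtect login page per minute, the many-sources-in-a-short-window pattern GreyNoise describes. The log layout and all sample lines are constructed for the example.

```python
import re
from collections import defaultdict

# Known factory default account on the Juniper Session Smart Router cited in
# the article; extend with any other vendor defaults your fleet ships with.
DEFAULT_ACCOUNTS = {"t128"}

# Constructed sample log lines (not real captures) in a simplified syslog-like
# layout: SSH authentication events and GlobalProtect portal login-page hits.
SAMPLE_LOG = """\
2025-03-25T10:00:01 sshd: Failed password for t128 from 203.0.113.5 port 51234
2025-03-25T10:00:02 sshd: Failed password for admin from 203.0.113.5 port 51235
2025-03-25T10:00:09 sshd: Accepted password for t128 from 198.51.100.7 port 40001
2025-03-25T10:00:15 gp-portal: GET /global-protect/login.esp from 192.0.2.10
2025-03-25T10:00:16 gp-portal: GET /global-protect/login.esp from 192.0.2.11
2025-03-25T10:00:17 gp-portal: GET /global-protect/login.esp from 192.0.2.12
2025-03-25T10:00:18 gp-portal: GET /global-protect/login.esp from 192.0.2.13
2025-03-25T10:05:00 gp-portal: GET /global-protect/login.esp from 192.0.2.10
"""

SSH_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)")
GP_RE = re.compile(r"^(\S+) gp-portal: GET (/global-protect/\S+) from (\S+)")

def default_account_events(log):
    """Return (timestamp, status, user, ip) for each login attempt that used a
    known default account. 'Accepted' means the device is likely compromised."""
    events = []
    for line in log.splitlines():
        m = SSH_RE.match(line)
        if m and m.group(3) in DEFAULT_ACCOUNTS:
            events.append((m.group(1), m.group(2), m.group(3), m.group(4)))
    return events

def portal_scan_minutes(log, threshold):
    """Bucket GlobalProtect login-page hits by minute and return {minute: count}
    for minutes where the number of distinct source IPs reached the threshold.
    Many distinct sources in one minute is scanning, not a user retrying."""
    sources = defaultdict(set)
    for line in log.splitlines():
        m = GP_RE.match(line)
        if m:
            sources[m.group(1)[:16]].add(m.group(3))  # key is YYYY-MM-DDTHH:MM
    return {minute: len(ips) for minute, ips in sources.items() if len(ips) >= threshold}

if __name__ == "__main__":
    for ev in default_account_events(SAMPLE_LOG):
        print("default account used:", ev)
    print("portal scan minutes:", portal_scan_minutes(SAMPLE_LOG, threshold=3))
```

Against the sample, the script reports one failed and one accepted "t128" login and flags the 10:00 minute with four distinct portal sources; tune the threshold to your portal's normal login rate.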
Juniper is a California-based multinational networking firm that offers services including security assessment and data center deployment for sectors such as retail and media.