Recent network monitoring data from the SANS Institute has revealed a significant surge in scanning activities targeting Juniper Networks’ Session Smart Router (SSR) platforms. Between March 23 and March 28, 2025, approximately 3,000 unique IP addresses were detected attempting to exploit default factory-set credentials associated with these devices.
Details of the Scanning Campaign
The SANS Institute reported that during this period there was a dramatic increase in scans attempting to log in to SSR devices with the default username t128 and password 128tRoutes. These credentials are the factory defaults for Juniper’s Session Smart Networking Platform, and many administrators neglect to change them after deployment.
The scanning activity exhibited a sharp rise starting on March 23, peaking shortly thereafter, and then rapidly declining after March 28. This pattern suggests a highly coordinated and automated campaign designed to identify and potentially compromise vulnerable devices.
Background on Default Credentials
The default credentials in question originate from Juniper’s acquisition of 128 Technology in 2020 for $450 million. Following the acquisition, Juniper integrated 128 Technology’s session-smart networking capabilities into its product portfolio, rebranding it as the Session Smart Router (SSR) platform. Despite the rebranding, several original configurations, including the default authentication credentials, were retained.
According to Juniper’s official documentation, two default accounts are created during SSR installation:
– Username: root | Password: 128tRoutes
– Username: t128 | Password: 128tRoutes
These default credentials are publicly documented, making them widely known to both legitimate administrators and potential attackers.
Connection to Mirai Botnet Operations
Security experts believe that these scanning activities are linked to Mirai botnet operations. In December 2024, Juniper Networks issued a warning that Mirai botnet malware campaigns were targeting SSR products with default passwords. Once compromised, infected systems can be enlisted into botnets, which are then used to launch distributed denial-of-service (DDoS) attacks against other targets.
The Mirai malware is known for scanning networks to identify devices with default credentials, making unaltered SSR installations prime targets. The malware’s SSH scanner employs a credential dictionary containing common default passwords to facilitate unauthorized access.
Recent Vulnerabilities and Patches
This scanning campaign follows Juniper’s February 2025 patching of a critical authentication bypass vulnerability (CVE-2025-21589) affecting the SSR platform. This vulnerability allowed attackers to bypass authentication and gain administrative control of devices. While Juniper stated that no evidence of exploitation was found at the time, the current scanning campaign may be attempting to identify both unpatched systems and those still using default credentials.
Mitigation Recommendations
Security experts strongly advise SSR administrators to take the following actions:
1. Change Default Passwords: Immediately change default passwords for both the root and t128 accounts using the documented password change procedures.
2. Restrict SSH Access: Limit SSH access from arbitrary internet sources to reduce exposure to potential attacks.
3. Implement Strong, Unique Passwords: Use strong, unique passwords rather than predictable patterns to enhance security.
4. Update Firmware: Ensure all SSR installations are updated to the latest patched versions to protect against known vulnerabilities.
5. Monitor Network Logs: Regularly monitor network logs for unusual SSH login attempts and port scanning activity to detect potential intrusion attempts.
If a compromise is suspected, Juniper recommends completely reimaging the affected system to ensure that any unauthorized access or malware is fully removed.
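As an added example for recommendation 5 (not from the article, SANS or Juniper), the following Python script reads sshd authentication log lines, keeps only password attempts against the two default account names, and separates failed probes from accepted logins that arrive from outside a management range. It assumes standard OpenSSH log messages; the management network and the sample log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

DEFAULT_USERS = {"t128", "root"}  # default SSR accounts named in the article
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # assumption: allowed admin sources

# Standard OpenSSH sshd messages for password authentication results.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample lines using documentation address ranges, not real data.
SAMPLE_LOG = """\
Mar 24 02:11:07 ssr1 sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2
Mar 24 02:11:09 ssr1 sshd[4123]: Failed password for t128 from 203.0.113.7 port 40030 ssh2
Mar 24 02:14:51 ssr1 sshd[4150]: Failed password for t128 from 198.51.100.23 port 53110 ssh2
Mar 24 02:14:55 ssr1 sshd[4152]: Failed password for root from 198.51.100.23 port 53114 ssh2
Mar 24 03:02:10 ssr1 sshd[4300]: Accepted password for t128 from 10.20.0.15 port 50112 ssh2
Mar 24 03:40:33 ssr1 sshd[4410]: Accepted password for t128 from 192.0.2.44 port 41876 ssh2
"""

def analyze(log_text):
    """Return (external failed sources per default user, external accepted logins)."""
    probes = defaultdict(set)
    external_logins = []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m or m["user"] not in DEFAULT_USERS:
            continue
        try:
            addr = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # hostname or garbled address: skip rather than guess
        if any(addr in net for net in MGMT_NETS):
            continue  # expected administrative source
        if m["result"] == "Failed":
            probes[m["user"]].add(str(addr))
        else:
            external_logins.append((m["user"], str(addr)))
    return dict(probes), external_logins

if __name__ == "__main__":
    probes, logins = analyze(SAMPLE_LOG)
    for user, sources in sorted(probes.items()):
        print(f"{user}: failed logins from {len(sources)} external source(s)")
    for user, ip in logins:
        print(f"ALERT: password login accepted for {user} from {ip}; investigate the device")
```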
Conclusion
The recent surge in scanning activities targeting Juniper’s Session Smart Routers underscores the critical importance of changing default credentials and keeping systems updated. Administrators must remain vigilant and proactive in implementing security best practices to protect their networks from potential exploitation.