Daily Briefing for 03.13.25

At a glance.

• Chinese threat actor targets Juniper routers.
• CISA issues advisory on Medusa ransomware.
• Facebook warns of actively exploited FreeType vulnerability.

Chinese threat actor targets Juniper routers.

Mandiant warns that the China-aligned threat actor UNC3886 last year deployed new custom malware on Juniper Networks’ Junos OS routers. The TINYSHELL-based backdoors "had varying custom capabilities, including active and passive backdoor functions, as well as an embedded script that disables logging mechanisms on the target device." The infected routers were running end-of-life hardware and software, and Mandiant recommends that organizations "upgrade their Juniper devices to the latest images released by Juniper Networks, which includes mitigations and updated signatures for the Juniper Malware Removal Tool (JMRT)."

Juniper released its own advisory on the campaign, stating, "We identified two generic Remote Access Toolkits, jdosd and irad. A Local Access Toolkit (lmpad) was also discovered that appears to be specifically engineered to attack Junos OS devices. Finally, three more implants—appid, to, and oemd—are RATs based on the TinyShell UNIX backdoor. All these implants are designed for the exact same purpose, to provide persistent backdoors on long-running Junos OS devices."

CISA issues advisory on Medusa ransomware.

The US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and MS-ISAC have issued a joint advisory on the Medusa ransomware-as-a-service (RaaS) offering, warning that Medusa affiliates "have impacted over 300 victims from a variety of critical infrastructure sectors with affected industries including medical, education, legal, insurance, technology, and manufacturing." Medusa actors carry out double-extortion attacks, exfiltrating data before encrypting it in order to place additional pressure on the victim.

The advisory outlines one instance that potentially involved "triple extortion," in which a victim who had already paid the ransom was contacted by another Medusa affiliate who claimed the negotiator had stolen the ransom payment. The affiliate demanded an additional payment in order to provide the decryption key.

Facebook warns of actively exploited FreeType vulnerability.

Facebook has disclosed an actively exploited out-of-bounds write vulnerability affecting the open-source font rendering library FreeType, BleepingComputer reports. The flaw, tracked as CVE-2025-27363, can lead to arbitrary code execution.

Facebook explains, "An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer."