Thursday, October 10, 2024
HomeBackdoorDoubleDoor - An IoT Botnet Bypasses Firewall Using Backdoor Exploits

DoubleDoor – An IoT Botnet Bypasses Firewall Using Backdoor Exploits

Published on

IoT Backdoor exploits called Doubledoor have been discovered which allows bypassing an IoT layered security that leads to taking complete control of the targeting network systems.

IoT based cyber Attacks are blooming since the number IoT devices are increasing rapidly and attackers always find the many ways to bypass it.

In this case, Doubledoor Botnet has an ability to bypass both authentication security with IoT and an Extra layer of security firewall that associated with it.

- Advertisement - EHA

This botnet has rapid distribution has occurred during the time between 18th January 2018 until 27th January 2018 and the main origin of this attack was pointed to South Korean IPs.

Mainly affected users belong to the specific unpatched version of Juniper ScreenOS firewall which protects unpatched Zyxel modems.

Also Read HNS IoT Botnet Compromised More than 14k Devices that Spreads from Asia to the United States

How Does this Doubledoor IoT Backdoor Works

There are two backdoor exploits are the major responsibility for this IoT Attack and each one could exploit both layered security with Juniper Networks SmartScreen OS and Zyxel modem.

Initially, CVE-2015–7755 will exploit the vulnerability that is presented in infamous Juniper Networks SmartScreen OS that leads to gain the firewall authentication.

Once it succeeds it will use the CVE-2016–10401 and exploit the  Zyxel modem backdoor that allows an attacker to take full control of the device.

IoT Backdoor

The attacker performs straightforward access to the telnet and SSH daemons of Netscreen firewalls using a hardcoded password.

It was implemented in honeypots with username “NetScreen” and the backdoor password.

Accorinding to newskysecurity Honeypot Report,  the backdoor saga didn’t end here. After bypassing firewall protection, DoubleDoor used another backdoor on our honeypots.
This time it was CVE-2016–10401 , a backdoor for ZyXEL PK5001Z devices. This backdoor is straight forward too, with a hardcoded su password as zyad5001.

Attack also perform password-based attack since the CVE-2016–10401 is a privilege escalation exploit, also CVE-2016–10401 has been used in a plethora of IoT attacks since November 2017.

Also, Doubledoor IoT Backdoor using a randomized string in every attack to evade the static and dynamic based IoT attack detection.

In this case, Lack of any standard string will make sure it is not very easy to classify the recon activity as malicious.

Principal Researcher, NewSky Security” said, “Double layer of IoT protection is more common in corporate environments, which don’t rely on built-in IoT authentication and like to protect it with another layer of the firewall. Although such corporate devices can be lesser in number, getting control of corporate environment routers can be more valuable for an attacker as it can lead to targeted IoT attacks”

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Hackers Exploiting Zero-day Flaw in Qualcomm Chips to Attack Android Users

Hackers exploit a zero-day vulnerability found in Qualcomm chipsets, potentially affecting millions worldwide.The flaw,...

Foxit PDF Reader Vulnerability Let Attackers Execute Arbitary Code

Researchers recently disclosed six new security vulnerabilities across various software, as one critical vulnerability...

Wireshark 4.4.1 Released, What’s new!

Wireshark, the world’s leading network protocol analyzer, has just released version 4.4.1, bringing a...

Multiple VMware NSX Vulnerabilities Let Attackers Gain Root Access

VMware has disclosed multiple vulnerabilities in its NSX product line that could potentially allow...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Foxit PDF Reader Vulnerability Let Attackers Execute Arbitary Code

Researchers recently disclosed six new security vulnerabilities across various software, as one critical vulnerability...

Multiple VMware NSX Vulnerabilities Let Attackers Gain Root Access

VMware has disclosed multiple vulnerabilities in its NSX product line that could potentially allow...

CISA Warns of Fortinet & Ivanti Vulnerabilities Exploited in Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) has recently updated its Known Exploited Vulnerabilities...