Monday, January 13, 2025
HomeBackdoorDoubleDoor - An IoT Botnet Bypasses Firewall Using Backdoor Exploits

DoubleDoor – An IoT Botnet Bypasses Firewall Using Backdoor Exploits

Published on

IoT Backdoor exploits called Doubledoor have been discovered which allows bypassing an IoT layered security that leads to taking complete control of the targeting network systems.

IoT based cyber Attacks are blooming since the number IoT devices are increasing rapidly and attackers always find the many ways to bypass it.

In this case, Doubledoor Botnet has an ability to bypass both authentication security with IoT and an Extra layer of security firewall that associated with it.

This botnet has rapid distribution has occurred during the time between 18th January 2018 until 27th January 2018 and the main origin of this attack was pointed to South Korean IPs.

Mainly affected users belong to the specific unpatched version of Juniper ScreenOS firewall which protects unpatched Zyxel modems.

Also Read HNS IoT Botnet Compromised More than 14k Devices that Spreads from Asia to the United States

How Does this Doubledoor IoT Backdoor Works

There are two backdoor exploits are the major responsibility for this IoT Attack and each one could exploit both layered security with Juniper Networks SmartScreen OS and Zyxel modem.

Initially, CVE-2015–7755 will exploit the vulnerability that is presented in infamous Juniper Networks SmartScreen OS that leads to gain the firewall authentication.

Once it succeeds it will use the CVE-2016–10401 and exploit the  Zyxel modem backdoor that allows an attacker to take full control of the device.

IoT Backdoor

The attacker performs straightforward access to the telnet and SSH daemons of Netscreen firewalls using a hardcoded password.

It was implemented in honeypots with username “NetScreen” and the backdoor password.

Accorinding to newskysecurity Honeypot Report,  the backdoor saga didn’t end here. After bypassing firewall protection, DoubleDoor used another backdoor on our honeypots.
This time it was CVE-2016–10401 , a backdoor for ZyXEL PK5001Z devices. This backdoor is straight forward too, with a hardcoded su password as zyad5001.

Attack also perform password-based attack since the CVE-2016–10401 is a privilege escalation exploit, also CVE-2016–10401 has been used in a plethora of IoT attacks since November 2017.

Also, Doubledoor IoT Backdoor using a randomized string in every attack to evade the static and dynamic based IoT attack detection.

In this case, Lack of any standard string will make sure it is not very easy to classify the recon activity as malicious.

Principal Researcher, NewSky Security” said, “Double layer of IoT protection is more common in corporate environments, which don’t rely on built-in IoT authentication and like to protect it with another layer of the firewall. Although such corporate devices can be lesser in number, getting control of corporate environment routers can be more valuable for an attacker as it can lead to targeted IoT attacks”

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Critical macOS Vulnerability Lets Hackers to Bypass Apple’s System Integrity Protection

Microsoft Threat Intelligence has uncovered a critical macOS vulnerability that allowed attackers to bypass...

CISA Released A Free Guide to Enhance OT Product Security

To address rising cyber threats targeting critical infrastructure, the U.S. Cybersecurity and Infrastructure Security...

Microsoft Warns of MFA Issue Affecting Microsoft 365 users

Microsoft has issued a warning regarding an ongoing issue with Multi-Factor Authentication (MFA) that...

RedCurl APT Deploys Malware via Windows Scheduled Tasks Exploitation

Researchers identified RedCurl APT group activity in Canada in late 2024, where the attackers...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

PoC Exploit Released for Critical macOS Sandbox Vulnerability (CVE-2024-54498)

A proof-of-concept (PoC) exploit has been publicly disclosed for a critical vulnerability impacting macOS...

IBM Robotic Process Automation Vulnerability Let Attackers Obtain Sensitive Data

A newly disclosed security vulnerability in IBM Robotic Process Automation (RPA) has raised concerns about potential...

IBM Watsonx.ai Vulnerability Let Attackers Trigger XSS Attacks

A recently disclosed vulnerability, identified as CVE-2024-49785, has been found in IBM watsonx.ai, including its...