Friday, March 29, 2024

DoubleDoor – An IoT Botnet Bypasses Firewall Using Backdoor Exploits

IoT Backdoor exploits called Doubledoor have been discovered which allows bypassing an IoT layered security that leads to taking complete control of the targeting network systems.

IoT based cyber Attacks are blooming since the number IoT devices are increasing rapidly and attackers always find the many ways to bypass it.

In this case, Doubledoor Botnet has an ability to bypass both authentication security with IoT and an Extra layer of security firewall that associated with it.

This botnet has rapid distribution has occurred during the time between 18th January 2018 until 27th January 2018 and the main origin of this attack was pointed to South Korean IPs.

Mainly affected users belong to the specific unpatched version of Juniper ScreenOS firewall which protects unpatched Zyxel modems.

Also Read HNS IoT Botnet Compromised More than 14k Devices that Spreads from Asia to the United States

How Does this Doubledoor IoT Backdoor Works

There are two backdoor exploits are the major responsibility for this IoT Attack and each one could exploit both layered security with Juniper Networks SmartScreen OS and Zyxel modem.

Initially, CVE-2015–7755 will exploit the vulnerability that is presented in infamous Juniper Networks SmartScreen OS that leads to gain the firewall authentication.

Once it succeeds it will use the CVE-2016–10401 and exploit the  Zyxel modem backdoor that allows an attacker to take full control of the device.

IoT Backdoor

The attacker performs straightforward access to the telnet and SSH daemons of Netscreen firewalls using a hardcoded password.

It was implemented in honeypots with username “NetScreen” and the backdoor password.

Accorinding to newskysecurity Honeypot Report,  the backdoor saga didn’t end here. After bypassing firewall protection, DoubleDoor used another backdoor on our honeypots.
This time it was CVE-2016–10401 , a backdoor for ZyXEL PK5001Z devices. This backdoor is straight forward too, with a hardcoded su password as zyad5001.

Attack also perform password-based attack since the CVE-2016–10401 is a privilege escalation exploit, also CVE-2016–10401 has been used in a plethora of IoT attacks since November 2017.

Also, Doubledoor IoT Backdoor using a randomized string in every attack to evade the static and dynamic based IoT attack detection.

In this case, Lack of any standard string will make sure it is not very easy to classify the recon activity as malicious.

Principal Researcher, NewSky Security” said, “Double layer of IoT protection is more common in corporate environments, which don’t rely on built-in IoT authentication and like to protect it with another layer of the firewall. Although such corporate devices can be lesser in number, getting control of corporate environment routers can be more valuable for an attacker as it can lead to targeted IoT attacks”

Website

Latest articles

How to Analyse .NET Malware? – Reverse Engineering Snake Keylogger

Utilizing sandbox analysis for behavioral, network, and process examination provides a foundation for reverse...

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles