DoubleDoor – An IoT Botnet Bypasses Firewall Using Backdoor Exploits

IoT Backdoor exploits called Doubledoor have been discovered which allows bypassing an IoT layered security that leads to taking complete control of the targeting network systems.

IoT based cyber Attacks are blooming since the number IoT devices are increasing rapidly and attackers always find the many ways to bypass it.

In this case, Doubledoor Botnet has an ability to bypass both authentication security with IoT and an Extra layer of security firewall that associated with it.

This botnet has rapid distribution has occurred during the time between 18th January 2018 until 27th January 2018 and the main origin of this attack was pointed to South Korean IPs.

Mainly affected users belong to the specific unpatched version of Juniper ScreenOS firewall which protects unpatched Zyxel modems.

Also Read HNS IoT Botnet Compromised More than 14k Devices that Spreads from Asia to the United States

How Does this Doubledoor IoT Backdoor Works

There are two backdoor exploits are the major responsibility for this IoT Attack and each one could exploit both layered security with Juniper Networks SmartScreen OS and Zyxel modem.

Initially, CVE-2015–7755 will exploit the vulnerability that is presented in infamous Juniper Networks SmartScreen OS that leads to gain the firewall authentication.

Once it succeeds it will use the CVE-2016–10401 and exploit the  Zyxel modem backdoor that allows an attacker to take full control of the device.

• CVE-2015–7755 –  backdoor in Juniper Networks ScreenOS
• CVE-2016–10401 -a backdoor for ZyXEL PK5001Z devices

The attacker performs straightforward access to the telnet and SSH daemons of Netscreen firewalls using a hardcoded password.

It was implemented in honeypots with username “NetScreen” and the backdoor password.

Accorinding to newskysecurity Honeypot Report,  the backdoor saga didn’t end here. After bypassing firewall protection, DoubleDoor used another backdoor on our honeypots.

This time it was CVE-2016–10401 , a backdoor for ZyXEL PK5001Z devices. This backdoor is straight forward too, with a hardcoded su password as zyad5001.

Attack also perform password-based attack since the CVE-2016–10401 is a privilege escalation exploit, also CVE-2016–10401 has been used in a plethora of IoT attacks since November 2017.

Also, Doubledoor IoT Backdoor using a randomized string in every attack to evade the static and dynamic based IoT attack detection.

In this case, Lack of any standard string will make sure it is not very easy to classify the recon activity as malicious.

Principal Researcher, NewSky Security” said, “Double layer of IoT protection is more common in corporate environments, which don’t rely on built-in IoT authentication and like to protect it with another layer of the firewall. Although such corporate devices can be lesser in number, getting control of corporate environment routers can be more valuable for an attacker as it can lead to targeted IoT attacks”