DoubleDoor Botnet Uses Two Exploits to Bypass Firewalls and Modem Security


Security researchers have identified a new IoT botnet, DoubleDoor, which bypasses firewalls by chaining two backdoor exploits.

In recent years IoT attacks have evolved rapidly. As the most recent IoT threat shows, they have moved beyond attacks on admin credentials to exploits that not only bypass normal authentication but also defeat the extra security layers meant to protect a device from such intrusions.

Even if a security-conscious user has set unique credentials and placed the device behind a firewall, some malware can still breach this seemingly solid setup. DoubleDoor is one such program.

Discovered by NewSky Security, DoubleDoor is a new botnet that uses two exploits in sequence to bypass authentication and nullify the additional security layer on the targeted devices.

With this approach, attackers can take complete control of targeted devices with ease, even where the user has configured specific authentication or added a firewall.

In particular, the botnet exploits CVE-2015-7755 (a backdoor in Juniper Networks' ScreenOS firewall software) together with CVE-2016-10401 (a backdoor in Zyxel modems, which the Hide N' Seek botnet also abuses).

According to the NewSky Security report, the botnet begins its campaign with the Juniper Networks exploit, which bypasses the firewall's authentication.

This backdoor gives the attackers full telnet and SSH access to the NetScreen firewall: they log in with the hardcoded password "<<< %s (un='%s') = %u" and an arbitrary username that does not need to exist.

DoubleDoor runs its attack cycle under that arbitrary, unvalidated username. Once this stage is complete, the botnet deploys the Zyxel backdoor, which targets PK5001Z modems.

Unlike the first stage, this is a direct exploit that relies on the hardcoded password "zyad5001."

This exploit gives the attackers elevated privileges on the targeted device. Before reaching the "superuser" level, they were also observed performing a password-based login that grants a basic-privilege account (admin: CenturyL1nk).

Reconnaissance and Polymorphism



The DoubleDoor botnet performs reconnaissance to confirm that the targeted IoT device is fully compromised and that the attack has succeeded.

Reconnaissance is a common phase in many malware campaigns, including typical IoT attacks.

Here it is the step where, after completing the intrusion, the attackers verify that the campaign succeeded.

To do this, they send an invalid command to the shell. If they have a working shell, the device responds with "{string}: applet not found" (the error BusyBox prints for an unknown applet), where {string} is the invalid command.

DoubleDoor Botnet Can Bypass Firewall

NewSky researchers found that DoubleDoor uses a different randomized string for each attack. With no fixed string to match, the recon step is hard to flag as malicious. The one feature the strings share is their length: they are generally eight characters long.
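A defender can still key on the shape of the probe rather than its content. The following is an added example, not code from NewSky's report: it scans a constructed device-side shell audit log (the line format is an assumption) and flags sessions where a random-looking eight-character command was immediately rejected with "applet not found".

```python
import re

# Constructed sample log: one line per shell interaction, as a telnet honeypot or
# a device-side audit hook might record it. The "<ts> <src_ip> CMD|OUT <text>"
# format is an assumption for this example, not a real product log format.
SAMPLE_LOG = """\
2018-01-20T10:01:02Z 203.0.113.7 CMD ls
2018-01-20T10:01:03Z 203.0.113.7 OUT bin dev etc
2018-01-20T10:02:10Z 198.51.100.9 CMD kfq3zx9p
2018-01-20T10:02:10Z 198.51.100.9 OUT kfq3zx9p: applet not found
2018-01-20T10:03:41Z 198.51.100.9 CMD id
2018-01-20T10:03:41Z 198.51.100.9 OUT uid=0(root) gid=0(root)
2018-01-20T10:05:00Z 192.0.2.33 CMD busybox
2018-01-20T10:05:00Z 192.0.2.33 OUT BusyBox v1.20.2
2018-01-20T10:06:00Z 192.0.2.33 CMD lsx
2018-01-20T10:06:00Z 192.0.2.33 OUT lsx: applet not found
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (CMD|OUT) (.*)$")
APPLET_RE = re.compile(r"^(?P<cmd>\S+): applet not found$")   # BusyBox unknown-applet error
PROBE_RE = re.compile(r"^[a-z0-9]{8}$")                       # eight-char strings reported by NewSky


def looks_random(token, min_distinct=6):
    """Heuristic (assumption): a generated token has many distinct characters,
    whereas a typo of a real command usually repeats or is much shorter."""
    return PROBE_RE.match(token) is not None and len(set(token)) >= min_distinct


def find_doubledoor_recon(log_text):
    """Return (src_ip, probe) pairs where an unknown eight-char command was
    sent and BusyBox rejected that same string with 'applet not found'."""
    last_cmd = {}   # most recent command seen per source address
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue            # skip malformed lines rather than crash
        _ts, src, kind, payload = m.groups()
        if kind == "CMD":
            last_cmd[src] = payload.strip()
            continue
        am = APPLET_RE.match(payload.strip())
        # Only pair the error with the command that produced it, from the same source.
        if am and last_cmd.get(src) == am.group("cmd") and looks_random(am.group("cmd")):
            hits.append((src, am.group("cmd")))
    return hits
```

The short typo "lsx" and the legitimate "busybox" call are ignored, so only the eight-character probe from 198.51.100.9 is reported; in production the alert should be joined with the preceding login event for that source.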

Researchers believe this botnet is still in its early stages. The observed attacks took place between January 18 and 27 this year, many of them originating from IP addresses in South Korea.

Despite the potential threat, these attacks are expected to remain limited in scale: they succeed only when the target runs a specific unpatched version of the Juniper ScreenOS firewall in front of an unpatched Zyxel modem.

According to the researchers, this double layer of IoT protection is most common in corporate environments, which do not rely on devices' built-in authentication and usually add a separate firewall layer.

While such corporate devices may be fewer in number, the researchers note that gaining complete control of corporate routers can be far more valuable to an attacker than compromising typical home routers, since it enables targeted IoT attacks.
