A new Internet of Things (IoT) botnet campaign, dubbed DoubleDoor, has been discovered by NewSky Security. It chains two exploits to bypass authentication on victim devices and to nullify additional security features.
In this campaign, attackers can take full control of the targeted devices even if the user has enabled authentication or placed a firewall in front of them. The malware specifically targets CVE-2015-7755, an infamous Juniper Networks vulnerability identified in the ScreenOS software running on NetScreen firewalls, along with the Zyxel modem backdoor CVE-2016-10401.
According to NewSky Security’s blog post, the botnet starts its malicious operation by deploying the Juniper Networks exploit to bypass the firewall’s authentication. Using this backdoor, attackers can log in to NetScreen firewalls over SSH and telnet with the hardcoded password “<<< %s(un='%s') = %u” and any username, whether or not it is valid; DoubleDoor’s attack cycle uses the username netscreen. Once inside, the botnet deploys the Zyxel backdoor for PK5001Z devices, a straightforward exploit that relies on the hardcoded su password “zyad5001.”
Through this exploit, attackers gain escalated privileges on the device. The attackers were also observed performing a “password-based attack” that first obtains a low-privilege account, such as admin:CenturyL1nk, before moving on to the superuser. The botnet also performs reconnaissance to confirm that the attack succeeded and the targeted IoT device has been compromised.
NewSky researchers wrote in their blog that the botnet uses a randomized string in each attack; because there is no standard string, it is difficult to classify the reconnaissance as malicious. The one common feature is that the strings are always 8 characters long. Researchers also believe that the botnet is in its nascent phase. The attacks occurred between January 18 and January 27, 2018, and most of them originated from South Korean IPs. The attacks are effective only where a specific, unpatched version of ScreenOS firewalls unpatched Zyxel modems.
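The indicators described above (the Juniper backdoor password, the Zyxel su password, the admin:CenturyL1nk credential, and an 8-character randomized recon string) lend themselves to a simple defensive triage of captured telnet/SSH honeypot sessions. The following Python script is an added example written for this article; it is not code from NewSky Security or HackRead. It assumes a session is recorded as the login username, the login password, and the lines typed afterwards, and it assumes the recon string is alphanumeric and appears as a whole whitespace-separated token (the article only states that it is 8 characters long). All sample sessions are constructed.

```python
"""Triage constructed honeypot session records for DoubleDoor-style indicators."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Indicators taken from the article.
JUNIPER_BACKDOOR_PASSWORD = "<<< %s(un='%s') = %u"   # CVE-2015-7755 hardcoded password
ZYXEL_SU_PASSWORD = "zyad5001"                       # CVE-2016-10401 hardcoded su password
KNOWN_WEAK_CREDENTIALS = {("admin", "CenturyL1nk")}  # low-privilege account named in the article

# Assumption: the recon string is alphanumeric and typed as a whole token.
RECON_TOKEN = re.compile(r"^[A-Za-z0-9]{8}$")
# Assumed allow-list of ordinary 8-character command words, to cut false positives.
COMMON_WORDS = {"password", "hostname", "ifconfig", "shutdown", "readlink"}


@dataclass
class Session:
    src_ip: str
    username: str
    password: str
    inputs: List[str]  # lines typed after login, in order


def has_su_with_zyxel_password(inputs: List[str]) -> bool:
    """True if a bare 'su' is immediately followed by the hardcoded Zyxel password."""
    for prev, cur in zip(inputs, inputs[1:]):
        if prev.strip() == "su" and cur.strip() == ZYXEL_SU_PASSWORD:
            return True
    return False


def recon_tokens(inputs: List[str]) -> List[str]:
    """Return 8-character alphanumeric tokens that look like randomized recon markers.

    The Zyxel su password is itself 8 alphanumeric characters, so it is excluded here
    and reported separately by has_su_with_zyxel_password().
    """
    found = []
    for line in inputs:
        for tok in line.split():
            if (RECON_TOKEN.match(tok)
                    and tok != ZYXEL_SU_PASSWORD
                    and tok.lower() not in COMMON_WORDS):
                found.append(tok)
    return found


def classify(session: Session) -> List[str]:
    """Return the list of indicator names matched by one session."""
    findings = []
    if session.password == JUNIPER_BACKDOOR_PASSWORD:
        findings.append("juniper-backdoor-login")
    if (session.username, session.password) in KNOWN_WEAK_CREDENTIALS:
        findings.append("weak-default-credential")
    if has_su_with_zyxel_password(session.inputs):
        findings.append("zyxel-su-backdoor")
    if recon_tokens(session.inputs):
        findings.append("random-8char-recon")
    return findings


def triage(sessions: List[Session]) -> Dict[str, List[str]]:
    """Map each source IP that matched at least one indicator to its findings."""
    return {s.src_ip: classify(s) for s in sessions if classify(s)}


# Constructed sample sessions (RFC 5737 documentation addresses).
SAMPLE_SESSIONS = [
    # Login through the Juniper backdoor with the username the article names.
    Session("203.0.113.10", "netscreen", JUNIPER_BACKDOOR_PASSWORD, ["get system"]),
    # Weak credential, then su with the Zyxel password, then an 8-char marker echo.
    Session("203.0.113.11", "admin", "CenturyL1nk",
            ["sh", "su", "zyad5001", "echo Qk3r9zLm"]),
    # Benign-looking session: nothing should match.
    Session("198.51.100.5", "root", "correct-horse", ["uptime", "ls /tmp"]),
]

if __name__ == "__main__":
    for ip, findings in triage(SAMPLE_SESSIONS).items():
        print(ip, "->", ", ".join(findings))
```

The length-and-character-class check in `recon_tokens()` is the point the researchers make: with no fixed string to signature on, the only stable property is the length, so the detector keys on shape rather than content and relies on an allow-list to keep ordinary 8-letter commands out of the alerts.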
As per the researchers, double-layer IoT protection is quite common in corporate environments, which never rely on built-in IoT authentication alone and usually add a further layer of protection through a firewall.
“Although such corporate devices can be lesser in number, getting control of corporate environment routers can be more valuable for an attacker as it can lead to targeted IoT attacks,” wrote the researchers.
Update: 2:39 AM Saturday, February 17, 2018 (UTC)
In an email to HackRead, Mr. Ruben Landeros Jr., Director of Information Technology at Zyxel has revealed that “The vulnerability has been corrected through a solution that we have already deployed to our customers in Dec 2017.”