New IoT Botnet DoubleDoor use two flaws to bypass firewall
According to bleepingcomputer media reports, hackers are building a unique botnet, for the first time bundled two attacks, trying to bypass the corporate firewall and infected devices. According to researchers at NewSky Security, the botnet was “cleverly” named DoubleDoor. Ankit Anubhav, a lead security researcher at News Security, said DoubleDoor malware is trying to exploit two later attacks, as shown below:
CVE-2015–7755 – backdoor in Juniper Networks’ ScreenOS software. Attackers can use the hardcoded password <<< %s(un=’%s’) = %u password with any username to access a device via Telnet and SSH.
CVE-2016–10401 – backdoor in ZyXEL PK5001Z routers. Attackers can use admin:CenturyL1nk (or other) and then gain super-user access with the password zyad5001 to gain control over the device.
He disclosed that DoubleDoor attackers will use the first vulnerability to bypass the Juniper Netscreen firewall and then use the second vulnerability to scan the internal network for ZyXEL routing.
In an interview with foreign media, Anubhav said it was the first time the IoT botnet had linked the two vulnerabilities and used it to infect the device. He said:
“For the first time, we saw an IoT botnet doing two layers of attacks, and was even ready to get past a firewall. Such multiple layers of attack/evasion are usually a Windows thing.”
“Satori/Reaper have used exploits, but those are exploits for one level of attack for various devices. If the attacker finds a Dlink device, then it uses this exploit; if it finds a Huawei device, then that exploit.”
Anubhav believes that the vast majority of the Internet of Things malware in the past to succeed, mainly because of the logic of the development of the device is too simple.
The DoubleDoor botnet does not seem to pose a serious threat yet
During January 18-27, based on an analysis of the botnet’s attack, researchers found that the hacker’s IP addresses came from South Korea.
However, Anubhav said the current botnet has not yet posed a serious threat and DoubleDoor is still in its infancy, so they are still “working.” He said:
“The attacks are less in number when compared to Mirai, Satori, Asuna, or Daddyl33t”
According to NewSky security experts, the main reason for the current small size of the attacks may be that they target only a small number of devices, such as the Internet-facing ZyXEL PK5001Z routers, or ZyXEL PK5001Z routers protected by an enterprise Juniper Netscreen firewall.
