NewSky Security's researchers have discovered a new IoT botnet that targets smart devices. The botnet, called DoubleDoor, chains two known backdoors to get through two layers of authentication. First, it uses CVE-2015-7755, a hard-coded password in Juniper ScreenOS, to bypass authentication on the NetScreen firewall and log in over its Telnet and SSH services with administrative rights. Once past the firewall, it attempts to backdoor Zyxel PK5001Z modems behind it through CVE-2016-10401, a hard-coded `su` password on the modem that grants root once any ordinary account on the device is known.
This makes the botnet hard to catch with signature-based detection. The researchers pointed out that, unlike IoT botnets such as Satori or Masuta, which announce themselves during the reconnaissance phase with a fixed, recognizable character string, DoubleDoor uses a randomly generated string for that step. With no standard string to match on, a simple signature will not pick it up. The one constant is length: DoubleDoor's string is always 8 characters long, the same length as the markers other botnets use.
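The detection logic below is an added example, not code from NewSky Security or from the article, showing how a honeypot or Telnet/SSH log pipeline can still catch this two-stage chain without relying on a fixed reconnaissance string. It matches on the publicly documented credentials behind the two CVEs named above (the ScreenOS backdoor password for CVE-2015-7755 and the Zyxel PK5001Z `su` password for CVE-2016-10401), flags a Mirai-style fixed `/bin/busybox` marker, and otherwise flags any 8-character busybox token as a possible DoubleDoor recon step. The log line format, the `/bin/busybox <marker>` recon convention, and all sample sessions are constructed assumptions for this example.

```python
import re
from collections import defaultdict

# Publicly documented credentials behind the two CVEs named in the article.
# Used here purely as detection indicators.
SCREENOS_BACKDOOR_PASSWORD = "<<< %s(un='%s') = %u"  # CVE-2015-7755 (Juniper ScreenOS)
ZYXEL_PK5001Z_SU_PASSWORD = "zyad5001"                # CVE-2016-10401 (Zyxel PK5001Z)

# Fixed reconnaissance marker that Mirai-family bots pass to busybox after
# login ("/bin/busybox ECCHI" in the Mirai source). Extend with other markers.
KNOWN_RECON_MARKERS = {"ECCHI"}

# Hypothetical honeypot log format (an assumption for this example):
#   <timestamp> <source-ip> LOGIN user=<u> pass=<p> result=ok|fail
#   <timestamp> <source-ip> SU pass=<p> result=ok|fail
#   <timestamp> <source-ip> CMD <command line>
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<kind>LOGIN|SU|CMD) (?P<rest>.*)$")
LOGIN_RE = re.compile(r"^user=(?P<user>\S+) pass=(?P<password>.*) result=(?P<result>ok|fail)$")
SU_RE = re.compile(r"^pass=(?P<password>.*) result=(?P<result>ok|fail)$")
BUSYBOX_RE = re.compile(r"^/bin/busybox (?P<marker>[A-Za-z0-9]+)$")


def classify_line(line):
    """Return (source_ip, indicator, detail) for a suspicious line, else None."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    src, kind, rest = m["src"], m["kind"], m["rest"]
    if kind == "LOGIN":
        lm = LOGIN_RE.match(rest)
        if lm and lm["password"] == SCREENOS_BACKDOOR_PASSWORD:
            return (src, "screenos-backdoor-login", lm["user"])
    elif kind == "SU":
        sm = SU_RE.match(rest)
        if sm and sm["password"] == ZYXEL_PK5001Z_SU_PASSWORD:
            return (src, "zyxel-su-backdoor", sm["result"])
    elif kind == "CMD":
        bm = BUSYBOX_RE.match(rest)
        if bm:
            marker = bm["marker"]
            if marker in KNOWN_RECON_MARKERS:
                return (src, "recon-fixed-marker", marker)
            if len(marker) == 8:
                # No fixed string to match: DoubleDoor picks a fresh token per
                # session, so the only stable signal is the 8-character length.
                return (src, "recon-random-8char", marker)
    return None


def analyze(lines):
    """Group indicators per source and flag sources that chain both CVEs."""
    per_src = defaultdict(list)
    for line in lines:
        hit = classify_line(line)
        if hit:
            per_src[hit[0]].append(hit[1:])
    report = {}
    for src, hits in per_src.items():
        kinds = {k for k, _ in hits}
        report[src] = {
            "indicators": sorted(kinds),
            "doubledoor_chain": {"screenos-backdoor-login", "zyxel-su-backdoor"} <= kinds,
        }
    return report


# Constructed sample sessions (not real captures).
SAMPLE_LOG = """\
2018-01-20T03:12:44Z 203.0.113.10 LOGIN user=netscreen pass=<<< %s(un='%s') = %u result=ok
2018-01-20T03:12:45Z 203.0.113.10 CMD /bin/busybox Qk8vZ2pL
2018-01-20T03:13:01Z 203.0.113.10 LOGIN user=admin pass=admin result=ok
2018-01-20T03:13:02Z 203.0.113.10 SU pass=zyad5001 result=ok
2018-01-20T04:00:10Z 198.51.100.7 LOGIN user=root pass=xc3511 result=ok
2018-01-20T04:00:11Z 198.51.100.7 CMD /bin/busybox ECCHI
2018-01-20T05:30:00Z 192.0.2.55 LOGIN user=admin pass=hunter2 result=fail
2018-01-20T05:30:05Z 192.0.2.55 CMD /bin/busybox ls
"""

if __name__ == "__main__":
    for src, info in analyze(SAMPLE_LOG.splitlines()).items():
        print(src, info)
```

The length-only rule for the random marker will produce false positives on legitimate 8-character busybox applets, so in practice it is worth correlating with the credential hits from the same source, which is what the `doubledoor_chain` flag does; a fixed-string signature alone, as the paragraph above explains, would miss this botnet entirely.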
DoubleDoor's attacks were first observed in January 2018, coming mainly from South Korean IP addresses. Unlike large-scale outbreaks such as Mirai or NotPetya, which infected thousands of devices and knocked several major sites offline, the risk here remains low: a target network must still be running an unpatched version of the Juniper ScreenOS firewall in front of vulnerable Zyxel modems.