Security researchers have uncovered new malware that chains two backdoor exploits to infect IoT devices and build a botnet.
Dubbed DoubleDoor, the malware was spotted by researchers at NewSky Security. It uses two exploits for bypassing authentication procedures on an IoT device, and also defeats additional security features, they said.
The malware first exploits CVE-2015-7755, the hard-coded backdoor password in Juniper Networks' ScreenOS, to get past authentication on the Juniper firewall that sits in front of the target.
With the firewall bypassed, it exploits CVE-2016-10401, a hard-coded su password in Zyxel modems, to take full control of the device: it first logs in to a low-privilege account and then escalates to superuser.
Successful IoT attack
The botnet carries out reconnaissance to make sure that the attack was successful in getting control of the IoT device.
According to the researchers, the malware randomises the strings used in every attack to avoid detection: with no fixed string to match, it is harder to classify the recon activity as malicious. The strings do have one thing in common, however: they are always 8 characters long.
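The detection point above (a signature on the string itself fails because it changes every time, but its length does not) can be turned into a simple structural rule. The following is an added example, not code from the article or from NewSky Security. It assumes, for illustration, that the recon step echoes a token back over the session, and the log lines it scans are constructed; real logs and the real recon command may look different.

```python
"""Flag recon strings that vary per attack but are always 8 characters long.

Instead of matching a fixed string (which DoubleDoor defeats by randomising it),
the rule matches the one invariant the article reports: the string is always
8 characters. An entropy floor separates random-looking tokens from ordinary
8-letter words such as "password".
"""
import math
import re
from collections import Counter

# Constructed sample session log (illustrative, not data from the report).
SAMPLE_LOG = """\
2018-01-20T03:11:02Z src=203.0.113.7 cmd=echo qhzmvtxk
2018-01-20T03:11:03Z src=203.0.113.7 cmd=cat /proc/cpuinfo
2018-01-21T11:40:19Z src=198.51.100.9 cmd=echo ok
2018-01-21T11:40:21Z src=198.51.100.9 cmd=echo password
2018-01-22T08:02:55Z src=203.0.113.8 cmd=echo bxwqzjpl
2018-01-22T09:15:40Z src=192.0.2.44 cmd=echo wfnkdrqa
"""

# Assumed log shape: the recon command is an "echo <token>" (not stated by the article).
LINE_RE = re.compile(r"src=(?P<src>\S+) cmd=echo (?P<tok>\S+)$")

RECON_LEN = 8      # the only invariant reported for the recon strings
ENTROPY_MIN = 2.9  # bits/char; 8 distinct chars score 3.0, "password" scores 2.75


def shannon_entropy(s: str) -> float:
    """Per-character Shannon entropy of s in bits."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def is_recon_token(tok: str) -> bool:
    """True if tok is exactly 8 alphanumerics and random-looking."""
    return (
        len(tok) == RECON_LEN
        and tok.isalnum()
        and shannon_entropy(tok) >= ENTROPY_MIN
    )


def find_recon(log: str) -> list[tuple[str, str]]:
    """Return (source, token) pairs for lines that look like randomised recon."""
    hits = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m and is_recon_token(m.group("tok")):
            hits.append((m.group("src"), m.group("tok")))
    return hits


if __name__ == "__main__":
    for src, tok in find_recon(SAMPLE_LOG):
        print(f"possible recon from {src}: {tok}")
```

The rule deliberately ignores the token's value and keys on length plus entropy, which is why it catches three different strings from three different sources while leaving "ok" and "password" alone. In production the length invariant should be treated as a weak indicator and combined with context, such as the login that preceded it, since legitimate sessions can also echo an 8-character string.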
Researchers believe that the botnet is in its nascent phase. The attacks occurred between January 18 and January 27, 2018, with a majority of them originating from South Korean IPs.
“DoubleDoor attacks are expected to be low as the hack will succeed only if the victim has a specific unpatched version of Juniper ScreenOS firewall, which protects unpatched Zyxel modems,” said NewSky researchers.
They added that double-layer IoT protection is common in corporate environments, which often don’t rely on built-in IoT authentication and prefer to protect devices with another layer of firewall.
“Although such corporate devices can be lesser in number, getting control of corporate-environment routers can be more valuable for an attacker as it can lead to targeted IoT attacks,” said Ankit Anubhav, principal researcher at NewSky Security.