DoubleDoor: IoT Botnet bypasses firewall as well as modem security using two backdoor exploits
Introduction
Within two years, IoT attacks have evolved rapidly. IoT threats, which had already moved on from admin:admin credential attacks to the use of exploits, are now evolving not only to bypass IoT authentication but also to defeat an extra layer of security, i.e. the firewall that protects the device. Consequently, even if a security-adept user has set up authentication on the IoT device and protects it with a firewall, both layers of security are breached by this campaign, and control of the device ends up in the hands of the DoubleDoor botmasters.
The Backdoors
As observed in our honeypot logs, the attacks incorporate two known backdoor exploits to take care of two levels of authentication. First, CVE-2015-7755 is deployed to make use of the infamous Juniper Networks SmartScreen OS exploit, which essentially allows the attacker to get past firewall authentication. Once that succeeds, the CVE-2016-10401 Zyxel modem backdoor exploit is deployed to take full control of the device. The entire attack cycle is simplified in the diagram below.