Discovered by NewSky Security researchers, DoubleDoor is an IoT botnet that chains two backdoor exploits to get past two layers of authentication: a corporate firewall and the modem behind it. To infect devices, DoubleDoor first exploits CVE-2015-7755, a hard-coded backdoor password in the ScreenOS software of Juniper Networks' NetScreen firewalls, to bypass the firewall and scan the internal network for ZyXEL PK5001Z modems. Once a PK5001Z is located, DoubleDoor exploits CVE-2016-10401: it logs in with the ISP default credentials admin:CenturyL1nk (or other credentials), then escalates to full super-user control with the device's hard-coded su password zyad5001. Early reports indicate that the botnet is small and that the initial exploitation attempts originated from South Korea. Given the types of devices in the chain (a Juniper firewall in front of a ZyXEL modem), researchers believe the botnet's creator may be targeting corporations specifically. What the botnet does beyond propagating the infection is currently unknown.
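As an added example (not NewSky's code and not taken from either report below), the following Python script correlates telnet-session events for the ZyXEL half of the chain: a login with the CenturyLink default credentials followed by an su with the hard-coded password. The log format, the session and src fields, and the sample lines are constructed for this example; the Juniper stage is left out because the page does not describe what that traffic looks like.

```python
import re
from collections import defaultdict

# Credential pair and su password reported for the ZyXEL PK5001Z stage (CVE-2016-10401).
DEFAULT_LOGIN = ("admin", "CenturyL1nk")
SU_PASSWORD = "zyad5001"

# key=value pairs, with optional double-quoted values (constructed log format, an assumption).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample log: one line per telnet event; timestamps, session ids and
# source addresses are made up for the example.
SAMPLE_LOG = """\
2018-02-12T03:14:07Z session=a1 src=203.0.113.10 event=login user=admin pass=CenturyL1nk result=ok
2018-02-12T03:14:09Z session=a1 src=203.0.113.10 event=su pass=zyad5001 result=ok
2018-02-12T03:14:10Z session=a1 src=203.0.113.10 event=cmd text="cat /proc/cpuinfo"
2018-02-12T03:20:01Z session=b2 src=198.51.100.7 event=login user=admin pass=CenturyL1nk result=fail
2018-02-12T03:25:44Z session=c3 src=192.0.2.55 event=login user=operator pass=hunter2 result=ok
2018-02-12T03:25:50Z session=c3 src=192.0.2.55 event=su pass=zyad5001 result=ok
2018-02-12T03:30:12Z session=d4 src=192.0.2.9 event=login user=operator pass=hunter2 result=ok
this line is malformed and must be skipped
""".splitlines()


def parse_line(line):
    """Split one log line into a dict of fields; return None if it is malformed."""
    parts = line.split(None, 1)
    if len(parts) != 2:
        return None
    ts, rest = parts
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    if "session" not in fields or "event" not in fields:
        return None
    fields["ts"] = ts
    return fields


def classify_sessions(lines):
    """Group events by session and return {session_id: (verdict, src)} for every
    session that used either half of the CVE-2016-10401 credential chain."""
    sessions = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            sessions[ev["session"]].append(ev)

    verdicts = {}
    for sid, events in sessions.items():
        src = events[0].get("src", "unknown")
        default_attempt = default_ok = su_hit = False
        for ev in events:
            if ev["event"] == "login" and (ev.get("user"), ev.get("pass")) == DEFAULT_LOGIN:
                default_attempt = True
                default_ok = default_ok or ev.get("result") == "ok"
            elif ev["event"] == "su" and ev.get("pass") == SU_PASSWORD:
                su_hit = True
        if default_ok and su_hit:
            # Default login followed by the hard-coded su: root obtained, the full DoubleDoor pattern.
            verdicts[sid] = ("full-chain", src)
        elif su_hit:
            # Hard-coded su password used from some other account: still CVE-2016-10401 abuse.
            verdicts[sid] = ("hardcoded-su", src)
        elif default_attempt:
            # First stage only, whether or not the login succeeded.
            verdicts[sid] = ("default-cred-attempt", src)
    return verdicts


if __name__ == "__main__":
    for sid, (verdict, src) in sorted(classify_sessions(SAMPLE_LOG).items()):
        print(f"{sid}: {verdict} from {src}")
```

The su password is flagged regardless of its result because it is a fixed secret that no legitimate remote operator should be typing over telnet; a session that only tries the default login is reported separately so that scanning can be told apart from a completed compromise.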
Reporting and Technical Details:
- February 2018: DoubleDoor: IoT Botnet bypasses firewall as well as modem security using two backdoor exploits (NewSky Security)
- February 2018: DoubleDoor Botnet Chains Exploits to Bypass Firewalls (Bleeping Computer)
Image Source: NewSky Security