Within two years, IoT attacks have seen rapid evolution. IoT threats, which had already moved from admin:admin credential attacks to the use of exploits, are now evolving not only to bypass IoT authentication but also to defeat an extra layer of security, i.e. the firewall that protects the device. Consequently, even if a security-adept user has set authentication on the IoT device and protects it with a firewall, both layers of security are breached by this campaign, and control of the device ends up in the hands of the DoubleDoor botmasters.
As observed in our honeypot logs, the attacks incorporate two known backdoor exploits to take care of two layers of authentication. First, CVE-2015-7755 is deployed to make use of the infamous Juniper Networks ScreenOS exploit, which essentially allows one to get past firewall authentication. Once that succeeds, the CVE-2016-10401 Zyxel modem backdoor exploit is deployed to take full control of the device. The entire attack cycle is simplified in the diagram below.
CVE-2015-7755 is a backdoor in Juniper Networks' ScreenOS software, which powers their NetScreen firewalls. The implementation of this backdoor is straightforward: the telnet and SSH daemons of NetScreen firewalls can be accessed with the hardcoded password <<< %s(un='%s') = %u and any username, regardless of whether that username is valid. We saw it used in the initial stage of the DoubleDoor attack cycle, when the campaign hit our honeypots with the username "netscreen" and the backdoor password.
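The practical detection point in the paragraph above is that the backdoor accepts any username, so a detector that keys on the username "netscreen" misses attempts that use other names; it has to match the password string itself. The script below is an added example, not code from the original write-up or from NewSky Security: it parses constructed honeypot login records (the line format, IP addresses and timestamps are assumptions made up for this example) and flags every telnet or SSH attempt that presents the CVE-2015-7755 backdoor password, whatever username accompanies it.

```python
"""Flag telnet/SSH login attempts that present the CVE-2015-7755 ScreenOS
backdoor password.

The honeypot log lines below are constructed for this example and the
"<ts> <src_ip> <service> user=<u> pass=<p> <result>" layout is an assumed
format, not a real ScreenOS or honeypot log format."""
import re
from collections import Counter

# Hard-coded ScreenOS backdoor password as quoted in the write-up. It contains
# printf-style directives, so it is only ever compared as a literal string and
# must never be passed through any formatting call.
SCREENOS_BACKDOOR_PASSWORD = "<<< %s(un='%s') = %u"

# Constructed sample records: two backdoor attempts with different usernames,
# one admin:admin attempt and one unrelated failed login.
SAMPLE_LOG = """\
2018-02-01T10:00:01Z 203.0.113.7 telnet user=admin pass=admin failed
2018-02-01T10:00:03Z 203.0.113.7 telnet user=netscreen pass=<<< %s(un='%s') = %u accepted
2018-02-01T10:00:09Z 198.51.100.4 ssh user=root pass=<<< %s(un='%s') = %u accepted
2018-02-01T10:01:15Z 192.0.2.9 ssh user=operator pass=correct-horse failed
"""

# The password field may contain spaces, so it is matched non-greedily up to
# the trailing result token.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<svc>telnet|ssh) "
    r"user=(?P<user>\S+) pass=(?P<password>.*?) (?P<result>accepted|failed)$"
)


def parse_line(line):
    """Return the record as a dict, or None if the line does not fit the assumed format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_backdoor_attempt(rec):
    """Key on the password, not the username: the backdoor accepts any username."""
    return rec["password"] == SCREENOS_BACKDOOR_PASSWORD


def find_backdoor_logins(log_text):
    """Return (src, user, service, result) for every attempt using the backdoor password."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_backdoor_attempt(rec):
            hits.append((rec["src"], rec["user"], rec["svc"], rec["result"]))
    return hits


def summarize_sources(hits):
    """Count backdoor attempts per source address for triage."""
    return Counter(src for src, *_ in hits)


if __name__ == "__main__":
    found = find_backdoor_logins(SAMPLE_LOG)
    for src, user, svc, result in found:
        print(f"ALERT CVE-2015-7755 backdoor password via {svc} from {src} as '{user}': {result}")
    print(dict(summarize_sources(found)))
```

On a honeypot the cleartext password is available, so the literal comparison above is the right signal. A production firewall does not log submitted passwords; there the equivalent indicator is an accepted telnet or SSH login for a username that does not exist in the device's local user database, which is exactly what the "any username" property produces.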
read more at newskysecurity.com