Critical Ruckus RCE Flaw Exploited By New DDoS Botnet Malware
Cyber Security Threat Summary:
A new malware botnet named 'AndoryuBot' is targeting a critical-severity flaw in the Ruckus Wireless Admin panel to infect unpatched Wi-Fi access points for use in DDoS attacks. Tracked as CVE-2023-25717, the flaw impacts all Ruckus Wireless Admin panels version 10.4 and older, allowing remote attackers to perform code execution by sending unauthenticated HTTP GET requests to vulnerable devices. The flaw was discovered and fixed on February 8, 2023. Still, many have not applied the available security updates, while end-of-life models impacted by the security problem will not get a patch”.
Security Officer Comments:
AndoryuBot has been around since February 2023. The malware is known for infecting vulnerable devices via malicious HTTP GET requests and downloading additional scripts from a hardcoded URL for further propagation. According to Fortinet, a new variant of AndoryuBot was uncovered in mid-April which targets Ruckus devices. The variant is capable of targeting several system architectures, including x86, arm, spc, m68k, mips, sh4, mps1. After an successful infection, the malware will establish communication with the C2 server via the SOCKS proxying protocol to bypass firewalls and further wait for commands.
“The malware will receive commands from the command and control server that tell it the DDoS type, the target IP address, and the port number to attack. The malware's operators rent their firepower to other cybercriminals who want to launch DDoS attacks, accepting cryptocurrency payments (XMR, BTC, ETH, USDT, CashApp) for their services. Fortinet says the weekly rent prices range from $20 for a single-connection 90-second attack using all available bots launched 50 times a day to $115 for a double-connection 200-second attack using all available bots to launch 100 attacks daily” (Bleeping Computer, 2023).
Suggested Corrections:
To prevent botnet malware infections, apply available firmware updates, use strong device administrator passwords, and disable remote admin panel access if not needed.
Link(s):
https://www.bleepingcomputer.com/