June 7, 2023

Researchers have identified a spike in attacks attempting to exploit the Ruckus Wireless Admin remote code execution by a botnet known to be AndoryuBot.

The vulnerability tracked as CVE-2023-25717. The bot supports multiple DDoS attack techniques and uses SOCKS5 proxies for C2 communications. The issue affects Ruckus Wireless Admin version 10.4 and earlier used by multiple Ruckus wireless Access Point devices.

A remote, unauthenticated attacker can exploit the vulnerability to execute arbitrary code and take complete control of a vulnerable device.

Advertisements

Reasearchers noted that a Proof-of-Concept code for this vulnerability is publicly available and urges owners to install the patch as soon as possible.

Once after compromising a device, the bot downloads a script from the URL http[:]//163[.]123[.]142[.]146 for further propagation. It begins communicating with its C2 server via the SOCKS protocol. In a very short time, it is updated with additional DDoS methods and awaits attack commands.

The variant analyzed by the researchers targets multiple architectures, including arm, m68k, mips, mpsl, sh4, spc, and x86.

AndoryuBot supports 12 DDoS attack methods: tcp-raw, tcp-socket, tcp-cnc, tcp-handshake, udp-plain, udp-game, udp-ovh, udp-raw, udp-vse, udp-dstat, udp-bypass, and icmp-echo.

Advertisements

Once the bot receives the attack command, it starts a DDoS attack on a specific IP address and port number. This bot is soled through Telegram channel

This research was documented by researchers from FortiLabs.

Indicators of Compromise

C2:

  • 163[.]123[.]142[.]146
  • 45[.]153[.]243[.]39

Files:

  • ea064dd91d8d9e6036e99f5348e078c43f99fdf98500614bffb736c4b0fff408
  • f42c6cea4c47bf0cbef666a8052633ab85ab6ac5b99b7e31faa1e198c4dd1ee1
  • 3441e88c80e82b933bb09e660d229d74f7b753a188700fe018e74c2db7b2aaa0
  • 3c9998b8451022beee346f1afe18cab84e867b43c14ba9c7f04e5c559bfc4c3a
  • b71b4f478479505f1bfb43663b4a4666ec98cd324acb16892ecb876ade5ca6f9
  • e740a0d2e42c09e912c43ecdc4dcbd8e92896ac3f725830d16aaa3eddf07fd5c
  • 4fe4cff875ef7f8c29c95efe71b92ed31ed9f61eb8dfad448259295bd1080aca
  • 2e7136f760f04b1ed7033251a14fef1be1e82ddcbff44dae30db12fe52e0a78a
  • 1298da097b1c5bdce63f580e14e2c1b372c409476747356a8e9cfaf62b94513d
  • 55e921a196c92c659305aa9de3edf6297803b60012f83967562a57547875fec1
Tags:

Leave a Reply

You may have missed

Microsoft to comply with LinkedIn GDPR Violation

Microsoft to comply with LinkedIn GDPR Violation

June 7, 2023
Google Fixes Third Chrome Zeroday

Google Fixes Third Chrome Zeroday

June 6, 2023
Moveit Attributed to Lace Tempest

Moveit Attributed to Lace Tempest

June 6, 2023
Byte Code Bites PYPI

Byte Code Bites PYPI

June 5, 2023
Enzo Biochem Suffers a Data Breach

Enzo Biochem Suffers a Data Breach

June 5, 2023
BlackSuit Ransomware Dissection

BlackSuit Ransomware Dissection

June 4, 2023
%d bloggers like this: