AndoryuBot Explits RCE Bug to Conduct DDoS Attack
Researchers have identified a spike in attacks attempting to exploit the Ruckus Wireless Admin remote code execution by a botnet known to be AndoryuBot.
The vulnerability tracked as CVE-2023-25717. The bot supports multiple DDoS attack techniques and uses SOCKS5 proxies for C2 communications. The issue affects Ruckus Wireless Admin version 10.4 and earlier used by multiple Ruckus wireless Access Point devices.
A remote, unauthenticated attacker can exploit the vulnerability to execute arbitrary code and take complete control of a vulnerable device.
Reasearchers noted that a Proof-of-Concept code for this vulnerability is publicly available and urges owners to install the patch as soon as possible.
Once after compromising a device, the bot downloads a script from the URL http[:]//163[.]123[.]142[.]146 for further propagation. It begins communicating with its C2 server via the SOCKS protocol. In a very short time, it is updated with additional DDoS methods and awaits attack commands.
The variant analyzed by the researchers targets multiple architectures, including arm, m68k, mips, mpsl, sh4, spc, and x86.
AndoryuBot supports 12 DDoS attack methods: tcp-raw, tcp-socket, tcp-cnc, tcp-handshake, udp-plain, udp-game, udp-ovh, udp-raw, udp-vse, udp-dstat, udp-bypass, and icmp-echo.
Once the bot receives the attack command, it starts a DDoS attack on a specific IP address and port number. This bot is soled through Telegram channel
This research was documented by researchers from FortiLabs.
Indicators of Compromise