December 5, 2023

Researchers have identified a spike in attacks attempting to exploit the Ruckus Wireless Admin remote code execution by a botnet known to be AndoryuBot.

The vulnerability tracked as CVE-2023-25717. The bot supports multiple DDoS attack techniques and uses SOCKS5 proxies for C2 communications. The issue affects Ruckus Wireless Admin version 10.4 and earlier used by multiple Ruckus wireless Access Point devices.

A remote, unauthenticated attacker can exploit the vulnerability to execute arbitrary code and take complete control of a vulnerable device.

Advertisements

Reasearchers noted that a Proof-of-Concept code for this vulnerability is publicly available and urges owners to install the patch as soon as possible.

Once after compromising a device, the bot downloads a script from the URL http[:]//163[.]123[.]142[.]146 for further propagation. It begins communicating with its C2 server via the SOCKS protocol. In a very short time, it is updated with additional DDoS methods and awaits attack commands.

The variant analyzed by the researchers targets multiple architectures, including arm, m68k, mips, mpsl, sh4, spc, and x86.

AndoryuBot supports 12 DDoS attack methods: tcp-raw, tcp-socket, tcp-cnc, tcp-handshake, udp-plain, udp-game, udp-ovh, udp-raw, udp-vse, udp-dstat, udp-bypass, and icmp-echo.

Advertisements

Once the bot receives the attack command, it starts a DDoS attack on a specific IP address and port number. This bot is soled through Telegram channel

This research was documented by researchers from FortiLabs.

Indicators of Compromise

C2:

  • 163[.]123[.]142[.]146
  • 45[.]153[.]243[.]39

Files:

  • ea064dd91d8d9e6036e99f5348e078c43f99fdf98500614bffb736c4b0fff408
  • f42c6cea4c47bf0cbef666a8052633ab85ab6ac5b99b7e31faa1e198c4dd1ee1
  • 3441e88c80e82b933bb09e660d229d74f7b753a188700fe018e74c2db7b2aaa0
  • 3c9998b8451022beee346f1afe18cab84e867b43c14ba9c7f04e5c559bfc4c3a
  • b71b4f478479505f1bfb43663b4a4666ec98cd324acb16892ecb876ade5ca6f9
  • e740a0d2e42c09e912c43ecdc4dcbd8e92896ac3f725830d16aaa3eddf07fd5c
  • 4fe4cff875ef7f8c29c95efe71b92ed31ed9f61eb8dfad448259295bd1080aca
  • 2e7136f760f04b1ed7033251a14fef1be1e82ddcbff44dae30db12fe52e0a78a
  • 1298da097b1c5bdce63f580e14e2c1b372c409476747356a8e9cfaf62b94513d
  • 55e921a196c92c659305aa9de3edf6297803b60012f83967562a57547875fec1
Tags:

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

You may have missed

DanaBot Trojan Deploying Cactus Ransomware

December 4, 2023

LogoFAIL Firmware Attack

December 3, 2023

Proliance Surgeons Discloses a Data Breach

December 3, 2023

23andMe Breach affected 14K Customers

December 3, 2023

TheCyberThrone CyberSecurity Newsletter Top 5 Articles – November, 2023

December 2, 2023

Staples affected by a Cyber Attack

December 2, 2023
%d