April 25, 2024

Researchers have identified a spike in attacks attempting to exploit a remote code execution vulnerability in Ruckus Wireless Admin by a botnet known as AndoryuBot.

The vulnerability is tracked as CVE-2023-25717. The bot supports multiple DDoS attack techniques and uses SOCKS5 proxies for C2 communications. The issue affects Ruckus Wireless Admin version 10.4 and earlier, which is used by multiple Ruckus wireless Access Point devices.

A remote, unauthenticated attacker can exploit the vulnerability to execute arbitrary code and take complete control of a vulnerable device.


Researchers noted that proof-of-concept code for this vulnerability is publicly available and urged owners to install the patch as soon as possible.

After compromising a device, the bot downloads a script from the URL http[:]//163[.]123[.]142[.]146 for further propagation. It then begins communicating with its C2 server via the SOCKS protocol. Within a very short time it is updated with additional DDoS methods and awaits attack commands.

The variant analyzed by the researchers targets multiple architectures, including arm, m68k, mips, mpsl, sh4, spc, and x86.

AndoryuBot supports 12 DDoS attack methods: tcp-raw, tcp-socket, tcp-cnc, tcp-handshake, udp-plain, udp-game, udp-ovh, udp-raw, udp-vse, udp-dstat, udp-bypass, and icmp-echo.


Once the bot receives an attack command, it starts a DDoS attack against a specific IP address and port number. The bot is sold through a Telegram channel.

This research was documented by researchers from FortiLabs.

Indicators of Compromise

C2:

  • 163[.]123[.]142[.]146
  • 45[.]153[.]243[.]39

Files:

  • ea064dd91d8d9e6036e99f5348e078c43f99fdf98500614bffb736c4b0fff408
  • f42c6cea4c47bf0cbef666a8052633ab85ab6ac5b99b7e31faa1e198c4dd1ee1
  • 3441e88c80e82b933bb09e660d229d74f7b753a188700fe018e74c2db7b2aaa0
  • 3c9998b8451022beee346f1afe18cab84e867b43c14ba9c7f04e5c559bfc4c3a
  • b71b4f478479505f1bfb43663b4a4666ec98cd324acb16892ecb876ade5ca6f9
  • e740a0d2e42c09e912c43ecdc4dcbd8e92896ac3f725830d16aaa3eddf07fd5c
  • 4fe4cff875ef7f8c29c95efe71b92ed31ed9f61eb8dfad448259295bd1080aca
  • 2e7136f760f04b1ed7033251a14fef1be1e82ddcbff44dae30db12fe52e0a78a
  • 1298da097b1c5bdce63f580e14e2c1b372c409476747356a8e9cfaf62b94513d
  • 55e921a196c92c659305aa9de3edf6297803b60012f83967562a57547875fec1
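A defender's first use of a list like this is to sweep existing telemetry for it. The script below is an added example, not code from the original post or from the researchers who published the indicators: it refangs the defanged C2 addresses and download URL from the post, scans a few constructed firewall-style log lines (the key=value format and the addresses other than the two C2 IPs are assumptions) for connections to those addresses, and checks a constructed file-hash inventory against the published SHA-256 list. Only the indicators themselves come from the page.

```python
import re
from typing import Dict, List

# C2 indicators as published in the post, defanged with [.] so they are not clickable.
C2_INDICATORS = [
    "163[.]123[.]142[.]146",
    "45[.]153[.]243[.]39",
]

# Propagation script URL from the post (same host as the first C2 address).
DOWNLOAD_URL = "http[:]//163[.]123[.]142[.]146"

# SHA-256 file hashes as published in the post.
FILE_HASHES = {
    "ea064dd91d8d9e6036e99f5348e078c43f99fdf98500614bffb736c4b0fff408",
    "f42c6cea4c47bf0cbef666a8052633ab85ab6ac5b99b7e31faa1e198c4dd1ee1",
    "3441e88c80e82b933bb09e660d229d74f7b753a188700fe018e74c2db7b2aaa0",
    "3c9998b8451022beee346f1afe18cab84e867b43c14ba9c7f04e5c559bfc4c3a",
    "b71b4f478479505f1bfb43663b4a4666ec98cd324acb16892ecb876ade5ca6f9",
    "e740a0d2e42c09e912c43ecdc4dcbd8e92896ac3f725830d16aaa3eddf07fd5c",
    "4fe4cff875ef7f8c29c95efe71b92ed31ed9f61eb8dfad448259295bd1080aca",
    "2e7136f760f04b1ed7033251a14fef1be1e82ddcbff44dae30db12fe52e0a78a",
    "1298da097b1c5bdce63f580e14e2c1b372c409476747356a8e9cfaf62b94513d",
    "55e921a196c92c659305aa9de3edf6297803b60012f83967562a57547875fec1",
}


def refang(ioc: str) -> str:
    """Turn common defanged notation ([.], [:], hxxp) back into a matchable string."""
    return ioc.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


# Refanged set used for matching; the URL host is covered by the first C2 entry.
C2_IPS = {refang(ioc) for ioc in C2_INDICATORS}

# Constructed sample firewall/proxy log lines (not real traffic). The internal
# source addresses and the non-C2 destinations are made up for the example.
SAMPLE_LOGS = [
    "ts=2024-04-25T10:01:02Z src=10.0.5.21 dst=163.123.142.146 dport=80 action=allow",
    "ts=2024-04-25T10:01:05Z src=10.0.5.21 dst=142.250.72.46 dport=443 action=allow",
    "ts=2024-04-25T10:02:11Z src=10.0.5.40 dst=45.153.243.39 dport=1080 action=allow",
    "ts=2024-04-25T10:03:00Z src=10.0.5.21 dst=1.1.1.1 dport=53 action=allow",
]

# Constructed file inventory (path -> sha256) as an EDR or AIDE-style scan might
# produce it; the paths and the non-matching hash are made up for the example.
SAMPLE_INVENTORY: Dict[str, str] = {
    "/tmp/.x/arm.bin": "ea064dd91d8d9e6036e99f5348e078c43f99fdf98500614bffb736c4b0fff408",
    "/bin/busybox": "0000000000000000000000000000000000000000000000000000000000000000",
    "/tmp/.x/x86.bin": "55e921a196c92c659305aa9de3edf6297803b60012f83967562a57547875fec1",
}

# Word-bounded dotted quad; \b stops 163.123.142.1460 from matching 163.123.142.146.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def find_c2_hits(lines: List[str]) -> List[Dict[str, str]]:
    """Return every log line that references a known C2 address, with the matched IOC."""
    hits = []
    for line in lines:
        for ip in IP_RE.findall(line):
            if ip in C2_IPS:
                hits.append({"line": line, "ioc": ip})
    return hits


def match_hashes(inventory: Dict[str, str]) -> List[str]:
    """Return the paths whose SHA-256 (case-insensitive) is on the published list."""
    return [path for path, digest in inventory.items() if digest.lower() in FILE_HASHES]


if __name__ == "__main__":
    for hit in find_c2_hits(SAMPLE_LOGS):
        print(f"C2 contact {hit['ioc']}: {hit['line']}")
    for path in match_hashes(SAMPLE_INVENTORY):
        print(f"known AndoryuBot sample on disk: {path}")
```

A hit on either C2 address from an access point's management network is the signal to isolate the device and check its firmware version against the vendor advisory; the hash match is the secondary confirmation that a payload was actually dropped. Both matchers are exact, so they miss any addresses or builds not in the published list; the IP regex is deliberately strict to avoid false positives on longer dotted strings.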
