AndoryuBot DDoS Botnet Exploits Ruckus Wireless Admin Vulnerability

May 9, 2023

Researchers from FortiGuard Labs have observed a significant increase in attacks targeting the Ruckus Wireless Admin remote code execution vulnerability, tracked as CVE-2023-25717. The activity is linked to the AndoryuBot DDoS botnet, which first emerged in February 2023. This botnet is known for its multiple DDoS attack techniques and use of SOCKS5 proxies for command and control (C2) communication. The vulnerability affects Ruckus Wireless Admin version 10.4 and earlier, which is used by numerous Ruckus wireless Access Point (AP) devices. A remote, unauthenticated attacker can exploit this vulnerability to execute arbitrary code and gain full control of a vulnerable device.

Fortinet researchers have also reported the availability of a Proof-of-Concept (PoC) code for this vulnerability and urge device owners to install the patch as soon as possible. Once a device is compromised, the AndoryuBot downloads a script from the URL http[:]//163[.]123[.]142[.]146 to propagate further. The report published by Fortinet states, “Once a target device is compromised, AndoryuBot quickly spreads and begins communicating with its C2 server via the SOCKS protocol. In a very short time, it is updated with additional DDoS methods and awaits attack commands.” The researchers emphasize the importance of being aware of this new threat and applying patches on affected devices as soon as they become available.

The variant analyzed by the researchers targets multiple architectures, including arm, m68k, mips, mpsl, sh4, spc, and x86. After establishing the communication channel, the client waits for a command from the C2 server to initiate a DDoS attack. AndoryuBot supports 12 DDoS attack methods: tcp-raw, tcp-socket, tcp-cnc, tcp-handshake, udp-plain, udp-game, udp-ovh, udp-raw, udp-vse, udp-dstat, udp-bypass, and icmp-echo. Upon receiving the attack command, the bot initiates a DDoS attack on a specific IP address and port number.
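The two behaviours the report describes (an AP fetching a script from the named host, then the bot speaking SOCKS5 to its C2) can both be spotted at the network edge. The following detection sketch is an added example, not code from the Fortinet report or from the botnet analysis; the AP subnet and the sample flows are constructed, and only the dropper address comes from the page.

```python
import ipaddress

# Constructed sample flows (first client payload bytes); not real captures.
# The AP subnet is an assumption; the dropper host is the defanged URL from the report.
AP_SUBNET = ipaddress.ip_network("10.20.0.0/24")  # assumed AP management subnet
DROPPER_HOST = ipaddress.ip_address("163.123.142.146")

SAMPLE_FLOWS = [
    {"src": "10.20.0.17", "dst": "163.123.142.146", "dport": 80,
     "payload": b"GET / HTTP/1.1\r\nHost: 163.123.142.146\r\n\r\n"},
    {"src": "10.20.0.17", "dst": "198.51.100.9", "dport": 4444,
     "payload": bytes([0x05, 0x01, 0x00])},            # SOCKS5 greeting, no-auth
    {"src": "10.20.0.18", "dst": "203.0.113.5", "dport": 443,
     "payload": bytes([0x16, 0x03, 0x01, 0x00, 0xC8])},  # TLS ClientHello, benign
]

def is_socks5_greeting(payload: bytes) -> bool:
    """RFC 1928 client greeting: VER=0x05, NMETHODS, then exactly NMETHODS method bytes."""
    if len(payload) < 3 or payload[0] != 0x05:
        return False
    nmethods = payload[1]
    return nmethods >= 1 and len(payload) == 2 + nmethods

def classify_flow(flow: dict) -> list[str]:
    """Return detection labels for one flow; only flows sourced from the AP subnet matter."""
    findings: list[str] = []
    if ipaddress.ip_address(flow["src"]) not in AP_SUBNET:
        return findings
    if ipaddress.ip_address(flow["dst"]) == DROPPER_HOST:
        findings.append("ap-contacted-reported-dropper-host")
    if is_socks5_greeting(flow["payload"]):
        # An access point has no legitimate reason to act as a SOCKS5 client.
        findings.append("ap-initiated-socks5-handshake")
    return findings

def scan(flows: list[dict]) -> dict[str, list[str]]:
    """Map each AP source address to the labels raised on its flows."""
    hits: dict[str, list[str]] = {}
    for flow in flows:
        for label in classify_flow(flow):
            hits.setdefault(flow["src"], []).append(label)
    return hits

if __name__ == "__main__":
    for src, labels in scan(SAMPLE_FLOWS).items():
        print(src, labels)
```

Port-independent matching on the greeting bytes matters here because a bot is free to talk SOCKS5 on any port, so a rule keyed to 1080 alone would miss it.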

The botnet is advertised on a Telegram channel, where prices for DDoS attacks are listed. Fortinet has also published indicators of compromise (IoCs) for recent attacks associated with the AndoryuBot botnet. Device owners are encouraged to remain vigilant and apply patches to mitigate the risk posed by this botnet.
