Researchers from FortiGuard Labs have observed a significant increase in attacks targeting the Ruckus Wireless Admin remote code execution vulnerability, tracked as CVE-2023-25717. The activity is linked to the AndoryuBot DDoS botnet, which first emerged in February 2023. This botnet is known for its multiple DDoS attack techniques and use of SOCKS5 proxies for command and control (C2) communication. The vulnerability affects Ruckus Wireless Admin version 10.4 and earlier, which is used by numerous Ruckus wireless Access Point (AP) devices. A remote, unauthenticated attacker can exploit this vulnerability to execute arbitrary code and gain full control of a vulnerable device.
Fortinet researchers have also reported the availability of a Proof-of-Concept (PoC) code for this vulnerability and urge device owners to install the patch as soon as possible. Once a device is compromised, the AndoryuBot downloads a script from the URL http[:]//163[.]123[.]142[.]146 to propagate further. The report published by Fortinet states, “Once a target device is compromised, AndoryuBot quickly spreads and begins communicating with its C2 server via the SOCKS protocol. In a very short time, it is updated with additional DDoS methods and awaits attack commands.” The researchers emphasize the importance of being aware of this new threat and applying patches on affected devices as soon as they become available.
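The download URL quoted above is published in defanged form. As an added, defender-side example (not code from the Fortinet report or from the botnet itself), the script below refangs that indicator, extracts the host and scans firewall and proxy log lines for outbound connections to it. The log lines are constructed for this example; the host-boundary regex avoids false positives on addresses that merely share a prefix with the indicator.

```python
import re
from urllib.parse import urlparse

# Defanged indicator exactly as it appears in the report summarized above.
DEFANGED_URL = "http[:]//163[.]123[.]142[.]146"

# Constructed sample log lines (not real traffic): two hits, one unrelated
# connection, and one near-miss address that shares a prefix with the IoC.
SAMPLE_LOGS = [
    "2023-05-10T03:12:44Z fw01 action=allow src=10.20.30.41 dst=163.123.142.146 dport=80 proto=tcp",
    "2023-05-10T03:12:45Z fw01 action=allow src=10.20.30.41 dst=93.184.216.34 dport=443 proto=tcp",
    "2023-05-10T03:13:01Z proxy01 GET http://163.123.142.146/ client=10.20.30.41 ua=curl/7.81.0",
    "2023-05-10T03:13:07Z fw01 action=allow src=10.20.30.41 dst=163.123.142.14 dport=80 proto=tcp",
]


def refang(indicator: str) -> str:
    """Convert a defanged IoC ('http[:]//1[.]2[.]3[.]4', 'hxxp://...') back to its real form."""
    s = indicator.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    # hxxp / hxxps -> http / https
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    return s


def extract_host(url: str) -> str:
    """Return the host portion of a URL (empty string if it cannot be parsed)."""
    return urlparse(url).hostname or ""


def find_ioc_hits(log_lines, defanged_iocs):
    """Return (line_number, host, line) for every log line that references an IoC host.

    Hosts are matched as whole tokens: a lookbehind/lookahead on digits and dots
    prevents '163.123.142.14' or '163.123.142.1460' from matching the IoC.
    """
    hosts = {extract_host(refang(ioc)) for ioc in defanged_iocs}
    hosts.discard("")
    patterns = {
        host: re.compile(r"(?<![\w.])" + re.escape(host) + r"(?![\w.])")
        for host in hosts
    }
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        for host, pattern in patterns.items():
            if pattern.search(line):
                hits.append((lineno, host, line))
    return hits


if __name__ == "__main__":
    for lineno, host, line in find_ioc_hits(SAMPLE_LOGS, [DEFANGED_URL]):
        print(f"line {lineno}: contact with IoC host {host}: {line}")
```

Run against real firewall or proxy exports, any hit is a strong signal that an AP on that network has already been compromised and should be isolated and reimaged, not only patched.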
The variant analyzed by the researchers targets multiple architectures, including arm, m68k, mips, mpsl, sh4, spc, and x86. After establishing the communication channel, the client waits for a command from the C2 server to initiate a DDoS attack. AndoryuBot supports 12 DDoS attack methods: tcp-raw, tcp-socket, tcp-cnc, tcp-handshake, udp-plain, udp-game, udp-ovh, udp-raw, udp-vse, udp-dstat, udp-bypass, and icmp-echo. Upon receiving the attack command, the bot initiates a DDoS attack on a specific IP address and port number.
The botnet is advertised on a Telegram channel, where prices for DDoS attacks are listed. Fortinet has also published indicators of compromise (IoCs) for recent attacks associated with the AndoryuBot botnet. Device owners are encouraged to remain vigilant and apply patches to mitigate the risk posed by this botnet.