The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding a critical remote code execution (RCE) vulnerability (CVE-2023-25717) in the Ruckus Wireless Admin panel. This flaw is actively being exploited by a recently discovered Distributed Denial-of-Service (DDoS) botnet. Although the security bug was addressed in early February, many Wi-Fi access point owners have not yet applied the patch. Additionally, no patch is available for end-of-life models affected by this issue.
Attackers are taking advantage of the vulnerability to infect Wi-Fi access points with AndoryuBot malware, which was first spotted in February 2023. The infection process involves unauthenticated HTTP GET requests. Once the devices are compromised, they are added to a botnet designed to launch DDoS attacks. The malware supports 12 DDoS attack modes, including tcp-raw, tcp-socket, tcp-cnc, tcp-handshake, udp-plain, udp-game, udp-ovh, udp-raw, udp-vse, udp-dstat, udp-bypass, and icmp-echo.
Cybercriminals looking to carry out DDoS attacks can now rent the firepower of the AndoryuBot botnet, as its operators are offering their services to others. Payments for this service are accepted through the CashApp mobile payment service or in various cryptocurrencies, such as XMR, BTC, ETH, and USDT.
CISA has set a deadline of June 2nd for U.S. Federal Civilian Executive Branch (FCEB) agencies to secure their devices against the critical CVE-2023-25717 RCE bug, which was added to its Known Exploited Vulnerabilities (KEV) catalog on Friday. This is in line with a November 2021 binding operational directive requiring federal agencies to check their networks for, and fix, every security flaw listed in the KEV catalog. Although the catalog primarily targets U.S. federal agencies, private companies are also strongly advised to prioritize patching the vulnerabilities it lists, since threat actors are actively exploiting them and thereby exposing public and private organizations alike to an increased risk of security breaches.
In addition to the Ruckus Wireless vulnerability, CISA ordered federal agencies on Tuesday to patch a Windows zero-day (CVE-2023-29336) by May 30th. This vulnerability allows attackers to elevate privileges and gain SYSTEM-level permissions on compromised Windows systems. Microsoft has confirmed that the Win32k kernel driver bug has been exploited in attacks but has not yet provided details on how it is being exploited.