+44 (0)203 88 020 88

Menu

Search

Cyber Security News & Articles

 

Cyber Security
News & Articles

Trusted Cyber Security Experts
25+ Years Industry Experience
Ethical, Professional & Pragmatic

New Botnet Campaign uses Critical Ruckus Flaw

Researchers at Fortinet have identified a new botnet campaign that utilises a Ruckus remote code execution (RCE) vulnerability to install malware and perform distributed denial of service (DDoS) attacks. This botnet is known as AndoryuBot due to the filename ‘Andoryu’ being used for the malware installed in this attack. It was first seen in attacks in February 2023, however it is believed to have started last year, due to the string “Project Andoryu(12/30/2022). What color is your botnet !being printed during its execution. The current version of this botnet was detected in April 2023, where the Ruckus vulnerability CVE-2023-25717 is exploited. A threat signal report was published by FortiGuard Labs at the end of last month due to a detected spike in the IPS signature for the exploitation of this flaw, which peaked at a trigger count of 1250.  

 

Ruckus Networks identified and patched the currently exploited vulnerability in February 2023. This RCE vulnerability affects Ruckus Wireless Admin panels of version 10.4 and earlier. A security bulletin released at the time lists all the vulnerable Ruckus products, which totals 58 different Wi-Fi access point device models. Some of these devices have patches available, links to which are included in the security bulletin, however some of the affected devices are end-of-life, so no patch will be made available for these products. Proof of concept (PoC) code is available for the exploit of this flaw, as well as evidence of active exploitation in the wild in these botnet attacks. Administrators should therefore patch or replace all vulnerable systems as soon as possible. 

 

CVE-2023-25717 causes improper handling of HTTP GET requests, which results in remote code execution. An attacker can craft a malicious, unauthenticated, HTTP request and send it to the vulnerable server, resulting in complete compromise of the affected devices. This exploit can only be performed by an authenticated attacker, however, this attack can be executed remotely. This has resulted in this vulnerability being given a critical severity rating, and a CVSS base score of 9.8. The AndoryuBot botnet attack uses this flaw for initial access to the vulnerable wireless admin panel Wi-Fi access point, where it can then download a malicious script from a hardcoded URL for further propagation. 

 

The downloaded script uses curl as its file extension, which is the downloading method used to retrieve this script initially. The AndoryuBot version analysed by Fortinet was found to target seven architectures: arm, m68k, mips, mpsl, sh4, spc, and x86. First, the malicious script checks the file parameters, then it decodes the data from the .rodata section using the encryption key 0x2A41605D. This is the stage at which the string “Project Andoryu(12/30/2022). What color is your botnet ! is printed after the execution of the XOR decoding function. This is the final stage of the initialisation of the malware. 

 

Once the initialisation is complete, an HTTP GET request is sent to api.ipify.org. This contains a hardcoded User-Agent string and is used to extract the public IP address of the target device. A connection is then established with a command and control (C2) server controlled by the attacker. The C2 server connection is established through the SOCKS (Socket Secure) protocol, and communication is propagated using SOCKS5 proxies. This protocol allows for firewalls to be bypassed so that the commands can be executed. Once this communication channel is set up it can then be used to trigger the next stage of the attack. 

 

A command from the C2 server containing functions for a DDoS attack is then sent to the client device. There are 12 methods included in these functions which have been identified through the decoded data mentioned previously: tcp-raw, tcp-socket, tcp-cnc, tcp-handshake, udp-plain, udp-game, udp-ovh, udp-raw, udp-vse, udp-dstat, udp-bypass, and icmp-echo. The DDoS attack command causes the system to begin the attack on a specific IP address using a specific port number. The length of the DDoS attack depends on what level of service has been purchased from the threat actors controlling the botnet. The threat actor has set up a Telegram channel to sell this service, including a tiered pricing list for set numbers of daily attacks.  

 

The offering of this botnet in as-a-service DDoS attacks allows unsophisticated attackers to perform this attack for a price making it more likely that these attacks will occur frequently. Any users of vulnerable Ruckus devices should therefore prioritise the mitigation of CVE-2023-25717 to avoid falling victim to these attacks. AndoryuBot is promoted through YouTube videos that demonstrate the capabilities of the botnet, and PoC code has been published, so exploitation of these services is likely to continue to increase in occurrences. 

 

In general botnet malware infections can be mitigated against by ensuring all hardware and software in use is up to date with security patches, and that unsupported end-of-life products are not used. This prevents attackers from being able to exploit vulnerabilities in your systems to gain initial access and install malware for further propagation. Strong administrator credentials and device passwords including the use of MFA can secure your essential and Wi-Fi enabled devices against unauthorised access, and better protect your network. Some settings and capabilities will not always be needed on access points and routers such as remote admin panel access. In these cases, it is better to disable these functions while they are not required to prevent them being abused and exploited.  

 

 

Subscribe to our monthly newsletter today

If you’d like to stay up-to-date with the latest cyber security news and articles from our technical team, you can sign up to our monthly newsletter. 

We hate spam as much as you do, so we promise not to bombard you with emails. We’ll send you a single, curated email each month that contains all of our cyber security news and articles for that month.

Why Choose SecureTeam?

CREST
CCS
ISO9001
ISO27001
CE-PLUS

Customer Testimonials

“We were very impressed with the service, I will say, the vulnerability found was one our previous organisation had not picked up, which does make you wonder if anything else was missed.”

Aim Ltd Chief Technology Officer (CTO)

"Within a very tight timescale, SecureTeam managed to deliver a highly professional service efficiently. The team helped the process with regular updates and escalation where necessary. Would highly recommend"

IoT Solutions Group Limited Chief Technology Officer (CTO) & Founder

“First class service as ever. We learn something new each year! Thank you to all your team.”

Royal Haskoning DHV Service Delivery Manager

“We’ve worked with SecureTeam for a few years to conduct our testing. The team make it easy to deal with them; they are attentive and explain detailed reports in a jargon-free way that allows the less technical people to understand. I wouldn’t work with anyone else for our cyber security.”

Capital Asset Management Head of Operations

“SecureTeam provided Derbyshire's Education Data Hub with an approachable and professional service to ensure our schools were able to successfully certify for Cyber Essentials. The team provided a smooth end-to-end service and were always on hand to offer advice when necessary.”

Derbyshire County Council Team Manager Education Data Hub

“A very efficient, professional, and friendly delivery of our testing and the results. You delivered exactly what we asked for in the timeframe we needed it, while maintaining quality and integrity. A great job, done well.”

AMX Solutions IT Project Officer

“We were very pleased with the work and report provided. It was easy to translate the provided details into some actionable tasks on our end so that was great. We always appreciate the ongoing support.”

Innovez Ltd Support Officer

Get in touch today

If you’d like to see how SecureTeam can take your cybersecurity posture to the next level, we’d love to hear from you, learn about your requirements and then send you a free quotation for our services.

Our customers love our fast-turnaround, “no-nonsense” quotations – not to mention that we hate high-pressure sales tactics as much as you do.

We know that every organisation is unique, so our detailed scoping process ensures that we provide you with an accurate quotation for our services, which we trust you’ll find highly competitive.

Get in touch with us today and a member of our team will be in touch to provide you with a quotation. 

0

No products in the basket.

No products in the basket.