New Botnet Campaign Exploits Ruckus Wireless Flaw

A critical vulnerability has been discovered in Linux-based Ruckus access points (APs) that allows remote attackers to take control of vulnerable systems.

Tracked as CVE-2023-25717 and first discovered in February, the flaw has recently been exploited by a new botnet named AndoryuBot, according to a new advisory by Fortinet.

“[AndoryuBot] contains DDoS attack modules for different protocols and communicates with its command-and-control server using SOCKS5 proxies,” explained Fortinet senior antivirus analyst Cara Lin.

“Based on our IPS [intrusion prevention system] signatures trigger count [...] this campaign started distributing the current version sometime after mid-April.”

AndoryuBot utilizes the Ruckus vulnerability to obtain entry into a device and subsequently downloads a script for additional spread. The particular variant observed by Fortinet targeted Linux systems and was designed to infect different types of computer processors, including some used in smartphones, laptops and other electronic devices. 

AndoryuBot downloads itself using the curl command-line tool. However, Fortinet found an error in the malware’s code that makes it unable to run on some computers.

“Once a target device is compromised, AndoryuBot quickly spreads and begins communicating with its C2 server via the SOCKS protocol,” Lin wrote. “Once the victim system receives the attack command, it starts a DDoS attack on a specific IP address and port number.”

According to Lin, AndoryuBot then quickly updates with more DDoS methods and awaits attack commands.

“Users should be aware of this new threat and actively apply patches on affected devices as soon as they become available,” advised Fortinet.

The advisory provides IPS signatures for customers and Indicators of Compromise (IOCs) for other system defenders to safeguard companies against the threats identified in the exploit.

Its publication comes weeks after Akamai security researchers discovered a new DDoS botnet capable of launching attacks with data volumes reaching several Tbps.
