Security News > 2023 > May > Andoryu Botnet Exploits Critical Ruckus Wireless Flaw for Widespread Attack
A nascent botnet called Andoryu has been found to exploit a now-patched critical security flaw in the Ruckus Wireless Admin panel to break into vulnerable devices.
While the malware is known to weaponize remote code execution flaws in GitLab and Lilin DVR for propagation, the addition of CVE-2023-25717 shows that Andoryu is actively expanding its exploit arsenal to ensnare more devices into the botnet.
Further analysis of the attack chain has revealed that once the Ruckus flaw is used to gain access to a device, a script from a remote server is dropped onto the infected device for proliferation.
The malware, for its part, also establishes contact with a C2 server and awaits further instructions to launch a DDoS attack against targets of interest using protocols like ICMP, TCP, and UDP. The cost associated with mounting such attacks is advertised via a listing on the seller's Telegram channel, with monthly plans ranging from $90 to $115 depending on the duration.
The alert follows the discovery of new versions of the RapperBot DDoS botnet that incorporate cryptojacking functionality to profit off compromised Intel x64 systems by dropping a Monero crypto miner.
RapperBot campaigns have primarily focused on brute-forcing IoT devices with weak or default SSH or Telnet credentials to expand the botnet's footprint for launching DDoS attacks.
News URL
https://thehackernews.com/2023/05/andoryu-botnet-exploits-critical-ruckus.html
Related news
- Critical Ivanti RCE flaw with public exploit now used in attacks (source)
- Critical Flaws in Tank Gauge Systems Expose Gas Stations to Remote Attacks (source)
- New Cryptojacking Attack Targets Docker API to Create Malicious Swarm Botnet (source)
- Researchers Warn of Ongoing Attacks Exploiting Critical Zimbra Postjournal Flaw (source)
- Alert: Adobe Commerce and Magento Stores Under Attack from CosmicSting Exploit (source)
- Google Adds New Pixel Security Features to Block 2G Exploits and Baseband Attacks (source)
- New Gorilla Botnet Launches Over 300,000 DDoS Attacks Across 100 Countries (source)
- Qualcomm Urges OEMs to Patch Critical DSP and WLAN Flaws Amid Active Exploits (source)
- Exploit code for critical GitLab auth bypass flaw released (CVE-2024-45409) (source)
- CISA says critical Fortinet RCE flaw now exploited in attacks (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-02-13 | CVE-2023-25717 | Code Injection vulnerability in Ruckuswireless Ruckus Wireless Admin, Smartzone and Smartzone AP Ruckus Wireless Admin through 10.4 allows Remote Code Execution via an unauthenticated HTTP GET Request, as demonstrated by a /forms/doLogin?login_username=admin&password=password$(curl substring. | 9.8 |