Posted on May 9, 2023 at 9:12 AM
Hackers exploit Ruckus RCE vulnerability to launch DDoS attacks
Hackers have been using a new malware known as “AndoryuBot” to conduct hacking attacks. The malware targets a critical-severity vulnerability within the Ruckus Wireless Admin panel. After the hackers infiltrate the device, they later infect the unpatched Wi-Fi access points and use them to conduct distributed denial-of-service (DDoS) exploits.
New malware botnet targets flaw on Ruckus Wireless Admin panel
The flaw in question is tracked as CVE-2023-25717. The vulnerability affects all the Ruckus Wireless Admin panels from version 10.4 and older. The move allows the threat actors to complete code execution after sending an unauthenticated HTTP GET request to the vulnerable device.
The vulnerability in question was detected, and a patch for it was issued on February 8, 2023. However, many people have yet to install the needed security updates to patch the flaw, leaving their devices vulnerable to being exploited by the threat actors behind the AndoryuBot malware.
The company has also announced that the end-of-life models affected by the security flaw would not receive a patch to fix the vulnerability. The AndoryuBot malware that poses a threat to those using devices with this malware was first detected in the wild in February 2023.
A report by Fortinet has, however, said that the malware appears to have evolved. The cybersecurity company has said that a newer version of this malware targeting Ruckus devices as detected in mid-April.
This malware aims to enlist vulnerable devices to the DDoS swarm from which it operates at a profit. The goal behind this threat actor group exploiting the flaw appears to be financial extortion. While financial motivation is the main reason behind a significant number of DDoS attacks, some of these attacks are also launched by hacktivist groups seeking to send a message to adversaries.
DDoS attacks have become rampant in recent years because of the low barrier to entry. Cybercriminals that do not have the technical know-how to conduct such attacks can use DDoS-for-hire services. However, law enforcement agencies have been cracking down on such sites, as seen in the recent seizure of 13 domains by US authorities.
However, in the recent case of Ruckus, the hackers appear to be sophisticated as they not only use the malware to conduct their own attacks but also rent out their services to other cybercriminals for a fee.
A hacking attack against Ruckus
The hackers exploiting this vulnerability deploy the AndoryuBot malware. The malware is used to infect vulnerable devices using malicious HTTP GET requests. The malware will later download an additional script from a hardcoded URL for more propagation of the attack.
The variant that Fortinet analyzed can be used to target several system architectures. Some of these targets include arm, m68k, mips, mpsl, sh4, spc, and x86. After the threat actor has successfully infected a device, the malware will create a connection with the C2 server through the SOCKS proxying protocol.
The hackers are also stealthy in their operation as they have taken measures to avoid detection. The SOCKS proxying protocol used by hackers will ensure that their operation continues to run stealthily. The malware will also bypass any security firewall before waiting for a command to infect the target device.
The AndoryuBot malware has many capabilities when it comes to launching DDoS attacks. The malware supports 12 DDoS attack modes, including tcp-socket, tcp-raw, tcp-handshake, tcp-cnc, udp-game, udp-plain, udp-ovh, udp-vse, udp-raw, udp-bypass, udp-dstat and icmp-echo.
The AndoryuBot malware will obtain commands from the command and control server. This server will inform the server of the type of DDoS attack that will be executed, the target’s IP address, and the port number to be used in the exploit.
The hackers using this malware are also renting their infrastructure to other threat actors interested in launching DDoS attacks. They rent out the services at a fee and get paid in cryptocurrencies such as Monero, Bitcoin, Ethereum, and USDT. They also use CashApp.
According to Fortinet, the weekly rental price for a single-connection 90-second attack that will be launched 50 times a day is $20. It also charges $115 for a double-connection 200-second attack that will be launched 100 times daily. The AndoryuBot capabilities are being marketed through videos posted on YouTube.
It is advisable that firms and individuals take the appropriate measures to protect themselves from these attacks. Firms should install all the needed updates and set up string administrator passwords. It is also recommended that one disables the remote admin panel access if it is not needed.