Andoryu Botnet Exploits Critical Ruckus Wireless Flaw for Widespread Attack

May 11, 2023 | Ravie Lakshmanan | Endpoint Security / Cyber Threat


A nascent botnet called Andoryu has been found to exploit a now-patched critical security flaw in the Ruckus Wireless Admin Panel to break into vulnerable devices.

The flaw, tracked as CVE-2023-25717 (CVSS score: 9.8), stems from improper handling of HTTP requests, leading to unauthenticated remote code execution and full compromise of the wireless access point (AP).

Andoryu was first documented by Chinese cybersecurity firm QiAnXin earlier this February, detailing its ability to communicate with command and control (C2) servers using the SOCKS5 protocol.


While the malware is known to weaponize remote code execution bugs in GitLab (CVE-2021-22205) and Lilin DVRs for propagation, the addition of CVE-2023-25717 shows that Andoryu is actively expanding its arsenal of exploits to trap more devices in the botnet.

“It contains DDoS attack modules for different protocols and communicates with its command and control server through SOCKS5 proxies,” said Cara Lin, a researcher at Fortinet FortiGuard Labs, adding that the latest campaign began in late April 2023.

Further analysis of the attack chain revealed that once the Ruckus flaw is used to gain access to a device, a script from a remote server is sent to the infected device for propagation.


The malware, meanwhile, also contacts a C2 server and waits for further instructions to launch a DDoS attack against targets of interest using protocols such as ICMP, TCP, and UDP.

The cost associated with carrying out these attacks is advertised through a listing on the vendor’s Telegram channel, with monthly plans ranging from $90 to $115 depending on the duration.

RapperBot Botnet adds Crypto Mining to its list of capabilities

The alert follows the discovery of new versions of the RapperBot DDoS botnet that incorporate cryptojacking functionality to take advantage of compromised Intel x64 systems by dropping a Monero crypto miner.

RapperBot campaigns have primarily focused on brute-forcing IoT devices with weak or default SSH or Telnet credentials to expand the botnet’s footprint to launch DDoS attacks.
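As an added illustration (not code from the article or from Fortinet), the following Python detector flags the pattern described above over constructed sshd log lines: a burst of failed logins from one source, and a subsequent successful login from that same source, which is what an operator reusing brute-forced credentials would look like. The log lines, hostnames and IP addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines (not from the article); IPs are documentation ranges.
SAMPLE_LOG = """\
May 11 10:00:01 ap sshd[101]: Failed password for root from 198.51.100.7 port 40001 ssh2
May 11 10:00:02 ap sshd[102]: Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2
May 11 10:00:03 ap sshd[103]: Failed password for root from 198.51.100.7 port 40003 ssh2
May 11 10:00:04 ap sshd[104]: Failed password for invalid user support from 198.51.100.7 port 40004 ssh2
May 11 10:00:05 ap sshd[105]: Failed password for root from 198.51.100.7 port 40005 ssh2
May 11 10:00:09 ap sshd[106]: Accepted password for root from 198.51.100.7 port 40006 ssh2
May 11 10:05:00 ap sshd[107]: Failed password for alice from 203.0.113.9 port 50001 ssh2
May 11 10:05:30 ap sshd[108]: Accepted password for alice from 203.0.113.9 port 50002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse_line(line, year=2023):
    # syslog timestamps carry no year, so the caller supplies one
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: verdict}: 'bruteforce' once an IP has >= threshold failures
    inside the sliding window, upgraded to 'bruteforce+success' if the same
    IP later logs in successfully (credential reuse after guessing)."""
    failures = defaultdict(list)
    verdicts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["result"] == "Failed":
            recent = [t for t in failures[ip] if ev["ts"] - t <= window]
            recent.append(ev["ts"])
            failures[ip] = recent
            if len(recent) >= threshold:
                verdicts.setdefault(ip, "bruteforce")
        elif ip in verdicts:
            verdicts[ip] = "bruteforce+success"
    return verdicts
```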


Fortinet said it detected the latest iteration of RapperBot’s mining activity in January 2023, with the attacks delivering a Bash shell script that is in turn capable of downloading and running XMRig cryptocurrency miners and separate RapperBot binaries.

Subsequent updates to the malware have merged the two disparate functions into a single bot client with mining capabilities, while taking steps to kill competing mining processes.


Interestingly, none of the new RapperBot samples with the built-in XMRig miner incorporate self-propagation capabilities, raising the possibility of an alternative distribution mechanism.

“This suggests the possible availability of an external loader operated by the threat actor that abuses credentials collected by other RapperBot samples with brute-forcing capabilities and infects only x64 machines with the combined bot/miner,” Fortinet theorized.

RapperBot’s expansion into cryptojacking is another indication that financially motivated threat operators are leaving no stone unturned to “extract maximum value from machines infected by their botnets.”

The twin developments also come as the US Department of Justice announced the seizure of 13 Internet domains associated with DDoS-for-hire services.


The tech world has been rocked today with news that the Andoryu botnet has successfully exploited a critical flaw in Ruckus Wireless and mounted a widespread attack. This botnet has been targeting Internet of Things (IoT) devices such as wireless routers, connected cameras, and other consumer electronics with malware and command and control code.

Ikaroa, a full-stack tech company specializing in secure wireless networking, warns that this attack exhibits the peak of sophistication and efficiency. Users should take all necessary precautions to protect their IoT devices from further damage.

By infiltrating large networks of connected devices, the botnet can launch hugely powerful distributed denial of service (DDoS) attacks, leak stolen data, and even corrupt system software. As researchers investigated the malware, they discovered that the malicious code is able to bypass many of the security measures present in older devices, targeting them particularly.

Ikaroa advises users to update their firmware and devices regularly, as this can greatly reduce the chance of a successful attack. Unevenly distributed updates across the market create a gap that malicious actors can exploit. This is particularly concerning, as the attack has already been unleashed and is actively targeting vulnerable devices.

In fact, the botnet has already exploited thousands of devices, including connected TVs, vacuums, refrigerators, and other consumer electronics. As weakly secured IoT devices continue to be targeted, the capacity of the attack increases.

Ikaroa recommends that all users vigilantly survey their connected devices to determine if any unauthorised changes have been made. Furthermore, they encourage users to keep wireless networks secured and protect their passwords by using two-factor authentication.

All in all, this attack is a powerful reminder that security should always be of top priority when handling and managing connected devices. Users should ensure that their devices are regularly updated, especially given that these botnets are evolving in strength and sophistication.
