Ruckus Wireless Products in the Crosshairs
On February 8th, 2023, a vendor alerted customers regarding a security vulnerability in Ruckus Wireless Admin. CVE-2023-25717 is a critical Remote Code Execution (RCE) vulnerability impacting Ruckus Wireless Admin.
This vulnerability stems from inadequate handling of a specially crafted HTTP request. As indicated by the NVD vulnerability description and the publicly available POC, the vulnerability is exploited by sending the HTTP GET request –
The Cyble Global Sensor Network (CGSI) observed active exploitation of CVE-2023-25717 and deployment of AndoryuBot, as shown in the image below. This incident indicates that Threat Actors (TAs) are actively looking for vulnerable Ruckus assets for exploitation purposes.
Since the Proof of Concept (POC) for the vulnerability is publicly available, we expect that Threat Actors (TAs) will exploit this vulnerability on a large scale. On May 8th, 2023, Fortinet released a blog stating that AndoryuBot is being distributed through the Ruckus vulnerability. The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2023-25717 to its Known Exploited Vulnerabilities catalog on May 15th, 2023.
AndoryuBot is a new Botnet malware sold on Telegram on a subscription basis. The deployment of such malware by TAs allows them to orchestrate large-scale DDoS attacks, which can overwhelm targeted servers and infrastructure by flooding them with a massive volume of traffic.
Exposure of Ruckus Wireless Admin Panel
As the vulnerability falls under the critical severity category and is being used by AndoryuBot, Researchers at Cyble investigated one of the online scanners for internet-exposed Ruckus Wireless Admin panels. They found that there are ~52k instances exposed over the internet.
The figure below represents the geographical distribution of internet-exposed instances.
The graph below shows the Top 5 countries with the highest number of exposed assets.
The AndoryuBot binary (SHA256: c4925a91ed853920d8acee79bf0bb9342da4dabc0a2970823027f39ede399bce) is a 32-bit Linux executable.
The figure below shows the file details.
When the malware binary is executed, it examines the count of command line arguments provided during execution. It will proceed with its execution only if a single argument is detected.
The figure below illustrates the process of determining the number of arguments passed.
Subsequently, the malware calls the prctl() function with the option argument set to 15 (PR_SET_NAME), which changes the name of the calling process. Its objective is to change the process name to “DvrHelper” so that it blends in with legitimate processes in tools such as ps and top. This is a defense evasion technique used to hide artifacts.
The figure below shows the malware’s call to prctl().
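A renamed process still points at its real binary through /proc/&lt;pid&gt;/exe, while the name set via prctl(PR_SET_NAME) lands in /proc/&lt;pid&gt;/comm. The following defender-side script, added here as an example and not code from the original post or from the malware, walks /proc and flags processes whose comm name does not match the basename of their executable. The sample values in the usage note and the "DvrHelper" / "andoryu.x86" pairing are constructed for illustration; the path of the real sample is not on the page.

```python
import os
from dataclasses import dataclass
from typing import List, Optional

# The kernel stores comm in a 16-byte buffer including the NUL, so at most 15 characters survive.
TASK_COMM_LEN = 15
DELETED_SUFFIX = " (deleted)"  # appended by the kernel when the backing file was unlinked


@dataclass
class ProcInfo:
    pid: int
    comm: str          # name visible in ps/top, settable with prctl(PR_SET_NAME)
    exe: Optional[str]  # resolved /proc/<pid>/exe link, None for kernel threads or when unreadable
    cmdline: List[str]


def expected_comm(exe_path: str) -> str:
    """Name the kernel would have assigned from the executable path if nothing renamed it."""
    if exe_path.endswith(DELETED_SUFFIX):
        # Malware often unlinks its own binary after launch; strip the marker before comparing.
        exe_path = exe_path[: -len(DELETED_SUFFIX)]
    return os.path.basename(exe_path)[:TASK_COMM_LEN]


def name_mismatch(comm: str, exe_path: str) -> bool:
    """True when the advertised process name does not match the executable on disk."""
    return comm != expected_comm(exe_path)


def read_proc(pid: int) -> Optional[ProcInfo]:
    """Collect comm, exe and cmdline for one pid; returns None if the process vanished."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/comm") as f:
            comm = f.read().rstrip("\n")
        with open(f"{base}/cmdline", "rb") as f:
            cmdline = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
    except OSError:
        return None
    try:
        exe = os.readlink(f"{base}/exe")
    except OSError:
        exe = None  # kernel thread, zombie, or insufficient permissions
    return ProcInfo(pid, comm, exe, cmdline)


def suspicious_processes(proc_root: str = "/proc") -> List[ProcInfo]:
    """Return every live process whose comm disagrees with its executable's basename."""
    if not os.path.isdir(proc_root):
        return []
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        info = read_proc(int(entry))
        if info is None or info.exe is None:
            continue
        if name_mismatch(info.comm, info.exe):
            hits.append(info)
    return hits


if __name__ == "__main__":
    for p in suspicious_processes():
        print(f"pid={p.pid} comm={p.comm!r} exe={p.exe!r} cmdline={' '.join(p.cmdline)!r}")
```

Run it as root so every /proc/&lt;pid&gt;/exe link is readable. A process named "DvrHelper" whose exe resolves to something like /tmp/andoryu.x86 (a constructed path) would be reported; expect benign hits too, for example interpreters launched through a symlink (comm "python3", exe "python3.11") and processes whose exe link ends in " (deleted)" because they were upgraded in place, so treat the output as a triage list rather than a verdict.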
Following that, the AndoryuBot binary proceeds to decrypt the encrypted strings located within the “.rodata” section. Employing a common decryption loop, it decrypts each encrypted string present.
The figure below illustrates the call to decryption function incorporated within the malware.
Subsequently, the malware establishes sockets to facilitate communication with a Command and Control (C&C) server. Depending on the instructions received from the server, the malware carries out nefarious activities, such as initiating a Distributed Denial of Service (DDoS) attack.
To facilitate network communication, the malware utilizes the socket() function to create a socket.
Ruckus specializes in providing networking solutions and services that various organizations widely utilize. However, the widespread use of networking products has attracted the interest of TAs who actively exploit vulnerabilities for their malicious intents.
Recent incidents involving the exploitation of vulnerabilities in GoAnywhere, PaperCut, and now Ruckus serve as indicators that TAs are actively seeking out internet-exposed instances that are susceptible to attacks.
In today’s era, it has become increasingly crucial to have a comprehensive understanding of security vulnerabilities within organizations to effectively address and mitigate potential risks.
- Implement proper network segmentation to prevent attackers from performing lateral movement and minimize exposure of critical assets over the internet.
- Keeping software, firmware, and applications updated with the recent patches and mitigations released by the official vendor is necessary to prevent attackers from exploiting vulnerabilities.
- Regular audits, vulnerability assessments, and penetration testing exercises are key in finding security loopholes that attackers may exploit.
- Continuous monitoring and logging can help in detecting network anomalies early.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| --- | --- | --- |
| Execution | T1059 | Command and Scripting Interpreter |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information |
| Privilege Escalation | T1055 | Process Injection |
| Command and Control | T1095 | Non-Application Layer Protocol |
Indicators of Compromise (IoCs):
| Indicator | Indicator Type | Description |
| --- | --- | --- |
| hxxp[:]//126.96.36.199/ | URL | Malicious URL |
| hxxp[:]//188.8.131.52/Andoryu.m68k | URL | Malicious URL |
| hxxp[:]//184.108.40.206/Andoryu.spc | URL | Malicious URL |
| hxxp[:]//220.127.116.11/Andoryu.arm7 | URL | Malicious URL |
| hxxps[:]//18.104.22.168/ | URL | Malicious URL |
| hxxp[:]//22.214.171.124/gitlab | URL | Malicious URL |
| hxxp[:]//126.96.36.199/Andoryu.i686 | URL | Malicious URL |
| hxxp[:]//188.8.131.52/rt/ | URL | Malicious URL |
| hxxp[:]//184.108.40.206/rt | URL | Malicious URL |
| hxxp[:]//220.127.116.11/andoryu.arm5 | URL | Malicious URL |
| hxxp[:]//18.104.22.168/Andoryu.arm6 | URL | Malicious URL |
| hxxp[:]//22.214.171.124/Andoryu.mpsl/ | URL | Malicious URL |
| hxxp[:]//126.96.36.199/Andoryu.arm | URL | Malicious URL |
| hxxp[:]//188.8.131.52/Andoryu.x86 | URL | Malicious URL |
| 184.108.40.206 | IP Address | Malicious IP dropping AndoryuBot |
| 220.127.116.11 | IP Address | Malicious IP dropping AndoryuBot |
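Indicators like the ones above are published defanged (hxxp, [:]) so they cannot be clicked by accident, which also means they cannot be fed to a proxy or IDS as-is. The following helper, added here as an example and not part of the original post, refangs a block of space-separated indicators, groups the payload paths by host, and matches a proxy-log URL against that host index. The indicator cell it parses is constructed from TEST-NET addresses for illustration; substitute the table's own values when building a real blocklist.

```python
import re
from typing import Dict, List, Set
from urllib.parse import urlsplit

# Constructed sample in the same defanged layout as the IoC table (RFC 5737 TEST-NET addresses,
# not real indicators). A real feed would paste the table cell here.
SAMPLE_IOC_CELL = (
    "hxxp[:]//192.0.2.10/ hxxp[:]//192.0.2.10/Andoryu.x86 "
    "hxxps[:]//198.51.100.7/ hxxp[:]//203.0.113.5/Andoryu.arm7 hxxp[:]//203.0.113.5/rt/"
)


def refang(ioc: str) -> str:
    """Undo the common defanging conventions: hxxp -> http, [:] -> :, [.] / (.) -> ."""
    s = ioc.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s.replace("[:]", ":").replace("[.]", ".").replace("(.)", ".")


def split_cell(cell: str) -> List[str]:
    """The table stores several URLs in one cell separated by whitespace."""
    return [tok for tok in cell.split() if tok]


def extract_hosts(cell: str) -> Dict[str, List[str]]:
    """Map each host in the cell to the sorted list of URL paths observed for it."""
    hosts: Dict[str, Set[str]] = {}
    for tok in split_cell(cell):
        parts = urlsplit(refang(tok))
        if not parts.hostname:
            continue  # skip tokens that are not URLs (bare IPs are handled by the caller)
        hosts.setdefault(parts.hostname, set()).add(parts.path or "/")
    return {host: sorted(paths) for host, paths in hosts.items()}


def matches_ioc(url: str, index: Dict[str, List[str]]) -> bool:
    """True when a (refanged) URL from a proxy or web-server log points at a known host."""
    parts = urlsplit(refang(url))
    return parts.hostname in index


if __name__ == "__main__":
    index = extract_hosts(SAMPLE_IOC_CELL)
    for host, paths in index.items():
        print(host, paths)
    # Constructed log URL: would be flagged because the host is in the index.
    print(matches_ioc("http://203.0.113.5/rt/", index))
```

Matching on the host rather than the full URL is deliberate: the same drop server hosts one payload per architecture (x86, arm7, mpsl, m68k in the table), so a download of a filename not yet in the feed still hits the blocklist.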