Headline
Andoryu Botnet Exploits Critical Ruckus Wireless Flaw for Widespread Attack
A nascent botnet called Andoryu has been found to exploit a now-patched critical security flaw in the Ruckus Wireless Admin panel to break into vulnerable devices. The flaw, tracked as CVE-2023-25717 (CVSS score: 9.8), stems from improper handling of HTTP requests, leading to unauthenticated remote code execution and a complete compromise of wireless Access Point (AP) equipment. Andoryu was
Endpoint Security / Cyber Threat
A nascent botnet called Andoryu has been found to exploit a now-patched critical security flaw in the Ruckus Wireless Admin panel to break into vulnerable devices.
The flaw, tracked as CVE-2023-25717 (CVSS score: 9.8), stems from improper handling of HTTP requests, leading to unauthenticated remote code execution and a complete compromise of wireless Access Point (AP) equipment.
Andoryu was first documented by Chinese cybersecurity firm QiAnXin earlier this February, detailing its ability to communicate with command-and-control (C2) servers using the SOCKS5 protocol.
While the malware is known to weaponize remote code execution flaws in GitLab (CVE-2021-22205) and Lilin DVR for propagation, the addition of CVE-2023-25717 shows that Andoryu is actively expanding its exploit arsenal to ensnare more devices into the botnet.
“It contains DDoS attack modules for different protocols and communicates with its command-and-control server using SOCKS5 proxies,” Fortinet FortiGuard Labs researcher Cara Lin said, adding the latest campaign commenced in late April 2023.
Further analysis of the attack chain has revealed that once the Ruckus flaw is used to gain access to a device, a script from a remote server is dropped onto the infected device for proliferation.
The malware, for its part, also establishes contact with a C2 server and awaits further instructions to launch a DDoS attack against targets of interest using protocols like ICMP, TCP, and UDP.
The cost associated with mounting such attacks is advertised via a listing on the seller’s Telegram channel, with monthly plans ranging from $90 to $115 depending on the duration.
RapperBot Botnet Adds Crypto Mining to its List of Capabilities
The alert follows the discovery of new versions of the RapperBot DDoS botnet that incorporate cryptojacking functionality to profit off compromised Intel x64 systems by dropping a Monero crypto miner.
RapperBot campaigns have primarily focused on brute-forcing IoT devices with weak or default SSH or Telnet credentials to expand the botnet’s footprint for launching DDoS attacks.
UPCOMING WEBINAR
Learn to Stop Ransomware with Real-Time Protection
Join our webinar and learn how to stop ransomware attacks in their tracks with real-time MFA and service account protection.
Save My Seat!
Fortinet said it detected the latest iteration of the RapperBot miner activity in January 2023, with the attacks delivering a Bash shell script that, in turn, is capable of downloading and executing separate XMRig crypto miners and RapperBot binaries.
Subsequent updates to the malware have merged the two disparate functions into a single bot client with mining capabilities, while also taking steps to terminate competing miner processes.
Interestingly, none of the new RapperBot samples with the integrated XMRig miner incorporate self-propagation capabilities, raising the possibility of an alternate distribution mechanism.
“This suggests the possible availability of an external loader operated by the threat actor that abuses the credentials collected by other RapperBot samples with brute forcing capabilities and infects only x64 machines with the combined bot/miner,” Fortinet theorized.
RapperBot’s expansion to cryptojacking is yet another indication that financially motivated threat operators leave no stone unturned to “extract the maximum value from machines infected by their botnets.”
The twin developments also come as the U.S. Justice Department announced the seizure of 13 internet domains associated with DDoS-for-hire services.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Related news
A financially motivated threat actor has been outed as an initial access broker (IAB) that sells access to compromised organizations for other adversaries to conduct follow-on attacks such as ransomware. SecureWorks Counter Threat Unit (CTU) has dubbed the e-crime group Gold Melody, which is also known by the names Prophet Spider (CrowdStrike) and UNC961 (Mandiant). "This financially motivated
GitLab has shipped security patches to resolve a critical flaw that allows an attacker to run pipelines as another user. The issue, tracked as CVE-2023-5009 (CVSS score: 9.6), impacts all versions of GitLab Enterprise Edition (EE) starting from 13.12 and prior to 16.2.7 as well as from 16.3 and before 16.3.4. "It was possible for an attacker to run pipelines as an arbitrary user via scheduled
The China-linked threat actor known as Earth Lusca has been observed targeting government entities using a never-before-seen Linux backdoor called SprySOCKS. Earth Lusca was first documented by Trend Micro in January 2022, detailing the adversary's attacks against public and private sector entities across Asia, Australia, Europe, North America. Active since 2021, the group has relied on
A new, financially motivated operation dubbed LABRAT has been observed weaponizing a now-patched critical flaw in GitLab as part of a cryptojacking and proxyjacking campaign. "The attacker utilized undetected signature-based tools, sophisticated and stealthy cross-platform malware, command-and-control (C2) tools which bypassed firewalls, and kernel-based rootkits to hide their presence," Sysdig
A financially motivated threat actor of Indonesian origin has been observed leveraging Amazon Web Services (AWS) Elastic Compute Cloud (EC2) instances to carry out illicit crypto mining operations. Cloud security company's Permiso P0 Labs, which first detected the group in November 2021, has assigned it the moniker GUI-vil (pronounced Goo-ee-vil). "The group displays a preference for Graphical
Categories: Exploits and vulnerabilities Categories: News Tags: Ruckus Tags: CISA Tags: AndoryuBot Tags: CVE-2023-25717 Tags: 163.123.142.146 CISA has added a Ruckus vulnerability being abused by the AndoryuBot botnet to its catalog. (Read more...) The post Update now! Ruckus vulnerability added to CISA’s list of actively exploited bugs appeared first on Malwarebytes Labs.
Ruckus Wireless Admin through 10.4 allows Remote Code Execution via an unauthenticated HTTP GET Request, as demonstrated by a /forms/doLogin?login_username=admin&password=password$(curl substring.
Hello everyone! This episode will be about the new hot twenty vulnerabilities from CISA, NSA and FBI, Joint cybersecurity advisory (CSA) AA22-279A, and how I analyzed these vulnerabilities using my open source project Vulristics. Alternative video link (for Russia): https://vk.com/video-149273431_456239105 Americans can’t just release a list of “20 vulnerabilities most commonly exploited in attacks on […]
Categories: Exploits and vulnerabilities Categories: News Tags: Chinese APT Tags: advanced persistent threat Tags: APT Tags: CISA Tags: NSA Tags: FBI Tags: security advisory CISA, the NSA and the FBI have compiled a list of the vulnerabilities targeted by state-sponsorted threat actors from China. (Read more...) The post Chinese APT's favorite vulnerabilities revealed appeared first on Malwarebytes Labs.