New Botnet Campaign Exploits Ruckus Wireless Flaw

A critical vulnerability has been discovered in Linux-based Ruckus Access Points (APs) that could allow a remote attacker to take control of a vulnerable system.

According to a new Fortinet advisory, the flaw, tracked as CVE-2023-25717 and first discovered in February, was recently exploited by a new botnet named AndoryuBot.

“[AndoryuBot] contains DDoS attack modules for various protocols and uses SOCKS5 proxies to communicate with command and control servers,” explains Cara Lin, senior antivirus analyst at Fortinet.

“Based on our IPS [intrusion prevention system] signature trigger count […] this campaign began distributing the current version after mid-April.”


AndoryuBot leverages the Ruckus vulnerability to infiltrate devices and then downloads scripts to spread further. The specific variant Fortinet observed targeted Linux systems and was built for many processor architectures, including those used in smartphones, laptops, and other electronic devices.

AndoryuBot downloads itself using the curl command-line tool. However, Fortinet found an error in the malware’s code that prevented it from running on some systems.

“Once the target device is compromised, AndoryuBot spreads rapidly and begins communicating with its C2 server via the SOCKS protocol,” wrote Lin. “Once the victim’s system receives the attack command, it will launch a DDoS attack against a specific IP address and port number.”

According to Lin, AndoryuBot has since been updated with more DDoS methods and waits for attack commands.

“Users should be aware of this new threat and proactively apply patches to affected devices as soon as they become available,” advises Fortinet.

The advisory provides IPS signatures for Fortinet customers and indicators of compromise (IOCs) so that other defenders can protect their environments against the threats identified in this campaign.

The disclosure comes weeks after Akamai security researchers discovered a new DDoS botnet capable of launching attacks with data volumes approaching several Tbps.
