CVE-2023-25717 Detection: New Malware Botnet AndoryuBot Exploits RCE Flaw in the Ruckus Wireless Admin Panel

A new DDoS botnet dubbed AndoryuBot poses a threat to Ruckus Wireless Admin panels by exploiting a newly patched critical severity flaw tracked as CVE-2023-25717 with the CVSS base score reaching 9.8. The vulnerability exploitation can potentially lead to remote code execution (RCE) and a full compromise of wireless Access Point (AP) equipment.

Detecting CVE-2023-25717 Exploitation Attempts

Proactive detection of vulnerability exploitation has remained one of the top content priorities since 2021 due to a growing number of discovered CVEs compromising widely used software solutions and actively leveraged in in-the-wild attacks.

With CVE-2023-25717 being actively exploited to enslave Ruckus Wireless AP devices to the Andoryu botnet, cyber defenders require a reliable source of detection content to identify the infection timely and react proactively. SOC Prime team has recently released a new Sigma rule, which identifies possible remote code execution attempts to make lateral movements internally and establish additional points of persistence within the organization: 

Possible Ruckus Wireless AP CVE-2023-25717 Exploitation Attempt (via proxy)

This Sigma rule is aligned with the MITRE ATT&CK v12 framework addressing the Lateral Movement tactic with the corresponding Exploitation of Remote Services (T1210) technique and can be applied across 18 industry-leading SIEM, EDR, XDR, and BDP solutions. 

To outspeed the adversaries and always stay on top of emerging threats, SOC Prime Platform curates a batch of detection content addressing exploitation attempts for the most trending vulnerabilities. Just hit the Explore Detection button and immediately drill down to the relevant Sigma rules accompanied by relevant metadata, including ATT&CK and CTI references.

Explore Detections

CVE-2023-25717 Description

The novel malware botnet called AndoryuBot, which first came to the spotlight in the malicious arena inFebruary 2023, has resurfaced to target Ruckus devices. In the ongoing malicious campaigns that have been observed since April 2023, hackers abuse the recently patched RCE vulnerability known as CVE-2023-25717, which affects all Ruckus Wireless Admin panels v.10.4 and earlier.

According to the Fortinet research, the latest AndoryuBot campaign uses an upgraded botnet version that takes advantage of the newly patched security flaw, CVE-2023-25717. The vulnerability weaponized in the most recent AndoryuBot campaigns was first uncovered and patched in early February based on the corresponding Ruckus cybersecurity advisory. However, the end-of-life device models affected by the vulnerability couldn’t be patched, exposing the system to potential DDoS attacks.

The infection chain starts with AndoryuBot affecting the compromised Ruckus devices via a malicious HTTP GET request aimed to retrieve the targeted user’s IP address, then attempts to connect to the C2 server via the SOCKS protocol, and further on expects to receive commands from the server to launch a DDoS attack.

In early May 2023, FortiGuard Labs updated their research which was issued in April, covering the growing numbers of exploitation attempts of CVE-2023-25717, with the vulnerability being actively leveraged in the wild and the PoC code publicly available. Being capable of causing a total compromise of the impacted devices, cyber defenders should take urgent measures to proactively defend against cyber attacks due to successful exploitation attempts of this Ruckusl vulnerability.  

Timely defend your infrastructure against devastating attacks paralyzing entire corporations or even industries. Detect emerging threats with Sigma rules aligned with the ATT&CK framework. More than 150 detections addressing CVE exploits and compatible with  25+ SIEM, EDR, and XDR formats are at hand for free at https://socprime.com/. And 800+ vetted detection rules are available with On Demand plans at /my.socprime.com/pricing/

The post CVE-2023-25717 Detection: New Malware Botnet AndoryuBot Exploits RCE Flaw in the Ruckus Wireless Admin Panel appeared first on SOC Prime.