
A new botnet called Andoryu has been found to exploit a critical security flaw in the Ruckus Wireless Admin panel to break into vulnerable devices. The flaw, tracked as CVE-2023-25717 (CVSS score: 9.8), stems from improper handling of HTTP requests, leading to unauthenticated remote code execution and a complete compromise of wireless Access Point (AP) equipment. Andoryu was first documented by Chinese cybersecurity firm QiAnXin earlier this February, detailing its ability to communicate with command-and-control (C2) servers using the SOCKS5 protocol. While the malware is known to weaponize remote code execution flaws in GitLab (CVE-2021-22205) and Lilin DVR for propagation, the addition of CVE-2023-25717 shows that Andoryu is actively expanding its exploit arsenal to ensnare more devices into the botnet. "It contains DDoS attack modules for different protocols and communicates with its command-and-control server using SOCKS5 proxies," Fortinet FortiGuard Labs researcher Cara Lin said, adding the latest campaign commenced in late April 2023. Further analysis of the attack chain has revealed that once the Ruckus flaw is used to gain access to a device, a script from a remote server is dropped onto the infected device for proliferation. The malware, for its part, also establishes contact with a C2 server and awaits further instructions to launch a DDoS attack against targets of interest using protocols like ICMP, TCP, and UDP. This is a serious problem for anyone using Ruckus Wireless Admin panel-based devices. The Andoryu botnet is constantly expanding its arsenal of exploits, and has already been used to launch DDoS attacks using a variety of protocols. If you are using any Ruckus Wireless Admin panel-based devices, it is important to make sure that they are patched and up to date.