"AndoryuBot DDoS Botnet Exploiting Ruckus AP Vulnerability"

Owners of Ruckus access points (APs) have been warned by Fortinet that a DDoS botnet named AndoryuBot has been exploiting a recently patched vulnerability to hack devices.  The vulnerability in question is tracked as CVE-2023-25717, and it was patched by Ruckus in February in many of its wireless APs.  The vulnerability allows a remote, unauthenticated attacker to execute arbitrary code and take complete control of a targeted Ruckus device.  Technical details have been available since February, and cybersecurity firm Fortinet started seeing attacks exploiting the vulnerability in late April.  The company issued a warning on April 28 about CVE-2023-25717 being exploited, and on Monday, it revealed that a spike in exploitation is driven by the AndoryuBot botnet.  The company stated that AndoryuBot emerged in February 2023, and it’s designed to abuse compromised devices to launch various types of DDoS attacks.  The vulnerability is exploited to gain access to Ruckus APs.  A script is then downloaded to the compromised device for propagation to other devices.  Fortinet noted that once a target device is compromised, AndoryuBot quickly spreads and begins communicating with its C2 server via the SOCKS protocol.  In a very short time, it is updated with additional DDoS methods and awaits attack commands.  The company noted that prices for DDoS attacks using the AndoryuBot botnet are listed on a Telegram channel, and threat actors can cause disruption even with limited financial resources.  Fortinet has made available indicators of compromise (IoCs) and other technical details that can be useful to defenders. 

SecurityWeek reports: "AndoryuBot DDoS Botnet Exploiting Ruckus AP Vulnerability"