Critical RCE Flaw in Ruckus Wireless APs Exploited by Botnet for DDoS Attacks

July 17, 2025

SNC Team

In recent news, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a severe vulnerability in the Ruckus Wireless Admin panel. This vulnerability, tracked as CVE-2023-25717, allows remote code execution (RCE) and is being actively exploited by a newly discovered DDoS botnet. Although Ruckus released a patch in February, many Wi-Fi access point owners have yet to apply the update. Unfortunately, for owners of end-of-life models affected by the issue, no patch is available.

Exploitation and Malware:

Attackers are exploiting the vulnerability to infect vulnerable Wi-Fi access points with a strain of malware called AndoryuBot. This malware, first identified in February 2023, is delivered through unauthenticated HTTP GET requests. Once compromised, the infected devices are enlisted into a botnet built specifically to launch Distributed Denial-of-Service (DDoS) attacks.

Capabilities of AndoryuBot:

The AndoryuBot malware possesses a range of DDoS attack modes, including tcp-raw, tcp-socket, tcp-cnc, tcp-handshake, udp-plain, udp-game, udp-ovh, udp-raw, udp-vse, udp-dstat, udp-bypass, and icmp-echo. These attack modes enable cybercriminals to overwhelm targeted systems and disrupt their normal operations.

AndoryuBot's Availability for Rent:

In a concerning development, the operators of the AndoryuBot botnet are now offering their DDoS attack services for rent. This means that individuals with malicious intent can employ the botnet's firepower to launch devastating DDoS attacks. Payments for this service can be made using various methods, including the CashApp mobile payment service or popular cryptocurrencies like XMR, BTC, ETH, and USDT.

Urgent Patching Requirements for Federal Agencies:

To mitigate the risks posed by this critical vulnerability, CISA has set a deadline of June 2nd for U.S. Federal Civilian Executive Branch (FCEB) agencies to secure their devices against the CVE-2023-25717 RCE bug. This directive follows from a binding operational directive issued in November 2021, which requires federal agencies to identify and remediate security flaws listed in CISA's Known Exploited Vulnerabilities (KEV) catalog by the catalog's due dates. While the directive applies to federal agencies, private companies are also strongly advised to address vulnerabilities listed in the KEV catalog: each entry is there because threat actors are actively exploiting it, which exposes public and private organizations alike.

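The KEV-driven process described above is mechanical enough to script. The example below, added here and not the SNC Team's code, parses a catalog in the shape of CISA's KEV JSON feed (the real feed uses the field names cveID, vendorProject, product, requiredAction and dueDate) and triages scanner findings against it: which findings are on the KEV list, which are already past their due date, and which are not KEV entries at all. Every catalog entry, asset name and CVE other than the two the post names is constructed for this example, the year on the due dates is assumed to be 2023, and the requiredAction wording is an assumption.

```python
"""Triage scanner findings against a CISA KEV-style catalog.

Added example for the post above, not the SNC Team's code. Field names match the
real KEV JSON feed, but every entry and asset below is constructed for this example.
"""
import json
from datetime import date

# Location of the live catalog; the sample below stands in for it so the example runs offline.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed stand-in for the live feed. Due dates are the ones the post gives
# (year 2023 assumed); the requiredAction text is an assumption.
SAMPLE_KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "vulnerabilities": [
        {
            "cveID": "CVE-2023-25717",
            "vendorProject": "Ruckus Wireless",
            "product": "Ruckus Wireless Admin",
            "requiredAction": "Apply updates per vendor instructions, or retire end-of-life devices.",
            "dueDate": "2023-06-02",
        },
        {
            "cveID": "CVE-2023-29336",
            "vendorProject": "Microsoft",
            "product": "Win32k",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2023-05-30",
        },
    ],
})

# Constructed scanner output: one (asset, CVE) pair per finding. The third CVE is a
# placeholder that is deliberately absent from the catalog.
SAMPLE_FINDINGS = [
    {"asset": "ap-lobby-01", "cve": "CVE-2023-25717"},
    {"asset": "ws-finance-07", "cve": "CVE-2023-29336"},
    {"asset": "srv-db-02", "cve": "CVE-2023-00000"},
]


def load_kev(feed_text):
    """Parse KEV JSON text and index its entries by CVE id."""
    data = json.loads(feed_text)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def triage(findings, kev, today):
    """Return one row per finding: KEV membership and days until (negative: since) its due date.

    `today` may be a date or an ISO "YYYY-MM-DD" string. Rows are ordered worst first:
    overdue KEV entries, then soonest due, then findings not in the catalog.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    rows = []
    for finding in findings:
        entry = kev.get(finding["cve"])
        if entry is None:
            rows.append({**finding, "in_kev": False, "status": "not in KEV"})
            continue
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        status = "OVERDUE" if days_left < 0 else f"due in {days_left} days"
        rows.append({**finding, "in_kev": True, "due": entry["dueDate"],
                     "days_left": days_left, "status": status,
                     "action": entry["requiredAction"]})
    rows.sort(key=lambda r: (not r["in_kev"], r.get("days_left", 10**6)))
    return rows


def overdue_assets(findings, kev, today):
    """Assets carrying at least one KEV entry whose due date has passed."""
    return sorted({r["asset"] for r in triage(findings, kev, today)
                   if r["in_kev"] and r["days_left"] < 0})


if __name__ == "__main__":
    # To use the live catalog, fetch KEV_FEED_URL and pass the response body to load_kev.
    catalog = load_kev(SAMPLE_KEV_FEED)
    for row in triage(SAMPLE_FINDINGS, catalog, "2023-05-31"):
        print(f"{row['asset']:15} {row['cve']:16} {row['status']}")
    print("overdue assets:", overdue_assets(SAMPLE_FINDINGS, catalog, "2023-05-31"))
```

Run against the constructed sample with a reference date of 2023-05-31, the Windows finding shows as one day overdue, the Ruckus access point as due in two days, and the placeholder CVE as outside the catalog; swapping `SAMPLE_KEV_FEED` for the downloaded feed and `SAMPLE_FINDINGS` for real scanner output turns this into a daily KEV compliance report.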
Additional Windows Zero-Day Vulnerability:

In addition to the Ruckus Wireless vulnerability, CISA has instructed federal agencies to patch a Windows zero-day vulnerability (CVE-2023-29336) by May 30th. This vulnerability allows attackers to elevate privileges and obtain SYSTEM-level permissions on compromised Windows systems. While Microsoft has confirmed that the Win32k kernel driver bug is being exploited, details of the exploitation method have not been disclosed at this time.

The recent warning from CISA regarding the critical RCE flaw in Ruckus Wireless APs highlights the urgent need for organizations to address vulnerabilities promptly. By staying proactive in patching systems and following recommended security practices, both public and private entities can mitigate the risks posed by cyber threats and safeguard their networks from potential DDoS attacks and other security breaches.
