Cybersecurity researchers report that attackers are exploiting an undisclosed zero-day vulnerability in Cambium Networks cnPilot routers to deploy AIRASHI, a new variant of the AISURU botnet. The botnet is used primarily to launch distributed denial-of-service (DDoS) attacks, which have reportedly been ongoing since June 2024.

Research by QiAnXin XLab indicates that the AIRASHI variant exploits this vulnerability alongside several previously known flaws, including CVE-2013-3307 and CVE-2022-40005. The specifics of the zero-day exploit have been withheld to limit further exploitation, but the botnet's capabilities continue to grow: additional vulnerabilities affecting AVTECH IP cameras and various DVR models have also been cited as targets.

The overwhelming majority of compromised devices are located in countries such as Brazil, Russia, Vietnam, and Indonesia, while the botnet's attacks are aimed primarily at targets in China, the United States, and Poland. According to XLab, AIRASHI has consistently demonstrated DDoS capacity peaking at 1 to 3 terabits per second, based on data its operators shared on Telegram.

AIRASHI is regarded as a continuation of the AISURU botnet, which was previously linked to high-profile DDoS attacks, including those targeting gaming platforms. AISURU appeared to suspend its activities for a brief period, but the emergence of AIRASHI with new features indicates that the threat is still evolving. The malware now includes proxyware functionality, suggesting an intention to extend its operations beyond DDoS attacks.

The AIRASHI botnet uses a new network protocol built on HMAC-SHA256 and ChaCha20 for its communications, which hardens its command-and-control channel. The variant comes in two distinct forms: AIRASHI-DDoS, which focuses on executing DDoS attacks and also supports arbitrary command execution, and AIRASHI-Proxy, which adds proxy functionality.

In terms of attack tactics, the AIRASHI campaign maps to several MITRE ATT&CK techniques. From initial access via vulnerability exploitation to persistence on compromised devices, the threat actors combine multiple tactics and techniques to establish footholds in targeted networks. The botnet's decentralized architecture also makes it more resilient to traditional take-down attempts, a design choice typical of adversaries seeking prolonged access.

This incident highlights not only the continued exploitation of vulnerabilities in Internet of Things (IoT) devices but also the persistent threat posed by evolving botnets like AIRASHI. As organizations contend with a constantly changing risk landscape, awareness and proactive defensive measures remain critical: adversaries refine their tactics to exploit newly discovered vulnerabilities, and a robust security posture is needed to keep pace.

Separately, recent intelligence from QiAnXin has spotlighted alphatronBot, a campaign deliberately targeting Chinese government bodies and enterprises. This malware is built on an open-source peer-to-peer (P2P) chat application, allowing commands to be issued seamlessly from infected nodes worldwide. Such developments are significant because they increase both the resilience and the reach of cybercriminal operations.

In conclusion, the AIRASHI botnet and similar threats serve as reminders of the complex cybersecurity challenges confronting businesses today. The adoption of proactive threat detection and response strategies, coupled with an understanding of adversary tactics derived from resources like the MITRE ATT&CK framework, is essential for safeguarding against future attacks and mitigating risks associated with IoT vulnerabilities and evolving cyber threat landscapes.
