Threat actors are exploiting an unspecified zero-day vulnerability in Cambium Networks cnPilot routers to deploy a variant of the AISURU botnet called AIRASHI to carry out distributed denial-of-service (DDoS) attacks.
According to QiAnXin XLab, the attacks have leveraged the security flaw since June 2024. Additional details about the shortcomings have been withheld to prevent further abuse.
Some of the other flaws weaponized by the distributed denial-of-service (DDoS) botnet include CVE-2013-3307, CVE-2016-20016, CVE-2017-5259, CVE-2018-14558, CVE-2020-25499, CVE-2020-8515, CVE-2022-3573, CVE-2022-40005, CVE-2022-44149, CVE-2023-28771, as well as those impacting AVTECH IP cameras, LILIN DVRs, and Shenzhen TVT devices.
“The operator of AIRASHI has been posting their DDoS capability test results on Telegram,” XLab said. “From historical data, it can be observed that the attack capacity of the AIRASHI botnet remains stable around 1-3 Tbps.”
A majority of the compromised devices are located in Brazil, Russia, Vietnam, and Indonesia, with China, the United States, Poland, and Russia becoming the primary targets of the malicious swarm.
AIRASHI is a variant of the AISURU (aka NAKOTNE) botnet that was previously flagged by the cybersecurity company in August 2024 in connection with a DDoS attack targeting Steam around the same time coinciding with the launch of the game Black Myth: Wukong.
A frequently updated botnet, select variations of AIRASHI have also been found incorporating proxyware functionality, indicating that the threat actors intend to expand their services beyond facilitating DDoS attacks.
AISURU is said to have temporarily suspended its attack activities in September 2024, only for it to reappear a month later with updated features (dubbed kitty) and refreshed again a second time at the end of November (aka AIRASHI).
“The kitty sample began spreading in early October 2024,” XLab noted. “Compared to previous AISURU samples, it has simplified the network protocol. By the end of October, it started using SOCKS5 proxies to communicate with the C2 server.”
AIRASHI, on the other hand, comes in at least two different flavors –
- AIRASHI-DDoS (first detected in late October), which primarily focuses on DDoS attacks, but also supports arbitrary command execution and reverse shell access
- AIRASHI-Proxy (first detected in early December), which is a modified version of AIRASHI-DDoS with proxy functionality
The botnet, in addition to continuously tweaking its methods to obtain the C2 server details via DNS queries, relies on a completely new network protocol that involves HMAC-SHA256 and CHACHA20 algorithms for communication. Furthermore, AIRASHI-DDoS supports 13 message types, while AIRASHI-Proxy supports only 5 message types.
The findings show that bad actors continue to exploit vulnerabilities in IoT devices both as an initial access vector and for building botnets that use them to put added weight behind powerful DDoS attacks.
The development comes as QiAnXin shed light on a cross-platform backdoor named alphatronBot that has targeted the Chinese government and enterprises to enlist infected Windows and Linux systems into a botnet. Active since the start of 2023, the malware adopted a legitimate open-source peer-to-peer (P2P) chat application named PeerChat to talk to other infected nodes.
The decentralized nature of the P2P protocol means that an attacker can issue commands through any of the compromised nodes without having to route them through a single C2 server, thus making the botnet a lot more resilient to takedowns.
“The 700+ P2P networks built into the backdoor consist of infected network device components from 80 countries and territories,” the company said. “The nodes involve MikroTik routers, Hikvision cameras, VPS servers, DLink routers, CPE devices, etc.”
Last year, XLab also detailed a sophisticated and stealthy payload delivery framework codenamed DarkCracks that exploits compromised GLPI and WordPress sites to function as downloaders and C2 servers.
“Its primary objectives are to gather sensitive information from infected devices, maintain long-term access, and use the compromised, stable, high-performance devices as relay nodes to control other devices or deliver malicious payloads, effectively obfuscating the attacker’s footprint,” it said.
“The compromised systems were found to belong to critical infrastructure across different countries, including school websites, public transportation systems, and prison visitor systems.”
