Cybercriminals are exploiting an undisclosed zero-day vulnerability within Cambium Networks’ cnPilot routers to propagate an evolved version of the AISURU botnet, known as AIRASHI, engineered for orchestrating large-scale distributed denial-of-service (DDoS) attacks.
Researchers at QiAnXin XLab report that exploitation of this vulnerability has been ongoing since June 2024. Specific details of the flaw are being withheld to limit further exploitation.
Other vulnerabilities weaponized by the AIRASHI botnet include CVE-2013-3307, CVE-2016-20016, CVE-2017-5259, CVE-2018-14558, CVE-2020-25499, CVE-2020-8515, CVE-2022-3573, CVE-2022-40005, CVE-2022-44149, CVE-2023-28771, and flaws targeting AVTECH IP cameras, LILIN DVRs, and Shenzhen TVT systems.
“The AIRASHI operator has been showcasing the botnet’s DDoS performance metrics on Telegram,” XLab disclosed. Historical analysis indicates the botnet’s attack potency consistently ranges between 1 and 3 Tbps.
A significant concentration of compromised devices has been detected in regions such as Brazil, Russia, Vietnam, and Indonesia, while primary targets of the botnet’s assaults include China, the United States, Poland, and Russia.
AIRASHI Botnet’s Evolution and Expansion
A derivative of the AISURU (also referred to as NAKOTNE) botnet, AIRASHI was initially identified in August 2024, linked to a DDoS onslaught targeting the Steam platform during the release of Black Myth: Wukong. This botnet, continually modified, now incorporates proxyware capabilities, signaling a diversification of its functionalities beyond DDoS facilitation.
AISURU temporarily ceased its attack activities in September 2024, only to resurface in October with a streamlined variant labeled “kitty.” This iteration simplified its network protocol and adopted SOCKS5 proxies for command-and-control (C2) communication. Subsequently, by November, it evolved into AIRASHI.
The AIRASHI botnet exists in at least two distinct variants:
- AIRASHI-DDoS: Detected in late October, this version is predominantly focused on DDoS attacks, with added capabilities for executing arbitrary commands and reverse shell operations.
- AIRASHI-Proxy: First identified in December, this is an adaptation of AIRASHI-DDoS with integrated proxy functionality.
To harden its operations, AIRASHI uses a new network protocol built on HMAC-SHA256 and ChaCha20 for communication. The DDoS-focused variant supports 13 message types, while the proxy-focused variant employs five.
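The defender's takeaway from an HMAC-SHA256 plus ChaCha20 channel is that byte-string signatures on the payload stop working, but the traffic still looks different from the plaintext management protocols most CPE devices speak. The example below is added here to illustrate that point; it is not XLab's code and not the AIRASHI protocol, whose framing and message types XLab has not published in this report. It builds a generic encrypt-then-MAC frame (an assumed layout of nonce || ciphertext || tag) with a minimal RFC 8439 ChaCha20 and the standard-library HMAC, then runs a byte-entropy heuristic over a constructed plaintext HTTP request and over the sealed frame. The keys, nonce, sample message body and the 7.0 bits/byte threshold are all constructed for the demonstration.

```python
# Added example (not XLab's code, not the AIRASHI protocol): why an authenticated,
# encrypted channel defeats payload signatures, and a byte-entropy heuristic that
# still separates it from plaintext device protocols.
import hashlib
import hmac
import math
import struct
from collections import Counter

MASK = 0xFFFFFFFF


def _rotl(v, n):
    return ((v << n) & MASK) | (v >> (32 - n))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    # RFC 8439 block function: 32-byte key, 32-bit block counter, 12-byte nonce
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]
    state += struct.unpack("<8L", key)
    state += [counter & MASK]
    state += struct.unpack("<3L", nonce)
    w = list(state)
    for _ in range(10):  # 10 double rounds = 20 rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16L", *[(x + y) & MASK for x, y in zip(w, state)])


def chacha20_xor(key, nonce, data, counter=1):
    # Stream cipher: XOR data with successive 64-byte keystream blocks
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], ks))
    return bytes(out)


def seal(enc_key, mac_key, nonce, plaintext):
    # Assumed frame layout: nonce || ciphertext || HMAC-SHA256(nonce || ciphertext)
    ct = chacha20_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_frame(enc_key, mac_key, frame):
    # Verify the tag before decrypting; None means tampered or wrong key
    nonce, ct, tag = frame[:12], frame[12:-32], frame[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return chacha20_xor(enc_key, nonce, ct)


def shannon_entropy(data):
    # Bits per byte; 8.0 is the ceiling, plaintext protocols sit well below it
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_payload(data, threshold=7.0):
    # Heuristic for network monitoring: flag opaque, high-entropy payloads on
    # ports where a plaintext device protocol is expected (threshold is constructed)
    return "opaque-high-entropy" if shannon_entropy(data) >= threshold else "plaintext-like"


# Constructed sample data: a repetitive CPE management request and a neutral
# message body; keys and nonce are fixed only for the demo (real nonces must
# never repeat under one key).
PLAINTEXT_SAMPLE = (b"GET /cgi-bin/status HTTP/1.1\r\nHost: 192.0.2.10\r\n"
                    b"User-Agent: cpe-mgmt\r\n\r\n") * 30
MESSAGE_BODY = b"hypothetical keepalive record; no operational content\n" * 40
ENC_KEY = bytes(range(32))
MAC_KEY = hashlib.sha256(b"constructed mac key").digest()
NONCE = b"example-nonc"
SEALED_FRAME = seal(ENC_KEY, MAC_KEY, NONCE, MESSAGE_BODY)


def tampered_frame(frame, index=20):
    # Flip one ciphertext byte; the HMAC check must reject the result
    buf = bytearray(frame)
    buf[index] ^= 0x01
    return bytes(buf)


if __name__ == "__main__":
    print("plaintext :", round(shannon_entropy(PLAINTEXT_SAMPLE), 2), classify_payload(PLAINTEXT_SAMPLE))
    print("sealed    :", round(shannon_entropy(SEALED_FRAME), 2), classify_payload(SEALED_FRAME))
    print("roundtrip :", open_frame(ENC_KEY, MAC_KEY, SEALED_FRAME) == MESSAGE_BODY)
    print("tampered  :", open_frame(ENC_KEY, MAC_KEY, tampered_frame(SEALED_FRAME)))
```

The entropy check is a triage signal, not a detector on its own: TLS and compressed traffic score just as high, so in practice it is combined with port, destination and flow-timing context (for example opaque traffic from a CPE device to an address that is not its management platform).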
Weaponization of IoT Devices for Botnet Expansion
The findings underscore a persistent trend: adversaries increasingly exploit IoT device vulnerabilities as entry points and resources for constructing botnets capable of amplifying the impact of DDoS attacks.
In tandem with AIRASHI, QiAnXin spotlighted a cross-platform backdoor, dubbed alphatronBot, targeting Chinese governmental and enterprise systems. Active since early 2023, alphatronBot assimilates Windows and Linux systems into a botnet, utilizing a legitimate peer-to-peer (P2P) chat application called PeerChat for communication among infected nodes.
The decentralized architecture of this P2P protocol enables attackers to issue commands from any infected device without relying on a centralized C2 server, significantly enhancing the botnet’s resilience against disruption.
“The backdoor’s network comprises over 700 P2P nodes spanning 80 countries, including compromised MikroTik routers, Hikvision cameras, virtual private servers (VPS), D-Link routers, and customer-premises equipment (CPE),” the report states.
Covert Payload Delivery Frameworks
Additionally, XLab outlined the DarkCracks framework, a clandestine payload delivery mechanism exploiting compromised GLPI and WordPress systems. DarkCracks serves as a downloader and C2 server, prioritizing the collection of sensitive information, sustained access to high-performance devices, and utilizing these systems as relays to obscure the attacker’s activities.
The compromised infrastructure, often critical, encompasses school websites, public transportation networks, and penitentiary visitor management systems.
“DarkCracks adeptly exploits these systems to pilfer sensitive data and maintain long-term operational capabilities, while employing them as intermediaries to control other targets or distribute malicious payloads, thereby camouflaging its operators’ footprints,” XLab concluded.
This ongoing saga highlights the necessity for enhanced IoT security measures and proactive vulnerability management to mitigate emerging threats.