AIRASHI Botnet
A zero-day vulnerability in Cambium Networks' cnPilot routers has become the latest tool for cybercriminals deploying an AISURU botnet variant known as AIRASHI. This campaign, active since June 2024, exploits the flaw to orchestrate powerful Distributed Denial-of-Service (DDoS) attacks. Security researchers have withheld specifics about the vulnerability to limit its misuse while investigations are ongoing.
A History of Exploited Vulnerabilities
The AIRASHI botnet is not limited to a single attack vector. It weaponizes a series of vulnerabilities, including CVE-2013-3307, CVE-2016-20016, CVE-2017-5259, CVE-2018-14558, CVE-2020-25499, CVE-2020-8515, CVE-2022-3573, CVE-2022-40005, CVE-2022-44149, CVE-2023-287 and other flaws found in AVTECH IP cameras, LILIN DVRs and Shenzhen TVT devices. By exploiting this broad spectrum of weaknesses, AIRASHI continues to grow its reach and sophistication.
DDoS Attack Capabilities: A Closer Look
The operators behind AIRASHI are not shy about their activities, posting test results of their botnet's DDoS capabilities on Telegram. Historical data reveals its attack capacity stabilizes around 1-3 Tbps. Geographically, most compromised devices are located in Brazil, Russia, Vietnam and Indonesia. However, targets are concentrated in regions like China, the United States, Poland, and Russia, where the botnet's harmful operations have caused the most disruption.
The Evolution of AISURU to AIRASHI
AIRASHI stems from the AISURU botnet, which was first identified in August 2024 during a high-profile DDoS attack on Steam that coincided with the release of the game Black Myth: Wukong. After temporarily halting its operations in September 2024, the botnet re-emerged with updated features codenamed "kitty" and was further revamped as AIRASHI by November.
A Dual-Purpose Botnet: AIRASHI-DDoS and AIRASHI-Proxy
AIRASHI operates in two distinct forms:
- AIRASHI-DDoS: Detected in late October 2024, this variant focuses on DDoS attacks but extends its capabilities to include arbitrary command execution and reverse shell access.
- AIRASHI-Proxy: Unveiled in December 2024, this variation adds proxy functionality, signaling a diversification of services beyond DDoS operations.
Advancing Communication and Encryption
To secure its operations, AIRASHI employs a new network protocol that uses HMAC-SHA256 for message authentication and the ChaCha20 cipher for encryption. AIRASHI-DDoS supports 13 distinct message types, while AIRASHI-Proxy uses a more streamlined set of five. Additionally, the botnet dynamically adjusts the method by which it retrieves Command-and-Control (C2) server details via DNS queries.
Botnets and IoT Devices: A Persistent Cyber Threat
The findings highlight cybercriminals' persistent exploitation of IoT device vulnerabilities. IoT devices serve as both an entry point for bad actors and the foundation for building robust botnets. By leveraging these compromised devices, threat actors amplify the power of DDoS attacks, showcasing the critical need for enhanced device security in the IoT ecosystem.