A variant of the AISURU botnet called AIRASHI is being deployed on Cambium Networks cnPilot routers, which are then used to carry out distributed denial-of-service (DDoS) attacks. The attackers chain multiple sets of flaws to build out the DDoS botnet. The exploited vulnerabilities include CVE-2013-3307, CVE-2016-20016, CVE-2017-5259, CVE-2018-14558, CVE-2020-25499, CVE-2020-8515, CVE-2022-3573, CVE-2022-40005, CVE-2022-44149, and CVE-2023-28771, as well as flaws affecting AVTECH IP cameras, LILIN DVRs, and Shenzhen TVT devices.
The botnet compromised endpoints located in countries including Brazil, Russia, Vietnam, and Indonesia, while China, the United States, Poland, and Russia were the primary targets of its attacks. AIRASHI is a variant of the AISURU (aka NAKOTNE) botnet, which was linked to a DDoS attack targeting Steam. AIRASHI has two different functionalities:
AIRASHI-DDoS: It primarily focuses on DDoS attacks but also supports arbitrary command execution and reverse shell access.
AIRASHI-Proxy: This is a modified version of AIRASHI-DDoS with proxy functionality.
The botnet relies on a completely new network protocol that uses HMAC-SHA256 and ChaCha20 for its command-and-control communication. Furthermore, while AIRASHI-Proxy supports only 5 message types, AIRASHI-DDoS supports 13. Researchers have observed that attackers exploit a wide range of vulnerabilities in IoT devices at scale, both as an initial access vector and to build botnets that add weight to powerful DDoS attacks. The primary objectives are to gather sensitive information from infected devices, maintain long-term access, and use the compromised devices as relay nodes to control other devices or deliver malicious payloads, effectively obfuscating the attacker’s footprint.
Apart from keeping devices patched to their latest firmware versions, there is not much that users or organizations can do to avoid infection and being pulled into the botnet.