Zero-Day Attack Unleashes Massive 3 Tbps AIRASHI Botnet on Cambium Routers

Zero-Day Vulnerability in Cambium Networks Routers Exploited by AIRASHI Botnet

A new variant of the AISURU botnet, dubbed AIRASHI, is actively exploiting an undisclosed zero-day vulnerability in Cambium Networks cnPilot routers to conduct large-scale DDoS attacks. QiAnXin XLab reports that these attacks have been ongoing since June 2024.

The botnet also exploits several known CVEs affecting other IoT devices, including AVTECH IP cameras, LILIN DVRs, and Shenzhen TVT devices. AIRASHI’s attack capacity has held steady at 1-3 Tbps, with compromised devices located mainly in Brazil, Russia, Vietnam, and Indonesia. Its main targets are in China, the United States, Poland, and Russia.

AIRASHI exists in two variants:
– AIRASHI-DDoS: Focuses on DDoS attacks with additional capabilities for command execution and reverse shell access
– AIRASHI-Proxy: A modified version with proxy functionality

Technical Specifications:
– Implements new network protocols built on HMAC-SHA256 and ChaCha20
– AIRASHI-DDoS supports 13 message types
– AIRASHI-Proxy supports 5 message types
– Uses DNS queries for C2 server communication

The botnet evolved from AISURU (also known as NAKOTNE), which temporarily suspended operations in September 2024 before returning with enhanced features. This development highlights the continuing risk that exploited IoT devices are assembled into botnets capable of very large DDoS attacks.

Related developments include the discovery of alphatronBot, a cross-platform backdoor targeting Chinese institutions, and DarkCracks, a payload delivery framework exploiting compromised GLPI and WordPress sites.