Hackers Exploit Zero-Day Vulnerability in cnPilot Routers to Deploy AIRASHI DDoS Botnet

Cybersecurity researchers have identified an active exploitation of an undisclosed zero-day vulnerability in Cambium Networks' cnPilot routers. Threat actors are leveraging this flaw to deploy a variant of the AISURU botnet, known as AIRASHI, facilitating large-scale distributed denial-of-service (DDoS) attacks.

Evolution of the AIRASHI Botnet

The AIRASHI botnet has undergone significant evolution since its initial detection. In August 2024, the AISURU botnet executed a DDoS attack targeting the distribution platforms of the game Black Myth: Wukong, exploiting a zero-day vulnerability in cnPilot routers and utilizing RC4 encryption for sample strings. After a brief hiatus in September, the botnet resurfaced in October under the moniker "kitty," and was subsequently updated in November to the current AIRASHI variant. The latest iteration employs ChaCha20 encryption for command-and-control (C2) communications, coupled with HMAC-SHA256 verification, and boasts a diverse range of IP resources for its C2 servers, enhancing its resilience against takedown efforts.

Technical Details and Capabilities

The AIRASHI botnet propagates through multiple vectors, including zero-day vulnerabilities, known (n-day) vulnerabilities, and weak Telnet passwords. It exploits a variety of security flaws, such as CVE-2013-3307 and CVE-2016-20016, among others. The botnet's operators have demonstrated its attack capabilities on social media platforms, showcasing DDoS attack strengths ranging from 1 to 3 terabits per second (Tbps).

The latest version of AIRASHI includes functionalities for DDoS attacks, operating system command execution, and proxy services. Notably, the botnet communicates with its C2 server through SOCKS5 proxies, using specific credentials that, while not encrypted, facilitate various stages of communication, including heartbeat signals and command reception.

Detection and Mitigation

To detect potential exploitation attempts of the zero-day vulnerability affecting cnPilot routers, security tools such as Snort have implemented rules that identify malicious traffic by searching for specific keywords like "execute_script," "sys_list," and "ASPSESSIONID" within network packets. Deploying these rules within intrusion detection or prevention systems enables monitoring of network traffic for signs of this exploit, allowing for proactive mitigation of potential attacks.

Recommendations for Users

Users of cnPilot routers are strongly advised to:

• Apply the latest firmware updates provided by Cambium Networks to address known vulnerabilities.
• Change default passwords to strong, unique credentials to prevent unauthorized access.
• Disable unnecessary remote access features to reduce potential attack vectors.
• Implement robust network monitoring to detect and respond to suspicious activities promptly.

Conclusion

The exploitation of a zero-day vulnerability in cnPilot routers by the AIRASHI botnet underscores the critical importance of maintaining up-to-date security measures and promptly addressing known vulnerabilities. By adhering to recommended security practices, users can significantly mitigate the risk of their devices being co-opted into malicious botnet activities.

Sources

• Hackers Exploit Zero-Day in cnPilot Routers to Deploy AIRASHI DDoS Botnet
• AIRASHI Botnet Exploiting 0-Day Vulnerabilities In Large Scale DDoS Attacks