Full Report
Threat actors are exploiting an unspecified zero-day vulnerability in Cambium Networks cnPilot routers to deploy a variant of the AISURU botnet called AIRASHI to carry out distributed denial-of-service (DDoS) attacks. According to QiAnXin XLab, the attacks have leveraged the security flaw since June 2024. Additional details about the shortcomings have been withheld to prevent further abuse. Some
Analysis Summary
# Vulnerability: Zero-Day in Cambium Networks cnPilot Routers Leveraged by AIRASHI Botnet
## CVE Details
- CVE ID: Not specified (Zero-day)
- CVSS Score: Not specified
- CWE: Not specified
## Affected Systems
- Products: Cambium Networks cnPilot routers
- Versions: Unspecified (Affected by the zero-day vulnerability)
- Configurations: Not specified
## Vulnerability Description
Threat actors are actively exploiting an unpatched, unspecified zero-day vulnerability in Cambium Networks cnPilot routers. Exploitation infects the devices and enlists them in the **AIRASHI** botnet (a successor to the AISURU botnet). The primary objective of the compromised devices appears to be participation in large-scale Distributed Denial-of-Service (DDoS) attacks, with observed capacities reaching 1-3 Tbps.
The AIRASHI botnet uses a new network protocol featuring **HMAC-SHA256** and **CHACHA20** for command-and-control (C2) communications; the C2 servers are located through DNS queries. The DDoS-focused variant (**AIRASHI-DDoS**) also supports arbitrary command execution and reverse shell access. A second variant (**AIRASHI-Proxy**) adds SOCKS5 proxy functionality.
## Exploitation
- Status: **Exploited in the wild** (since June 2024, according to QiAnXin XLab)
- Complexity: Not specified. Exploitation of zero-days in IoT devices generally suggests low to medium complexity for initial compromise, but no details of this flaw have been published.
- Attack Vector: Likely network (remote exploitation of the router firmware or an exposed service).
## Impact
- Confidentiality: Unknown (likely at risk, since the DDoS variant supports arbitrary command execution and reverse shell access)
- Integrity: High (Device compromise leading to botnet enlistment and attack participation)
- Availability: High (Device used in large-scale DDoS attacks; potential device instability/unavailability)
## Remediation
### Patches
- No official patch information is available as this is an active, unspecified zero-day vulnerability.
### Workarounds
- **Network Segmentation/Isolation:** Restrict administrative access to cnPilot routers to trusted networks only.
- **Monitoring:** Implement enhanced monitoring on network perimeters and internal networks for unusual outbound traffic patterns indicative of botnet activity or C2 communication.
- **Vendor Advisories:** Continuously monitor Cambium Networks for any official security advisories regarding this flaw or associated firmware updates.
## Detection
- **Indicators of Compromise (IoCs):** Traffic attempting to communicate with known C2 infrastructure associated with the AIRASHI or AISURU botnets; unusual outbound connections utilizing proprietary or non-standard C2 protocols (if deep packet inspection is available).
- **Detection Methods and Tools:** Network traffic analysis targeting unusual command/control protocols; vulnerability scanning for known older flaws leveraged by botnets (though the primary vector here is the zero-day); host-based analysis if remote shell access is achieved.
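The detection methods above stay at the level of "network traffic analysis for unusual C2 protocols". As an added example (not code from the report, from XLab or from Cambium), the following script applies three of those heuristics to a handful of flow records: external connections from router addresses on ports outside an expected set, regularly spaced check-ins to one destination (a beaconing pattern), and a sudden fan-out to many distinct destinations (DDoS participation). The asset inventory, the allowed-port policy, the thresholds and every flow record are constructed assumptions for illustration; the report gives no ports, domains or C2 addresses, so none appear here.

```python
"""Heuristic detection of botnet-style outbound traffic from a router segment.

Added example, not part of the original report. The asset list, allowed ports,
thresholds and flow records below are all constructed assumptions.
"""
from collections import defaultdict
from statistics import mean

# Assumption: an asset inventory identifies which addresses are cnPilot routers.
ROUTER_ASSETS = {"10.20.0.11", "10.20.0.12", "10.20.0.13"}
# Assumption: routers in this segment only need these outbound ports to the Internet.
EXPECTED_PORTS = {53, 80, 123, 443}


def is_internal(ip):
    """Constructed rule: treat 10.0.0.0/8 as the internal network."""
    return ip.startswith("10.")


# Constructed flow records: (timestamp_seconds, src, dst, dst_port, proto, bytes_out)
FLOWS = [
    (100, "10.20.0.11", "203.0.113.5", 443, "tcp", 1200),    # ordinary HTTPS
    (101, "10.20.0.11", "203.0.113.5", 443, "tcp", 900),
    (105, "10.20.0.12", "10.20.0.1", 53, "udp", 80),         # internal DNS, ignored
    (102, "10.20.0.12", "198.51.100.7", 31337, "tcp", 300),  # odd port, every 60 s
    (162, "10.20.0.12", "198.51.100.7", 31337, "tcp", 300),
    (222, "10.20.0.12", "198.51.100.7", 31337, "tcp", 300),
    (282, "10.20.0.12", "198.51.100.7", 31337, "tcp", 300),
] + [
    # one router spraying UDP at 50 distinct hosts within 5 seconds (DDoS-like fan-out)
    (300 + i // 10, "10.20.0.13", f"192.0.2.{i}", 80, "udp", 1400) for i in range(50)
]


def unexpected_port_contacts(flows, assets=ROUTER_ASSETS, expected=EXPECTED_PORTS):
    """Routers contacting external hosts on ports outside the expected set.
    Returns {router: [(dst, port, flow_count), ...]} sorted by count, descending."""
    counts = defaultdict(lambda: defaultdict(int))
    for _ts, src, dst, port, _proto, _nbytes in flows:
        if src in assets and not is_internal(dst) and port not in expected:
            counts[src][(dst, port)] += 1
    return {
        src: sorted(((d, p, n) for (d, p), n in pairs.items()), key=lambda x: -x[2])
        for src, pairs in counts.items()
    }


def beaconing_sessions(flows, assets=ROUTER_ASSETS, min_flows=3, jitter=0.2):
    """Regularly spaced connections to one (dst, port): a C2 check-in pattern.
    A session is flagged when every gap between consecutive flows lies within
    +/- jitter (as a fraction) of the mean gap. Returns [(src, dst, port, mean_gap)]."""
    times = defaultdict(list)
    for ts, src, dst, port, _proto, _nbytes in flows:
        if src in assets and not is_internal(dst):
            times[(src, dst, port)].append(ts)
    hits = []
    for (src, dst, port), stamps in times.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and all(abs(g - avg) <= jitter * avg for g in gaps):
            hits.append((src, dst, port, avg))
    return hits


def fan_out(flows, assets=ROUTER_ASSETS, window=10, threshold=20):
    """Largest number of distinct external destinations a router reaches inside any
    `window`-second span; counts at or above `threshold` suggest DDoS participation.
    Returns {router: max_distinct_destinations} for routers over the threshold."""
    events = defaultdict(list)
    for ts, src, dst, _port, _proto, _nbytes in flows:
        if src in assets and not is_internal(dst):
            events[src].append((ts, dst))
    result = {}
    for src, ev in events.items():
        ev.sort()
        best = 0
        for i, (t0, _d0) in enumerate(ev):
            seen = set()
            for t, d in ev[i:]:
                if t - t0 > window:
                    break
                seen.add(d)
            best = max(best, len(seen))
        if best >= threshold:
            result[src] = best
    return result


if __name__ == "__main__":
    print("unexpected ports:", unexpected_port_contacts(FLOWS))
    print("beaconing:", beaconing_sessions(FLOWS))
    print("fan-out:", fan_out(FLOWS))
```

On the constructed data, 10.20.0.12 is flagged twice (an unexpected port and a 60-second beacon to the same host) and 10.20.0.13 is flagged for fan-out; 10.20.0.11 is clean. In practice the flow records would come from NetFlow/IPFIX or firewall logs, and the allowed-port set and thresholds must be tuned to the segment, since a router that legitimately performs many DNS lookups or NTP syncs will otherwise trip the fan-out rule.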
## References
- Vendor Advisories: None publicly available for the zero-day.
- Relevant links:
  - [QiAnXin XLab Report on AIRASHI (Leveraged link)](blog.xlab.qianxin.com/large-scale-botnet-airashi-en/)
  - [AISURU Botnet Details (Related)](blog.xlab.qianxin.com/more_ddos_details_on_steam_en/)
  - [CVE-2013-3307 (Example of historical flaw used by botnets)](tenable.com/cve/CVE-2013-3307)
  - [CVE-2016-20016 (Example of historical flaw used by botnets)](nvd.nist.gov/vuln/detail/cve-2016-20016)
  - [CVE-2017-5259 (Example of historical flaw used by botnets)](nvd.nist.gov/vuln/detail/cve-2017-5259)
  - [CVE-2018-14558 (Example of historical flaw used by botnets)](nvd.nist.gov/vuln/detail/cve-2018-14558)
  - [CVE-2020-25499 (Example of historical flaw used by botnets)](nvd.nist.gov/vuln/detail/CVE-2020-25499)
  - [CVE-2020-8515 (Example of historical flaw used by botnets)](nvd.nist.gov/vuln/detail/cve-2020-8515)
  - [CVE-2022-3573 (Example of historical flaw used by botnets)](nvd.nist.gov/vuln/detail/cve-2022-3573)
  - [CVE-2022-40005 (Example of historical flaw used by botnets)](nvd.nist.gov/vuln/detail/CVE-2022-40005)
  - [CVE-2022-44149 (Example of historical flaw used by botnets)](nvd.nist.gov/vuln/detail/CVE-2022-44149)
  - [CVE-2023-28771 (Example of historical flaw used by botnets)](nvd.nist.gov/vuln/detail/cve-2023-28771)