ShadowSyndicate, a notorious ransomware group, has been detected scanning for servers vulnerable to CVE-2024-23334, an exploit targeting a directory traversal flaw within the aiohttp Python library.
Aiohttp, a widely utilized open-source library, is built atop Python's asynchronous I/O framework, Asyncio, enabling efficient handling of concurrent HTTP requests without traditional thread-based networking. This library finds extensive use among tech firms, web developers, backend engineers, and data scientists for constructing high-performance web applications and services that aggregate data from multiple external APIs.
In response to the identified vulnerability, aiohttp released version 3.9.2 on January 28, 2024, specifically addressing CVE-2024-23334. This high-severity flaw, affecting all aiohttp versions from 3.9.1 and older, enables unauthenticated remote attackers to access files on vulnerable servers due to inadequate validation when 'follow_symlinks' is set to 'True' for static routes, thereby permitting unauthorized access to files beyond the server's static root directory.
Subsequently, a researcher published a proof of concept (PoC) exploit for CVE-2024-23334 on GitHub on February 27, 2024, accompanied by a detailed instructional video on YouTube at the onset of March.
Cyble's threat analysts have observed exploitation attempts targeting CVE-2024-23334 since February 29, escalating into March. These scans have originated from five IP addresses, one of which was previously linked to ShadowSyndicate in a September 2023 report by Group-IB. ShadowSyndicate, an opportunistic and financially motivated threat actor active since July 2022, has been associated with various ransomware strains, including Quantum, Nokoyawa, BlackCat/ALPHV, Clop, Royal, Cactus, and Play. Group-IB suspects ShadowSyndicate to be an affiliate collaborating with multiple ransomware operations.
Cyble's findings suggest that threat actors may be targeting servers employing vulnerable versions of the aiohttp library, though the extent of potential breaches remains uncertain. Cyble's internet scanner ODIN reveals approximately 44,170 internet-exposed aiohttp instances globally, with the majority located in the United States, followed by Germany, Spain, the UK, Italy, France, Russia, and China. Determining the specific versions of these exposed instances proves challenging, hindering the assessment of the number of vulnerable servers.
Regrettably, the prolonged use of outdated versions of open-source libraries poses a prevalent challenge due to various practical constraints in identifying and patching them. This situation renders such libraries valuable targets for threat actors, who exploit them in attacks long after security updates have been released.
