Threat Actors Exploit the Aiohttp Bug to Locate Susceptible Networks


The ransomware actor "ShadowSyndicate" was observed searching for servers that could be exposed to the aiohttp Python library's directory traversal vulnerability, CVE-2024-23334. 

Aiohttp is an open-source toolkit designed to manage massively concurrent HTTP requests without the need for conventional thread-based networking. It is built on top of Python's Asyncio asynchronous I/O framework. 

Tech companies, web developers, data scientists, and backend engineers use it to create high-performance web applications and services that combine data gathered from numerous external APIs. 

On January 28, 2024, aiohttp published version 3.9.2, which addressed CVE-2024-23334, a high-severity path traversal issue that affects all versions of aiohttp from 3.9.1 and earlier and enables unauthenticated remote hackers to access files on susceptible servers. 

When 'follow_symlinks' is set to 'True' for static routes, the library performs insufficient validation, which allows unauthorized access to files located outside the server's static root directory. On February 27, 2024, a researcher published a proof-of-concept (PoC) exploit for CVE-2024-23334 on GitHub, and a thorough video demonstrating step-by-step exploitation instructions was published on YouTube in early March.
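As an added illustration (not the blog's or aiohttp's own code), the following Python shows the two checks a defender would want here: comparing an installed aiohttp version against the 3.9.2 fix release, and the containment validation the post describes as missing, i.e. following symlinks and then insisting the resolved file still lies inside the static root. The sample directory tree is constructed in a temporary folder and assumes a POSIX host that permits symlink creation.

```python
"""Defensive checks for the static-route issue described above.

Neither check needs the exploit: one compares an aiohttp version against
the 3.9.2 fix release, the other performs the containment validation the
post describes as missing when follow_symlinks=True on a static route.
"""
import os
import re
import tempfile
from pathlib import Path
from typing import Optional, Tuple

FIXED_VERSION = (3, 9, 2)  # aiohttp 3.9.2 addressed CVE-2024-23334


def parse_version(ver: str) -> Tuple[int, ...]:
    """Turn '3.9.1' or '3.9.0b1' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", ver)
    if not m:
        raise ValueError(f"unrecognised version string: {ver!r}")
    return tuple(int(n) for n in m.groups())


def is_patched(ver: str) -> bool:
    """True when the version is at or above the 3.9.2 fix release."""
    return parse_version(ver) >= FIXED_VERSION


def resolve_within_root(static_root: str, requested: str) -> Optional[Path]:
    """Follow symlinks, then insist the result still lies inside the static root.
    Returns the resolved path, or None when it escapes (traversal segments or a
    symlink pointing outside the root)."""
    root = Path(os.path.realpath(static_root))
    candidate = Path(os.path.realpath(root / requested.lstrip("/")))
    return candidate if candidate == root or root in candidate.parents else None


def demo() -> dict:
    """Constructed sample tree: a real file, an outward-pointing symlink, and a
    traversal request. Returns whether each request would be served."""
    base = Path(tempfile.mkdtemp())
    root = base / "static"
    root.mkdir()
    (root / "app.js").write_text("console.log('ok')")
    (base / "secret.txt").write_text("outside the static root")
    (root / "leak").symlink_to(base / "secret.txt")  # symlink escaping the root
    return {name: resolve_within_root(str(root), name) is not None
            for name in ("app.js", "leak", "../secret.txt")}
```

Only the plain file under the static root is served; both the outward-pointing symlink and the traversal request are refused by the containment check.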

Cyble's threat analysts indicate that their scanners detected exploitation attempts targeting CVE-2024-23334 beginning on February 29 and continuing at an increasing pace throughout March.

The scanning efforts originate from five IP addresses, one of which was identified in a Group-IB report from September 2023 as belonging to the ShadowSyndicate ransomware perpetrator. 

ShadowSyndicate is an opportunistic, financially motivated threat actor who has been active since July 2022 and has been associated with an array of ransomware variants, including Quantum, Nokoyawa, BlackCat/ALPHV, Clop, Royal, Cactus, and Play. Group-IB suspects the threat actor is an affiliate involved in numerous ransomware operations. 

Cyble's findings, while not conclusive, suggest that threat actors may be scanning for servers that use a compromised version of the aiohttp library. Whether or not these scans result in breaches is unknown at this moment. 

In terms of the attack surface, Cyble's internet scanner ODIN shows that there are around 44,170 internet-exposed aiohttp instances worldwide. The majority (15.8%) are in the United States, followed by Germany (8%), Spain (5.7%), the United Kingdom, Italy, France, Russia, and China.