Hackers exploit Aiohttp bug to find vulnerable networks

March 16, 2024 at 04:48PM

ShadowSyndicate, a ransomware actor, has targeted servers vulnerable to CVE-2024-23334 in the aiohttp Python library. The vulnerability allows remote attackers to read files on affected servers. Exploitation attempts were observed originating from five IP addresses, one of them linked to ShadowSyndicate. Cyble's data shows about 44,170 exposed aiohttp instances globally, but since their versions cannot be determined, the true extent of the threat is unclear.

Key takeaways from the article:

– A ransomware actor known as ‘ShadowSyndicate’ has been observed scanning for servers vulnerable to a directory traversal vulnerability in the aiohttp Python library, specifically CVE-2024-23334.
– Aiohttp is utilized by various professionals, including tech firms, web developers, backend engineers, and data scientists, to build high-performance web applications and services that aggregate data from multiple external APIs.
– A high-severity path traversal flaw impacting aiohttp versions 3.9.1 and older was addressed in aiohttp version 3.9.2, released on January 28, 2024.
– A researcher released a proof of concept (PoC) exploit for CVE-2024-23334 on GitHub, and a detailed video showcasing step-by-step exploitation instructions was published on YouTube.
– Cyble’s threat analysts reported that exploitation attempts targeting CVE-2024-23334 started on February 29 and continued at an increased rate into March, originating from five IP addresses, one of which was linked to the ShadowSyndicate ransomware actor.
– Exposed aiohttp instances are located worldwide, with the United States having the highest percentage, followed by Germany, Spain, the UK, Italy, France, Russia, and China.
– The version of the internet-exposed instances cannot be discerned, so the number of vulnerable aiohttp servers cannot be determined.
– Open-source libraries like aiohttp are often run in outdated versions for extended periods, which keeps them valuable to threat actors long after security updates have been made available.
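Because the article reports both a fixed release (3.9.2) and scanning from a handful of source addresses, the two checks a defender would want are a version check against the patched release and a scan of access logs for dot-dot traversal attempts. The following Python is an added example written for this summary; it is not code from the article, from Cyble, or from the aiohttp project. The log lines, IP addresses and the `/static/` route prefix are constructed for illustration, and the detector is generic (it decodes repeatedly so double-encoded `..` is caught), not a signature for this specific CVE.

```python
"""Defender-side helpers for the aiohttp path-traversal advisory (CVE-2024-23334):
flag dot-dot traversal attempts in access logs and check whether an installed
aiohttp version is at or above the fixed release 3.9.2. Added example, not code
from the article or from the aiohttp project."""
import posixpath
import re
from urllib.parse import unquote

FIXED_VERSION = (3, 9, 2)  # first patched release named in the article

# Common Log Format: ip ident user [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample lines (hypothetical addresses and paths, not from the article).
SAMPLE_LOG = """\
203.0.113.10 - - [01/Mar/2024:10:00:01 +0000] "GET /static/app.js HTTP/1.1" 200 1532
203.0.113.11 - - [01/Mar/2024:10:00:02 +0000] "GET /static/../../../../etc/passwd HTTP/1.1" 404 0
203.0.113.12 - - [01/Mar/2024:10:00:03 +0000] "GET /static/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 404 0
203.0.113.13 - - [01/Mar/2024:10:00:04 +0000] "GET /static/%252e%252e/secret?x=1 HTTP/1.1" 404 0
203.0.113.14 - - [01/Mar/2024:10:00:05 +0000] "GET /static/css/..%2fmain.css HTTP/1.1" 200 88
"""


def parse_version(text):
    """Turn '3.9.1' (or '3.9.2rc1') into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version_text):
    """True when the version is 3.9.2 or later, i.e. outside the '3.9.1 and older' range."""
    return parse_version(version_text) >= FIXED_VERSION


def fully_decode(path, max_rounds=3):
    """Percent-decode repeatedly so double-encoded '..' (%252e%252e) is caught too."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def analyse_path(raw_path, static_prefix):
    """Return a finding dict if the request path contains a '..' segment, else None."""
    decoded = fully_decode(raw_path.split("?", 1)[0])  # drop the query string first
    if ".." not in decoded.split("/"):
        return None
    # normpath collapses the '..' segments so we can see where the request really pointed
    resolved = posixpath.normpath(decoded)
    return {
        "raw": raw_path,
        "decoded": decoded,
        "resolved": resolved,
        "escapes_prefix": not resolved.startswith(static_prefix),
    }


def scan_log(log_text, static_prefix="/static/"):
    """Scan access-log lines and collect traversal attempts together with their source IPs."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m.groups()
        finding = analyse_path(path, static_prefix)
        if finding:
            finding.update(ip=ip, method=method, status=int(status))
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = "ESCAPES" if f["escapes_prefix"] else "inside "
        print(f"{flag} {f['ip']} {f['raw']} -> {f['resolved']}")
    for v in ("3.9.1", "3.9.2", "3.10.0"):
        print(v, "patched" if is_patched(v) else "in vulnerable range")
```

Every `..` segment is reported, but `escapes_prefix` separates requests whose resolved path leaves the static route (the pattern worth alerting on and correlating by source IP, as Cyble did) from ones that stay inside it. Run `is_patched` against the output of `pip show aiohttp` on each host, since the article notes that the version of an exposed instance cannot be read from the outside.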
