Cybercriminals Target Aiohttp Flaw to Find At-Risk Networks


A notorious ransomware group called ‘ShadowSyndicate’ has been actively scanning the internet for networks exposed to a significant security flaw tracked as CVE-2024-23334. 

The vulnerability lies in the aiohttp library, a widely used Python tool for handling HTTP requests asynchronously. 

Understanding Aiohttp and Its Impact

Aiohttp is built on asyncio, Python's asynchronous I/O framework, which lets it handle a very large number of concurrent HTTP requests efficiently. 

This feature is particularly beneficial for web developers, backend engineers, and data scientists who are engaged in developing high-performance web applications and services that pull data from numerous external APIs. 

The Emergence of CVE-2024-23334

CVE-2024-23334 is a critical path traversal vulnerability that affects all versions of aiohttp up to 3.9.1. 

The flaw stems from insufficient validation of requested paths when ‘follow_symlinks’ is enabled for static routes, which allows an unauthenticated client to read files outside the server's designated static root directory. 

Recognizing the severity of this flaw, the developers of aiohttp promptly released version 3.9.2 on January 28, 2024, to address this vulnerability.
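To make the path-resolution problem concrete, here is an added Python example written for this article (it is not aiohttp's own code). It shows a small static-route resolver that applies a lexical containment check in every mode, beside a deliberately flawed variant modelled on the reported pre-3.9.2 behaviour, in which containment was enforced only when follow_symlinks was off. Function names and the temporary directory layout are assumptions. Note that follow_symlinks is disabled by default in aiohttp's static routes, so only deployments that opted in were exposed.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import unquote


def _lexical_path(root: Path, url_path: str) -> Optional[Path]:
    """Join the decoded request path onto root and normalise '.' and '..'
    purely lexically (no filesystem access). Returns None if the normalised
    path leaves root or the request contains a NUL byte."""
    decoded = unquote(url_path)
    if "\x00" in decoded:
        return None
    candidate = Path(os.path.normpath(root / decoded.lstrip("/")))
    try:
        candidate.relative_to(root)
    except ValueError:
        return None
    return candidate


def resolve_static_path(root: Path, url_path: str,
                        follow_symlinks: bool = False) -> Optional[Path]:
    """Hardened resolver: the lexical containment check runs in every mode,
    so '..' in the request can never escape root. With follow_symlinks=True
    a symlink placed inside root may still point outside it; that is the
    documented purpose of the option and is the operator's choice, not the
    client's. Without it, the resolved target must also stay inside root."""
    root = root.resolve()
    candidate = _lexical_path(root, url_path)
    if candidate is None:
        return None
    target = candidate.resolve()
    if not follow_symlinks:
        try:
            target.relative_to(root)
        except ValueError:
            return None
    return target if target.is_file() else None


def resolve_static_path_legacy(root: Path, url_path: str,
                               follow_symlinks: bool = False) -> Optional[Path]:
    """Flawed variant, modelled on the reported pre-3.9.2 behaviour (an
    illustrative reconstruction, not aiohttp's code): containment is checked
    only when symlinks are NOT followed, so enabling follow_symlinks also
    silently disables the defence against '..' in the request."""
    root = root.resolve()
    target = (root / unquote(url_path).lstrip("/")).resolve()
    if not follow_symlinks:
        try:
            target.relative_to(root)
        except ValueError:
            return None
    return target if target.is_file() else None


def demo() -> dict:
    """Build a throwaway tree (constructed data) and exercise both resolvers.
    Returns the outcomes as a dict so they can be checked programmatically."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        root = base / "static"
        root.mkdir()
        (root / "app.js").write_text("console.log('ok')\n")
        (base / "outside.txt").write_text("constructed file outside the static root\n")
        traversal = "/%2e%2e/outside.txt"  # percent-encoded '..' segment
        return {
            "normal_request_served": resolve_static_path(root, "/app.js", True) == root / "app.js",
            "fixed_blocks_traversal": resolve_static_path(root, traversal, True) is None,
            "legacy_escapes_root": resolve_static_path_legacy(root, traversal, True) == base / "outside.txt",
            "legacy_safe_when_symlinks_off": resolve_static_path_legacy(root, traversal, False) is None,
        }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The design point is that the two checks are independent: the lexical check defeats traversal in the request itself, and the post-resolution check (when symlinks are not followed) defeats escape through links on disk. Dropping either one, as the legacy variant does for the first, reopens the hole.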

Exploitation Attempts in the Wild

The cybersecurity community witnessed a concerning uptick in exploitation attempts following the public release of a proof of concept (PoC) exploit on GitHub in late February 2024. This was further compounded by a detailed video tutorial that surfaced on YouTube, providing step-by-step guidance on exploiting this vulnerability.

Cyble, a renowned threat analysis firm, reported detection of scanning activities aimed at identifying servers vulnerable to CVE-2024-23334. These scans, which escalated in frequency throughout March, were traced back to five distinct IP addresses. 

Notably, one of these IPs had previously been linked to the ‘ShadowSyndicate’ group in a report by Group-IB in September 2023. This group, known for its financial motivations, has been associated with various ransomware strains and is believed to operate as an affiliate for multiple ransomware entities.
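The scanning Cyble describes leaves a recognisable trace in web server access logs: requests to a static route whose path, once percent-decoded, contains a '..' segment. The following is an added detection example, not code from the article or from Cyble. It assumes a combined-format access log and a static route mounted at /static/; the log lines are constructed and use documentation IP ranges.

```python
import re
from urllib.parse import unquote

# Combined-log-format line; assumption: the server writes this shape.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (RFC 5737 documentation addresses, not real sources).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2024:10:01:02 +0000] "GET /static/app.js HTTP/1.1" 200 1432
203.0.113.10 - - [12/Mar/2024:10:01:03 +0000] "GET /static/../../app/settings.py HTTP/1.1" 404 0
198.51.100.7 - - [12/Mar/2024:10:05:44 +0000] "GET /static/%2e%2e/%2e%2e/app/settings.py HTTP/1.1" 200 2471
198.51.100.7 - - [12/Mar/2024:10:05:45 +0000] "GET /static/%252e%252e/%252e%252e/etc/hostname HTTP/1.1" 404 0
192.0.2.5 - - [12/Mar/2024:10:07:00 +0000] "GET /static/css/site.css?v=3 HTTP/1.1" 200 512
"""


def fully_decode(path: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so that double-encoded
    sequences such as %252e%252e are seen as '..' too."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(path: str) -> bool:
    """True if any segment of the decoded request path is exactly '..'.
    Backslashes are treated as separators as well, since some handlers
    normalise them."""
    decoded = fully_decode(path.split("?", 1)[0]).replace("\\", "/")
    return any(segment == ".." for segment in decoded.split("/"))


def find_traversal_attempts(log_text: str, static_prefix: str = "/static/") -> list:
    """Return one record per request under the static route that carries a
    traversal sequence. A 2xx status on such a request is the strongest
    signal, because it means the server actually served the file."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        if path.startswith(static_prefix) and is_traversal(path):
            status = int(m.group("status"))
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "path": path,
                "status": status,
                "served": 200 <= status < 300,
            })
    return hits


def count_by_source(hits: list) -> dict:
    """Aggregate hits per client address, to separate one-off noise from
    the repeated probing described in the article."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = find_traversal_attempts(SAMPLE_LOG)
    for h in found:
        flag = "SERVED" if h["served"] else "blocked"
        print(f'{h["ts"]} {h["ip"]} {flag} {h["path"]}')
    print("per source:", count_by_source(found))
```

A 404 on a traversal path shows that someone is probing; a 200 shows that the probe worked and the instance needs patching and an incident review, so the two cases deserve different alert priorities.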

Global Exposure and Risk Assessment

According to ODIN, Cyble’s internet scanning tool, there are approximately 44,170 aiohttp instances exposed on the internet globally. 

A significant portion of these instances are based in the United States, making it the most affected region, followed by Germany, Spain, and other countries. 

Exposed instances of aiohttp (Source: Cyble)

However, due to the inability to discern the versions of these exposed instances, the exact number of networks at risk remains uncertain.

Final Word

Individuals and organizations alike are urged to review their use of the aiohttp library and ensure that they are running the latest, secure version. Staying informed and proactive in cybersecurity practices is important in safeguarding against the ever-present threat of digital exploitation.
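Reviewing "your use of the aiohttp library" in practice means checking both what a project pins and what is actually installed. The following is an added Python example, not code from the article or from the aiohttp project: it classifies aiohttp lines in a requirements file against the 3.9.2 fix version named above and reports the version importable in the current interpreter. The requirements sample is constructed, and the requirements syntax handled (name, optional extras, comma-separated specifiers) is an assumption.

```python
import re
from importlib import metadata
from typing import Optional

# First release carrying the fix, as stated in the article.
FIXED_VERSION = (3, 9, 2)

# Assumed requirements syntax: name, optional extras, then comma-separated
# specifiers; environment markers after ';' are ignored.
NAME_RE = re.compile(r"^aiohttp(?:\[[^\]]*\])?(?=\s*(?:[=<>~!;]|$))", re.IGNORECASE)
SPEC_RE = re.compile(r"(==|>=|~=|<=|<|>|!=)\s*([\w.*]+)")

# Constructed sample, not a real project's pins.
SAMPLE_REQUIREMENTS = """\
# web stack
aiohttp==3.9.1
aiohttp[speedups]==3.9.2
aiohttp>=3.8,<4
aiohttp-jinja2==1.6   # different package, must not be confused with aiohttp
requests==2.31.0
"""


def parse_version(text: str) -> tuple:
    """Turn '3.9.1', '3.10.0rc1' or '3.9.2.post1' into an integer tuple for
    comparison. Pre-/post-release suffixes are ignored, which is acceptable
    here because the fix landed on a plain patch release."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_fixed(version: str) -> bool:
    """True when the version is at or above the first fixed release."""
    return parse_version(version) >= FIXED_VERSION


def classify_requirement(line: str) -> Optional[str]:
    """'fixed', 'vulnerable' or 'unpinned' for an aiohttp requirement line;
    None for any other package. 'unpinned' means the file alone cannot tell
    you which version is installed, so check the environment instead."""
    line = line.split("#", 1)[0].strip()
    m = NAME_RE.match(line)
    if not m:
        return None
    specs = dict(SPEC_RE.findall(line[m.end():].split(";", 1)[0]))
    exact = specs.get("==")
    if exact and "*" not in exact:
        return "fixed" if is_fixed(exact) else "vulnerable"
    # A lower bound at or above the fix is enough to rule the flaw out.
    for op in (">=", "~="):
        if op in specs and is_fixed(specs[op]):
            return "fixed"
    return "unpinned"


def audit_requirements(text: str) -> list:
    """(line, verdict) for every aiohttp line in a requirements file."""
    results = []
    for raw in text.splitlines():
        verdict = classify_requirement(raw)
        if verdict is not None:
            results.append((raw.split("#", 1)[0].strip(), verdict))
    return results


def installed_status() -> str:
    """Verdict for the aiohttp actually importable in this interpreter."""
    try:
        version = metadata.version("aiohttp")
    except metadata.PackageNotFoundError:
        return "not installed"
    return f"{version}: {'fixed' if is_fixed(version) else 'vulnerable'}"


if __name__ == "__main__":
    for line, verdict in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{verdict:10} {line}")
    print("installed:", installed_status())
```

Run it inside each deployed virtual environment rather than once on a developer machine, since a loose pin such as `aiohttp>=3.8` can resolve to different versions in different environments; that is exactly why the file check reports "unpinned" instead of guessing.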

Author: Anas Hasan

Date: March 18, 2024


Anas Hassan is a tech geek and cybersecurity enthusiast. He has vast experience in the digital transformation industry. When Anas isn’t blogging, he watches football.
