ShadowSyndicate Exploits Aiohttp Bug to Target Vulnerable Networks

March 16, 2024

The ransomware group known as 'ShadowSyndicate' has been detected scanning for servers that are susceptible to a directory traversal vulnerability, CVE-2024-23334, in the aiohttp Python library. Aiohttp is an open-source library that was designed to manage large volumes of concurrent HTTP requests using Python's Asyncio framework. It is commonly used by tech firms, web developers, backend engineers, and data scientists to create high-performance web applications and services that gather data from several external APIs.

On January 28, 2024, aiohttp released an update, version 3.9.2, which addressed the high-severity path traversal flaw, CVE-2024-23334. This flaw affects all aiohttp versions from 3.9.1 and earlier, allowing unauthenticated remote attackers to gain access to files on servers that are vulnerable. The flaw originates from insufficient validation when 'follow_symlinks' is set to 'True' for static routes, which permits unauthorized access to files beyond the server's static root directory.

A proof of concept (PoC) exploit for CVE-2024-23334 was made public on GitHub on February 27, 2024, followed by a detailed instructional video on how to exploit the flaw, which was published on YouTube in early March. Cyble's threat analysts reported that their scanners detected exploitation attempts targeting CVE-2024-23334 from February 29 onwards, with the frequency of attempts increasing into March. The scanning attempts were traced back to five IP addresses, one of which was linked to the ShadowSyndicate ransomware group by Group-IB in a September 2023 report.

ShadowSyndicate is a financially-driven threat actor that has been active since July 2022. The group has been associated with various ransomware strains, including Quantum, Nokoyawa, BlackCat/ALPHV, Clop, Royal, Cactus, and Play. Group-IB suspects that ShadowSyndicate is an affiliate working in conjunction with multiple ransomware operations. Although Cyble's findings are not conclusive, they suggest that the threat actors may be conducting scans that target servers using a vulnerable version of the aiohttp library. However, it is currently unclear whether these scans will lead to breaches.

Cyble's internet scanner, ODIN, reveals that there are approximately 44,170 internet-exposed aiohttp instances globally. The majority (15.8%) are located in the United States, followed by Germany (8%), Spain (5.7%), and then the UK, Italy, France, Russia, and China. The version of the internet-exposed aiohttp instances is unknown, making it difficult to ascertain the number of servers that are vulnerable. Regrettably, open-source libraries are often used in outdated versions for extended periods due to various practical issues that hinder their identification and patching. This makes them a valuable target for threat actors who exploit them in attacks, even years after a security update has been issued.

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.