In the final week of January 2024, CGSI (Cyble Global Sensor Intelligence) uncovered a potential exploitation of an Aiohttp vulnerability by the notorious ShadowSyndicate group (formerly Infra Storm). This vulnerability, identified as CVE-2024-23334, prompted urgent attention within cybersecurity circles due to its critical nature.
The Aiohttp vulnerability, affecting versions of aiohttp before 3.9.2, raised concerns as it allowed unauthenticated, remote attackers to breach servers and access sensitive information through directory traversal.
Aiohttp, renowned for its versatility in asynchronous tasks within Python, became a target for exploitation by threat actors due to its widespread usage, with over 43,000 instances detected globally.
ShadowSyndicate Group Exploits Aiohttp Vulnerability
Instances of aiohttp were particularly prevalent in countries such as the United States, Germany, and Spain, making them prime targets for malicious actors like the ShadowSyndicate group. Immediate action, such as patching to the latest version, was strongly advised to mitigate the risk posed by this vulnerability.
According to Cyble Research and Intelligence Labs (CRIL), the severity of CVE-2024-23334 was highlighted by its high CVSS score of 7.5, indicating the potential for damage if exploited.
CGSI’s findings revealed a Proof of Concept (PoC) for the exploit circulating online, accompanied by instructional videos demonstrating its functionality. Shortly after its public availability, CGSI detected multiple scanning attempts aimed at exploiting the vulnerability.
Technical Analysis of the Aiohttp Vulnerability
Technical analysis revealed that the vulnerability stemmed from aiohttp’s failure to properly validate file paths, particularly when symbolic links were involved. This oversight opened the door to unauthorized access to sensitive files, even in the absence of symbolic links.
Further investigation into the scanning attempts led to the attribution of one IP address, 81[.]19[.]136[.]251, to the ShadowSyndicate group. This group, known for its involvement in ransomware operations, posed a significant threat to organizations worldwide. Their history of ransomware incidents, dating back to 2022, highlighted their proficiency in carrying out cyberattacks for financial gain.
The incidents involving ShadowSyndicate, ranging from Quantum ransomware to Nokoyawa and ALPHV ransomware campaigns, showcased their adaptability and persistence in the cybercrime domain. Despite no observed attacks utilizing the Aiohttp vulnerability at the time, the scanning attempts by ShadowSyndicate emphasized the potential threat posed by unpatched systems.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
