ShadowSyndicate Hackers Exploiting Aiohttp Vulnerability

A new Aiohttp vulnerability has been discovered, which the threat actor ShadowSyndicate exploits.

Aiohttp is an asynchronous HTTP client/server framework that has extensive capabilities and flexibility to make aiohttp perform various asynchronous tasks. 

The ShadowSyndicate threat actor operates as a Ransomware-as-a-Service affiliate and has been active since July 2022.

The threat actor was responsible for several ransomware activities, including the Quantum, Nokoyawa, and ALPHV ransomware activities.

However, this vulnerability has been assigned CVE-2024-23334, and its severity has been given as 7.5 (High).

More than 43,000 internet-exposed instances have been identified worldwide using aiohttp framework.

Additionally, the aiohttp maintainers have provided a patch to fix this vulnerability.

Technical Analysis – CVE-2024-23334

Aiohttp framework is specifically designed to offer asynchronous HTTP client and server capabilities, which initially require the setting up of static routes for serving files in order to specify the root directory containing the static files.

Further, the framework has the option to allow follow_symlinks, which can be used to make the server follow symbolic links outside of the static root directory.


Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.:

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

AcuRisQ, that helps you to quantify risk accurately:

This is where the directory traversal vulnerability exists.

If the follow_symlinks is set to True, the path to be followed is not validated, giving rise to unauthorized arbitrary file reading vulnerability.

According to the reports shared with Cyber Security News, this CVE-2024-23334 is associated with directory traversal which could allow an unauthenticated remote threat actor to access sensitive information from arbitrary files on the vulnerable server.

This is done by traversing through the /static directory with the enabled follow_symlink option.

Moreover, the exposed instances have been highly found in the United States (6.93k), Germany (3.48k), Spain (2.48k), the United Kingdom (1.82k), Italy (1.81k), France (1.26k), Russia (1.25k) and China (1.16k).

Countries with vulnerable aiohttp servers (Source: Cyble)

In addition to this, a proof-of-concept for this vulnerability has also been released alongside a comprehensive YouTube video that demonstrates the exploitation technique.

According to the exploit code, the researcher has set up a server that contains the ‘follow_symlink’ option enabled.

This allows the researcher to perform a directory traversal and read an arbitrary file on the D:\ volume of the server.

Users of this aiohttp framework are recommended to upgrade to the latest version in order to prevent this vulnerability from getting exploited by threat actors.

Indicators of Compromise

Indicators  Indicator Type  Description 
81[.]19[.]136[.]251  IP  IP observed attempting to exploit CVE-2024-23334 
157[.]230[.]143[.]100  IP  IP observed attempting to exploit CVE-2024-23334 
170[.]64[.]174[.]95  IP  IP observed attempting to exploit CVE-2024-23334 
103[.]151[.]172[.]28  IP  IP observed attempting to exploit CVE-2024-23334 
143[.]244[.]188[.]172  IP  IP observed attempting to exploit CVE-2024-23334 

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Leave a Reply

Your email address will not be published. Required fields are marked *