
ShadowSyndicate Exploits Aiohttp Vulnerability

Aiohttp, widely deployed in the US, Germany and Spain, is a prime target for ShadowSyndicate's exploitation attempts.

by Ashish Khaitan, March 15, 2024, in Dark Web News, Firewall Daily


In the final week of January 2024, CGSI (Cyble Global Sensor Intelligence) uncovered potential exploitation of an aiohttp vulnerability by the notorious ShadowSyndicate group (formerly Infra Storm). The vulnerability, tracked as CVE-2024-23334, prompted urgent attention within cybersecurity circles because of its severity.

The vulnerability affects aiohttp versions before 3.9.2 and allows unauthenticated remote attackers to read arbitrary files from the server's filesystem through directory traversal, exposing sensitive information.

Aiohttp, a widely used asynchronous HTTP client/server library for Python, became a target for threat actors because of its broad deployment: over 43,000 internet-exposed instances were detected globally.

ShadowSyndicate Group Exploits Aiohttp Vulnerability

Instances of aiohttp were particularly prevalent in the United States, Germany and Spain, making them prime targets for malicious actors such as the ShadowSyndicate group. Immediate action, namely upgrading to version 3.9.2 or later, was strongly advised to mitigate the risk posed by this vulnerability.

According to Cyble Research and Intelligence Labs (CRIL), the severity of CVE-2024-23334 is reflected in its CVSS base score of 7.5 (High), indicating the potential for damage if exploited.

[Figure: NVD entry for CVE-2024-23334. Source: nvd.nist.gov]

CGSI's findings revealed that a Proof of Concept (PoC) exploit was circulating online, accompanied by instructional videos demonstrating it. Shortly after the PoC became publicly available, CGSI detected multiple scanning attempts aimed at exploiting the vulnerability.

Technical Analysis of the Aiohttp Vulnerability

Technical analysis showed that the vulnerability stemmed from aiohttp's failure to properly validate file paths for static routes when symbolic-link following was enabled (a static route registered with follow_symlinks=True). In that configuration the check that a requested file lies within the static root was skipped, so a request containing "../" segments could read files outside the directory, even when no symbolic link was present at all.
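To make the failure mode concrete, the following is an added illustration written for this page (my own Python, not aiohttp's source code): two resolvers for a static route, one modelled on the pre-3.9.2 behaviour described above, where the containment check is skipped when symlink following is enabled, and one that enforces containment in every case and only relaxes the post-resolution check when following is explicitly requested. The directory tree, the file names and the `secret.txt` target are constructed for the example. In a real aiohttp application the relevant setting is the `follow_symlinks` keyword of `web.static()`, which defaults to False; until you are on 3.9.2 or later, leave it at that default.

```python
import os
import shutil
import tempfile
from pathlib import Path


def resolve_static_vulnerable(root: Path, url_path: str, follow_symlinks: bool) -> Path:
    """Illustrative model (not aiohttp's code) of the pre-3.9.2 behaviour the
    advisory describes: the 'stay inside root' check is only applied when
    follow_symlinks is False, so follow_symlinks=True lets '..' segments in
    the URL escape the static root even when no symlink exists."""
    root = root.resolve()
    candidate = root.joinpath(url_path).resolve()
    if not follow_symlinks:
        candidate.relative_to(root)  # ValueError if candidate is outside root
    return candidate


def resolve_static_hardened(root: Path, url_path: str, follow_symlinks: bool) -> Path:
    """Containment check that holds whatever follow_symlinks is set to.

    1. Reject absolute URL paths outright.
    2. Normalise the joined path lexically ('.' and '..' removed) and require
       it to remain under root: this defeats plain traversal.
    3. Resolve symlinks; if following is disabled, the real path must also
       remain under root. With following enabled, a symlink inside root may
       legitimately point outside it, which is the feature's purpose."""
    if Path(url_path).is_absolute():
        raise PermissionError("absolute paths are not allowed")
    root = root.resolve()
    lexical = Path(os.path.normpath(root / url_path))
    try:
        lexical.relative_to(root)
    except ValueError:
        raise PermissionError(f"traversal outside static root: {url_path!r}") from None
    real = lexical.resolve()
    if not follow_symlinks:
        try:
            real.relative_to(root)
        except ValueError:
            raise PermissionError(f"symlink escapes static root: {url_path!r}") from None
    return real


def _blocked(func, *args) -> bool:
    """True if the resolver refuses the request, False if it would serve it."""
    try:
        func(*args)
        return False
    except PermissionError:
        return True


def demo() -> dict:
    """Build a throwaway directory tree (constructed sample data) and exercise
    both resolvers with a legitimate request and a '../' traversal request."""
    base = Path(tempfile.mkdtemp())
    try:
        root = base / "static"
        root.mkdir()
        (root / "app.js").write_text("console.log('hello')\n")
        (base / "secret.txt").write_text("not for the web\n")  # lives outside root

        results = {
            "legit": resolve_static_hardened(root, "app.js", True).read_text(),
            # Vulnerable resolver with follow_symlinks=True: no containment
            # check, so the traversal reads the file outside the root.
            "vuln_leak": resolve_static_vulnerable(root, "../secret.txt", True).read_text(),
            # The same request against the hardened resolver is refused.
            "hardened_blocked": _blocked(resolve_static_hardened, root, "../secret.txt", True),
        }

        # Symlink case: a link inside root that points outside it is served
        # only when following is explicitly enabled. Skipped where symlinks
        # are unsupported (e.g. Windows without the required privilege).
        try:
            os.symlink(base / "secret.txt", root / "link")
            results["symlink_blocked_when_off"] = _blocked(resolve_static_hardened, root, "link", False)
            results["symlink_served_when_on"] = not _blocked(resolve_static_hardened, root, "link", True)
        except OSError:
            results["symlink_blocked_when_off"] = None
            results["symlink_served_when_on"] = None
        return results
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The point to take from the demo is the ordering in the hardened resolver: the lexical containment check runs before the filesystem is consulted, so no combination of "../" segments can reach outside the root, and the symlink decision is a separate, later step that only widens access when the operator asked for it.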

[Figure: scanning-source lookup. Source: VirusTotal]

Further investigation into the scanning attempts led to the attribution of one source IP address, 81[.]19[.]136[.]251, to the ShadowSyndicate group. This group, known for its involvement in ransomware operations, poses a significant threat to organizations worldwide. Its history of ransomware incidents, dating back to 2022, shows its proficiency in carrying out financially motivated cyberattacks.

The incidents linked to ShadowSyndicate, spanning Quantum, Nokoyawa and ALPHV ransomware campaigns, show its adaptability and persistence in the cybercrime domain. Although no attacks using the aiohttp vulnerability had been observed at the time, the scanning attempts attributed to ShadowSyndicate underline the threat that unpatched aiohttp instances face.
