ShadowSyndicate Hackers Exploiting Aiohttp Vulnerability To Access Sensitive Data

A new Aiohttp vulnerability has been discovered, which the threat actor ShadowSyndicate exploits.

Aiohttp is an asynchronous HTTP client/server framework that has extensive capabilities and flexibility to make aiohttp perform various asynchronous tasks. 

The ShadowSyndicate threat actor operates as a Ransomware-as-a-Service affiliate and has been active since July 2022.

The threat actor was responsible for several ransomware activities, including the Quantum, Nokoyawa, and ALPHV ransomware activities.

However, this vulnerability has been assigned CVE-2024-23334, and its severity has been given as 7.5 (High).

More than 43,000 internet-exposed instances have been identified worldwide using aiohttp framework.

Additionally, the aiohttp maintainers have provided a patch to fix this vulnerability.

Technical Analysis – CVE-2024-23334

Aiohttp framework is specifically designed to offer asynchronous HTTP client and server capabilities, which initially require the setting up of static routes for serving files in order to specify the root directory containing the static files.

Further, the framework has the option to allow follow_symlinks, which can be used to make the server follow symbolic links outside of the static root directory.

If the follow_symlinks is set to True, the path to be followed is not validated, giving rise to unauthorized arbitrary file reading vulnerability.

According to the reports shared with Cyber Security News, this CVE-2024-23334 is associated with directory traversal which could allow an unauthenticated remote threat actor to access sensitive information from arbitrary files on the vulnerable server.

This is done by traversing through the /static directory with the enabled follow_symlink option.

Moreover, the exposed instances have been highly found in the United States (6.93k), Germany (3.48k), Spain (2.48k), the United Kingdom (1.82k), Italy (1.81k), France (1.26k), Russia (1.25k) and China (1.16k).

In addition to this, a proof-of-concept for this vulnerability has also been released alongside a comprehensive YouTube video that demonstrates the exploitation technique.

According to the exploit code, the researcher has set up a server that contains the ‘follow_symlink’ option enabled.

This allows the researcher to perform a directory traversal and read an arbitrary file on the D:\ volume of the server.

Users of this aiohttp framework are recommended to upgrade to the latest version in order to prevent this vulnerability from getting exploited by threat actors.

Indicators of Compromise

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.