Saturday, December 14, 2024
HomeCVE/vulnerabilityShadowSyndicate Hackers Exploiting Aiohttp Vulnerability To Access Sensitive Data

ShadowSyndicate Hackers Exploiting Aiohttp Vulnerability To Access Sensitive Data

Published on

SIEM as a Service

A new Aiohttp vulnerability has been discovered, which the threat actor ShadowSyndicate exploits.

Aiohttp is an asynchronous HTTP client/server framework that has extensive capabilities and flexibility to make aiohttp perform various asynchronous tasks. 

The ShadowSyndicate threat actor operates as a Ransomware-as-a-Service affiliate and has been active since July 2022.

- Advertisement - SIEM as a Service

The threat actor was responsible for several ransomware activities, including the Quantum, Nokoyawa, and ALPHV ransomware activities.

However, this vulnerability has been assigned CVE-2024-23334, and its severity has been given as 7.5 (High).

More than 43,000 internet-exposed instances have been identified worldwide using aiohttp framework.

Additionally, the aiohttp maintainers have provided a patch to fix this vulnerability.

Technical Analysis – CVE-2024-23334

Aiohttp framework is specifically designed to offer asynchronous HTTP client and server capabilities, which initially require the setting up of static routes for serving files in order to specify the root directory containing the static files.

Further, the framework has the option to allow follow_symlinks, which can be used to make the server follow symbolic links outside of the static root directory.

Document

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.:

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

AcuRisQ, that helps you to quantify risk accurately:

This is where the directory traversal vulnerability exists.

If the follow_symlinks is set to True, the path to be followed is not validated, giving rise to unauthorized arbitrary file reading vulnerability.

According to the reports shared with Cyber Security News, this CVE-2024-23334 is associated with directory traversal which could allow an unauthenticated remote threat actor to access sensitive information from arbitrary files on the vulnerable server.

This is done by traversing through the /static directory with the enabled follow_symlink option.

Moreover, the exposed instances have been highly found in the United States (6.93k), Germany (3.48k), Spain (2.48k), the United Kingdom (1.82k), Italy (1.81k), France (1.26k), Russia (1.25k) and China (1.16k).

Countries with vulnerable aiohttp servers (Source: Cyble)

In addition to this, a proof-of-concept for this vulnerability has also been released alongside a comprehensive YouTube video that demonstrates the exploitation technique.

According to the exploit code, the researcher has set up a server that contains the ‘follow_symlink’ option enabled.

This allows the researcher to perform a directory traversal and read an arbitrary file on the D:\ volume of the server.

Users of this aiohttp framework are recommended to upgrade to the latest version in order to prevent this vulnerability from getting exploited by threat actors.

Indicators of Compromise

Indicators Indicator Type Description 
81[.]19[.]136[.]251 IP IP observed attempting to exploit CVE-2024-23334 
157[.]230[.]143[.]100 IP IP observed attempting to exploit CVE-2024-23334 
170[.]64[.]174[.]95 IP IP observed attempting to exploit CVE-2024-23334 
103[.]151[.]172[.]28 IP IP observed attempting to exploit CVE-2024-23334 
143[.]244[.]188[.]172 IP IP observed attempting to exploit CVE-2024-23334 

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

“Password Era is Ending,” Microsoft to Delete 1 Billion Passwords

Microsoft has announced that it is currently blocking an astounding 7,000 password attacks every...

Over 300,000 Prometheus Servers Vulnerable to DoS Attacks Due to RepoJacking Exploit

The research identified vulnerabilities in Prometheus, including information disclosure from exposed servers, DoS risks...

Reyee OS IoT Devices Compromised: Over-The-Air Attack Bypasses Wi-Fi Logins

Researchers discovered multiple vulnerabilities in Ruijie Networks' cloud-connected devices. By exploiting these vulnerabilities, attackers...

New Android Banking Malware Attacking Indian Banks To Steal Login Credentials

Researchers have discovered a new Android banking trojan targeting Indian users, and this malware...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Over 300,000 Prometheus Servers Vulnerable to DoS Attacks Due to RepoJacking Exploit

The research identified vulnerabilities in Prometheus, including information disclosure from exposed servers, DoS risks...

Reyee OS IoT Devices Compromised: Over-The-Air Attack Bypasses Wi-Fi Logins

Researchers discovered multiple vulnerabilities in Ruijie Networks' cloud-connected devices. By exploiting these vulnerabilities, attackers...

New Android Banking Malware Attacking Indian Banks To Steal Login Credentials

Researchers have discovered a new Android banking trojan targeting Indian users, and this malware...