Governance & Risk Management , Patch Management

Ransomware Hackers May Be Exploiting Aiohttp Library Bug

The Python Library Flaw Allows Directory Traversal Attacks
Ransomware Hackers May Be Exploiting Aiohttp Library Bug
Hackers, possibly from the ShadowSyndicate, are exploiting a Python library flaw. (Image: Shutterstock)

Hackers who are possibly members of a criminal group affiliated with numerous ransomware-as-a-service operations are exploiting a directory traversal vulnerability in a Python library that allows unauthenticated remote attackers access to sensitive information from server files.

Researchers from cybersecurity firm Cyble said they began detecting activity exploiting the vulnerability within days after someone on Feb. 27 posted a proof of concept and a YouTube video demonstrating how to use it.

See Also: Cyber Hygiene and Asset Management Perception vs. Reality

The vulnerability lies in aiohttp, a Python library for asynchronous HTTP clients and servers, built on asyncio library. It supports HTTP protocol and WebSockets, and it features middlewares, signals and pluggable routing for web servers.

The directory traversal vulnerability, tracked as CVE-2024-23334, rates 7.5 on the CVSS scale. It affects the aiohttp library due to a lack of proper validation when defining static routes for serving files.

The issue occurs specifically when the follow_symlinks option is set to true, enabling unauthorized access to files outside the specified root directory. This oversight grants threat actors the ability to exploit the framework, potentially compromising the integrity and confidentiality of server data.

Cyble identified over 43,000 internet-exposed aiohttp instances globally, and most of the servers were predominantly located in the United States, Germany, Spain and other Asian regions, including Russian and China.

Aiohttp released version 3.9.2 on Jan. 28 to address the bug.

Cyble said that researchers previously associated one of the IP addresses used by hackers to scan for vulnerable servers with the recently established ShadowSyndicate group, known for its involvement in ransomware operations (see: ShadowSyndicate: A New Player in the RaaS Landscape).

Cybersecurity firm Group-IB in September linked ShadowSyndicate infrastructure to attacks from Quantum ransomware, Nokoyawa and the Alphv ransomware hackers. Group-IB also identified, with a low degree of confidence, infrastructure overlaps linking ShadowSyndicate to the TrickBot, Ryuk, FIN7 and TrueBot malware operations.

About the Author

Mihir Bagwe

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.