A ransomware group known as ‘ShadowSyndicate’ has been observed scanning for servers vulnerable to CVE-2024-23334, a directory traversal vulnerability in the aiohttp Python library. Aiohttp is an open-source library built on Python’s asynchronous I/O framework, Asyncio, and is widely used for handling concurrent HTTP requests.
CVE-2024-23334, a high-severity flaw affecting aiohttp versions prior to 3.9.2, allows remote attackers to read files on vulnerable servers. The vulnerability arises from inadequate path validation when the ‘follow_symlinks’ option is enabled on a static route, allowing requests to reach files outside the server’s static root directory.
A proof of concept (PoC) exploit for CVE-2024-23334 was released on GitHub in February 2024, with a detailed instructional video appearing on YouTube shortly after. The analysts have detected exploitation attempts starting from February 29, originating from five IP addresses, one of which was previously linked to ShadowSyndicate.
ShadowSyndicate, an opportunistic ransomware group, has been active since July 2022 and is believed to be affiliated with multiple ransomware operations. Despite the scanning activity, it is unclear whether these attempts have led to successful breaches.
To mitigate the risk of exploitation, ensure your aiohttp library is updated to version 3.9.2 or newer, which addresses the CVE-2024-23334 vulnerability. Regularly monitor your servers for suspicious activity and implement strong authentication mechanisms to prevent unauthorized access. Consider using a web application firewall (WAF) to filter and block malicious traffic targeting your servers.
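As an added illustration (not aiohttp's own code and not part of the original article), the constructed snippet below models the containment check behind the flaw described above and the upgrade advice: a pre-3.9.2-style resolver that skips the root check when follow_symlinks is enabled, a 3.9.2-style resolver that normalizes the path before trusting it, and a simple version comparison. The root directory and request paths are constructed, nothing is read from disk, and Python 3.9+ is assumed for Path.is_relative_to.

```python
"""Constructed model of the static-root containment check behind CVE-2024-23334.

This is not aiohttp's code; it mirrors the shape of the logic so the bug and
the fix can be exercised side by side without touching the filesystem.
"""
import os
from pathlib import Path

EXAMPLE_ROOT = Path("/srv/static")  # constructed static root, need not exist


def resolve_pre_fix(root: Path, requested: str, follow_symlinks: bool) -> Path:
    """Pre-3.9.2 shape: containment is only enforced when symlinks are NOT followed."""
    candidate = root.joinpath(requested).resolve()
    if not follow_symlinks:
        candidate.relative_to(root)  # ValueError if the resolved path left root
    return candidate


def resolve_fixed(root: Path, requested: str, follow_symlinks: bool) -> Path:
    """3.9.2-style shape: reject '..' escapes lexically before following symlinks."""
    unresolved = root.joinpath(requested.lstrip("/"))
    if follow_symlinks:
        normalized = Path(os.path.normpath(unresolved))
        normalized.relative_to(root)  # ValueError on traversal outside root
        return normalized.resolve()
    resolved = unresolved.resolve()
    resolved.relative_to(root)
    return resolved


def serves_outside_root(resolver, root: Path, requested: str, follow_symlinks: bool) -> bool:
    """True when the resolver would hand back a file outside root instead of refusing."""
    try:
        path = resolver(root, requested, follow_symlinks)
    except ValueError:
        return False  # request rejected: the safe outcome
    return not path.is_relative_to(root)


def needs_upgrade(installed: str, fixed: str = "3.9.2") -> bool:
    """Numeric dotted-version comparison (release versions only); True if installed < fixed."""
    def key(v: str):
        return tuple(int(p) for p in v.split(".")[:3])
    return key(installed) < key(fixed)


if __name__ == "__main__":
    probe = "../outside.txt"  # constructed traversal request
    print("pre-fix, follow_symlinks=True:", serves_outside_root(resolve_pre_fix, EXAMPLE_ROOT, probe, True))
    print("fixed,   follow_symlinks=True:", serves_outside_root(resolve_fixed, EXAMPLE_ROOT, probe, True))
    print("aiohttp 3.9.1 needs upgrade  :", needs_upgrade("3.9.1"))
```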