ShadowSyndicate hackers exploit Aiohttp vulnerability for sensitive data theft



A directory traversal vulnerability (CVE-2024-23334) in aiohttp versions before 3.9.2 lets remote, unauthenticated attackers read sensitive files on the server. When a static route is configured with ‘follow_symlinks’ enabled, the check that is supposed to keep file reads inside the configured root directory is skipped, so a crafted request path can escape that root.

What is Aiohttp?

Aiohttp is an asynchronous HTTP client/server framework built on top of Python’s asyncio library. It is designed for building web applications and performing HTTP requests in an asynchronous, non-blocking manner, making it well-suited for high-performance and scalable web services.

Aiohttp is one of the most widely used Python libraries for asynchronous HTTP communication, and this directory traversal vulnerability (CVE-2024-23334) can be exploited by unauthenticated attackers.

The high-severity flaw (CVSS: 7.5) arises from inadequate path validation when a static route is registered with the aiohttp.web.static(follow_symlinks=True) option. Attackers can exploit it to read files outside the intended directory, potentially exposing sensitive server data such as configuration files and credentials.

Cyble Global Sensor Intelligence (CGSI) detected scanning activity targeting this vulnerability on February 29th, within a day of exploit details becoming publicly available, and the scanning has persisted since then. This suggests that threat actors (TAs) swiftly capitalized on the public information to hunt for vulnerable systems.

Aiohttp lets an application define a static file route that serves everything under a given root directory. The route's follow_symlinks option controls whether symbolic links inside that directory are followed. In affected versions, enabling it also disables the containment check on the requested path, so attackers can read arbitrary files on the server even when no symlink exists at all.

The traversal occurs because the served path is built by concatenating the requested path onto the root directory. With follow_symlinks enabled, the resolved result is never verified to still lie under the root, so a request containing ‘../’ components navigates beyond the intended area. Version 3.9.2 fixes this by normalizing the path and requiring it to remain inside the root before any symlink is followed.
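The following added example models the resolution logic described above; it is not aiohttp's own code. resolve_vulnerable mirrors the pre-3.9.2 behaviour (the containment check runs only when follow_symlinks is False), and resolve_hardened mirrors the shape of the fix (collapse ‘..’ lexically, require the result to stay under root, then follow symlinks). The function names, the temporary fixture directory and the requests are assumptions constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path


def resolve_vulnerable(root: Path, requested: str, follow_symlinks: bool) -> Path:
    """Pre-3.9.2 style resolution (modelled here, not aiohttp's code).

    The requested path is concatenated onto root and resolved. The containment
    check (relative_to) only runs when follow_symlinks is False, so with it
    enabled a plain '..' request walks out of root with no symlink involved.
    """
    filepath = root.joinpath(requested.lstrip("/")).resolve()
    if not follow_symlinks:
        filepath.relative_to(root)  # raises ValueError if outside root
    return filepath


def resolve_hardened(root: Path, requested: str, follow_symlinks: bool) -> Path:
    """Hardened resolution in the spirit of the 3.9.2 fix.

    '..' components are collapsed lexically first and the result must lie
    under root before any symlink is followed. A symlink inside root may
    still point outside it when follow_symlinks is True (that is the
    feature's purpose), but the request path itself can no longer escape.
    """
    candidate = root.joinpath(requested.lstrip("/"))
    if follow_symlinks:
        normalized = Path(os.path.normpath(candidate))
        normalized.relative_to(root)  # ValueError if '..' escaped root
        return normalized.resolve()
    filepath = candidate.resolve()
    filepath.relative_to(root)  # ValueError if the symlink target is outside
    return filepath


def serve(resolver, root: Path, requested: str, follow_symlinks: bool):
    """Return the path the resolver would serve, or None if it rejects the request."""
    try:
        return resolver(root, requested, follow_symlinks)
    except ValueError:
        return None


def build_static_root():
    """Constructed fixture: <tmp>/static is the served root and holds a regular
    file plus a symlink to <tmp>/outside.txt; <tmp>/secret.txt sits outside root."""
    base = Path(tempfile.mkdtemp()).resolve()
    root = base / "static"
    root.mkdir()
    (root / "index.html").write_text("<h1>hello</h1>")
    secret = base / "secret.txt"
    secret.write_text("top secret")
    outside = base / "outside.txt"
    outside.write_text("linked content")
    (root / "link.txt").symlink_to(outside)
    return root, secret, outside


if __name__ == "__main__":
    root, secret, outside = build_static_root()
    for name, resolver in (("vulnerable", resolve_vulnerable), ("hardened", resolve_hardened)):
        for req in ("index.html", "link.txt", "../secret.txt"):
            print(f"{name:10} follow_symlinks=True  {req!r:16} -> {serve(resolver, root, req, True)}")
```

Run as-is and the vulnerable resolver hands back secret.txt for the ‘../secret.txt’ request, while the hardened one rejects it yet still serves link.txt through its symlink, which is the behaviour follow_symlinks is meant to provide.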

One of the scanning sources, IP 81.19.136.251, has previously been associated with LockBit ransomware operations attributed to the ShadowSyndicate group.

ShadowSyndicate, operational since July 2022, is a Ransomware-as-a-Service (RaaS) affiliate known for utilizing diverse ransomware variants.

Group-IB researchers have linked ShadowSyndicate to several incidents involving Quantum (September 2022), Nokoyawa (October 2022, November 2022, March 2023), and ALPHV (February 2023) ransomware, underscoring their extensive and frequent ransomware campaigns.

The IPs 81.19.136.251, 157.230.143.100, 170.64.174.95, 103.151.172.28, and 143.244.188.172 have been flagged as indicators of compromise related to the exploitation of CVE-2024-23334. Administrators running aiohttp with follow_symlinks enabled should upgrade to 3.9.2 or later and review web server access logs for requests from these IPs, as well as for any request path containing traversal sequences such as ‘../’ or its URL-encoded forms, that returned a successful status.
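As an added example of the log review suggested above (not tooling from the article or from Cyble), the script below walks access log lines in the common log format, flags requests from the listed indicator IPs, and flags traversal attempts after URL decoding, including double-encoded and backslash variants. The log lines are constructed samples, and the record layout and function names are assumptions.

```python
import re
from urllib.parse import unquote

# Indicator IPs listed in the article.
IOC_IPS = {
    "81.19.136.251",
    "157.230.143.100",
    "170.64.174.95",
    "103.151.172.28",
    "143.244.188.172",
}

# Common/combined log format: client ip, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines: one successful traversal from an indicator IP,
# a benign request, an encoded and a double-encoded attempt, and an
# indicator IP fetching a harmless resource.
SAMPLE_LOG = """\
81.19.136.251 - - [29/Feb/2024:10:14:02 +0000] "GET /static/../../../../etc/passwd HTTP/1.1" 200 1104
203.0.113.7 - - [29/Feb/2024:10:14:05 +0000] "GET /static/css/site.css HTTP/1.1" 200 2048
198.51.100.23 - - [29/Feb/2024:10:15:11 +0000] "GET /static/..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 404 0
198.51.100.23 - - [29/Feb/2024:10:15:12 +0000] "GET /static/%252e%252e/%252e%252e/etc/shadow HTTP/1.1" 403 0
157.230.143.100 - - [29/Feb/2024:10:16:40 +0000] "GET /robots.txt HTTP/1.1" 200 26
"""


def is_traversal(path: str) -> bool:
    """True if the request path contains a parent-directory step once decoded.

    Decoding twice catches double-encoded '%252e%252e'; backslashes are
    folded to '/' so Windows-style '..\\' sequences are caught as well.
    """
    decoded = unquote(unquote(path)).replace("\\", "/")
    return "../" in decoded or decoded.endswith("/..") or decoded == ".."


def triage(lines):
    """Return one record per suspicious line: indicator-IP source and/or a
    traversal attempt, with 'succeeded' set when the traversal got a 200."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip it
        rec = m.groupdict()
        rec["ioc"] = rec["ip"] in IOC_IPS
        rec["traversal"] = is_traversal(rec["path"])
        rec["succeeded"] = rec["traversal"] and rec["status"] == "200"
        if rec["ioc"] or rec["traversal"]:
            findings.append(rec)
    return findings


if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG.splitlines()):
        tags = [t for t in ("ioc", "traversal", "succeeded") if rec[t]]
        print(f"{rec['ip']:16} {rec['status']} {rec['path']}  [{', '.join(tags)}]")
```

Records with ‘succeeded’ set are the ones to escalate: a traversal request that returned 200 means the file was most likely read, whereas 403/404 responses show scanning but not necessarily a vulnerable route. Point the script at a real log by replacing SAMPLE_LOG with the file's lines.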

May 3rd, 2024 | BOTNET, Compromised, Exploitation, Security Advisory, Security Update, vulnerability

About the Author:

FirstHackersNews- Identifies Security
