Hackers are apparently attempting to exploit a recently patched Aiohttp vulnerability that could impact thousands of servers worldwide, according to threat intelligence firm Cyble.
Aiohttp is an open source asynchronous HTTP client/server framework for Asyncio and Python. There are dozens of libraries built on top of Aiohttp and it powers the websites of several major companies.
A Shodan search for ‘aiohttp’ shows more than 70,000 results worldwide, including many in the United States, China and Germany. Cyble’s own scanner has identified 43,000 internet-exposed instances, with significant percentages seen in the US and Europe.
Many of these systems could be impacted by CVE-2024-23334, a high-severity path traversal vulnerability patched in late January with the release of version 3.9.2. The flaw can be exploited by remote, unauthenticated attackers to access sensitive information from arbitrary files stored on the targeted server.
A proof-of-concept (PoC) exploit for CVE-2024-23334 was made public in late February and Cyble started seeing scanning activity shortly after.
The cybersecurity firm noticed exploitation attempts coming from multiple IP addresses, including one previously linked to a cybercrime group named ShadowSyndicate.
The threat actor has been active since at least July 2022, according to a recent report from Group-IB. ShadowSyndicate is believed to be a ransomware-as-a-service affiliate that has worked with several ransomware operations, including Royal, Cl0p, Play and Cactus.
There does not appear to be conclusive evidence that the vulnerability has been successfully exploited to hack into organizations’ systems, but the fact that threat actors have set their sights on the flaw is concerning.
“The prevalence of servers running on unpatched versions of the Aiohttp framework poses a significant risk in cybersecurity. While attacks haven’t been observed utilizing this specific vulnerability at present, the scanning attempts by the ShadowSyndicate group underscore the looming threat,” Cyble said.
Related: 45,000 Exposed Jenkins Instances Found Amid Reports of In-the-Wild Exploitation
Related: Possibly Exploited Fortinet Flaw Impacts Many Systems, but No Signs of Mass Attacks
Related: Apache ActiveMQ Vulnerability Exploited as Zero-Day
Related: CISA Warns of Roundcube Webmail Vulnerability Exploitation
