Ransomware Hackers May Be Exploiting Aiohttp Library Bug
The Python Library Flaw Allows Directory Traversal Attacks

Hackers who are possibly members of a criminal group affiliated with numerous ransomware-as-a-service operations are exploiting a directory traversal vulnerability in a Python library that gives unauthenticated remote attackers access to sensitive information in server files.
Researchers from cybersecurity firm Cyble said they began detecting activity exploiting the vulnerability within days after someone on Feb. 27 posted a proof of concept and a YouTube video demonstrating how to use it.
The vulnerability lies in aiohttp, a Python library for asynchronous HTTP clients and servers built on the asyncio library. It supports the HTTP protocol and WebSockets, and on the server side it provides middleware, signals and pluggable routing.
The directory traversal vulnerability, tracked as CVE-2024-23334, has a CVSS score of 7.5. It affects the aiohttp library because of missing path validation when static routes are defined for serving files.
The issue occurs specifically when the follow_symlinks option is set to true, enabling unauthorized access to files outside the specified root directory. This oversight grants threat actors the ability to exploit the framework, potentially compromising the integrity and confidentiality of server data.
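The flaw described above is a missing containment check on the path that a static route resolves. The following is an added example, not aiohttp's own code: it models, with the standard library only, the two resolution modes a static-file handler needs and the check that keeps both inside the root. The `resolve_static_path` and `build_sandbox` names and the temporary directory layout are constructed for this illustration; `resolve_static_path_unchecked` models the flawed branch, which resolves the path but never verifies containment.

```python
import os
import tempfile
from pathlib import Path


def resolve_static_path(root, requested, follow_symlinks=False):
    """Map a request path to a file under ``root``.

    Returns the resolved Path, or None when the result would lie outside
    ``root``. The containment check runs on both branches; the article's
    bug is a handler that only checked containment when symlinks were
    *not* followed.
    """
    root_path = Path(root).resolve()
    parts = [p for p in requested.split("/") if p and p != "."]
    unresolved = root_path.joinpath(*parts)
    try:
        if follow_symlinks:
            # Reject ".." escapes on the lexical path first; a symlink inside
            # the root may then legitimately point elsewhere (that is what
            # follow_symlinks is for).
            normalized = Path(os.path.normpath(unresolved))
            normalized.relative_to(root_path)
            return normalized.resolve()
        # Without symlink following, resolve first so that a link leaving the
        # root is caught by the same containment check.
        resolved = unresolved.resolve()
        resolved.relative_to(root_path)
        return resolved
    except ValueError:
        # relative_to() raises ValueError when root_path is not an ancestor.
        return None


def resolve_static_path_unchecked(root, requested):
    """Model of the flawed branch: follow symlinks, skip the containment check."""
    root_path = Path(root).resolve()
    parts = [p for p in requested.split("/") if p and p != "."]
    return root_path.joinpath(*parts).resolve()


def build_sandbox():
    """Constructed layout for the demonstration (hypothetical, created in a
    temp dir): <tmp>/public is the static root, <tmp>/secret.txt sits beside
    it, and public/escape is a symlink that points at secret.txt."""
    base = Path(tempfile.mkdtemp()).resolve()
    public = base / "public"
    public.mkdir()
    (public / "index.html").write_text("<h1>ok</h1>")
    secret = base / "secret.txt"
    secret.write_text("not for the web")
    os.symlink(secret, public / "escape")
    return public, secret


if __name__ == "__main__":
    public, secret = build_sandbox()
    for req in ("index.html", "../secret.txt", "escape"):
        for follow in (False, True):
            print(f"{req!r:18} follow_symlinks={follow!s:5} ->",
                  resolve_static_path(public, req, follow))
    print("unchecked '../secret.txt' ->",
          resolve_static_path_unchecked(public, "../secret.txt"))
```

With the check in place a `..` segment is refused in both modes, a symlink that leaves the root is refused unless symlink following was explicitly enabled, and a normal file under the root resolves as expected. The unchecked variant returns the file beside the root for the same `..` request, which is the behaviour the article attributes to vulnerable versions.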
Cyble identified over 43,000 internet-exposed aiohttp instances globally. Most of the servers were located in the United States, Germany and Spain, with further concentrations in Asian regions, including Russia and China.
Aiohttp released version 3.9.2 on Jan. 28 to address the bug.
Cyble said that researchers previously associated one of the IP addresses used by hackers to scan for vulnerable servers with the recently established ShadowSyndicate group, known for its involvement in ransomware operations (see: ShadowSyndicate: A New Player in the RaaS Landscape).
Cybersecurity firm Group-IB in September linked ShadowSyndicate infrastructure to attacks from Quantum ransomware, Nokoyawa and the Alphv ransomware hackers. Group-IB also identified, with a low degree of confidence, infrastructure overlaps linking ShadowSyndicate to the TrickBot, Ryuk, FIN7 and TrueBot malware operations.