ShadowSyndicate Hackers Exploit Aiohttp Vulnerability To Steal Sensitive Data
- From: Vulnerability (cybersecuritynews.com)
Author: Guru Baran
A directory traversal vulnerability (CVE-2024-23334) was identified in aiohttp versions before 3.9.2.
This vulnerability allows remote attackers to access sensitive files on the server because aiohttp does not validate that the file being read lies within the root directory when `follow_symlinks` is enabled.
Aiohttp is a popular asynchronous HTTP framework, and with over 43,000 internet-exposed instances those deployments are prime targets for attackers; patching to Aiohttp 3.9.2 or later is crucial to mitigate this vulnerability.
Exposure of AIOhttp instances
Aiohttp, one of the most widely used Python libraries for asynchronous HTTP communication, has a directory traversal vulnerability (CVE-2024-23334) that can be exploited by unauthenticated attackers.
Geographical Distribution of AIOhttp Exposures.
The critical flaw (CVSS: 7.5) stems from insufficient validation when following symbolic links with the `aiohttp.web.static(follow_symlinks=True)` option, where an attacker can craft requests to access unauthorized files outside the intended directory structure, potentially compromising sensitive server data.
A publicly available Proof of Concept (PoC) for the CVE-2024-23334 exploit, accompanied by a detailed YouTube video, was released on February 27th, which was followed by rapid exploitation attempts.
Scanning attempts on Aiohttp servers captured by CGSI
Cyble Global Sensor Intelligence (CGSI) detected scanning activity targeting this vulnerability just a day later, on February 29th, and the activity has been ongoing since. This indicates that threat actors (TAs) were quick to use the publicly available information to exploit vulnerable systems.
Aiohttp, a Python asynchronous HTTP framework, allows defining static file serving routes with a root directory.
An option, `follow_symlinks`, controls whether symbolic links are followed. When it is enabled, the requested path is not properly validated, allowing attackers to access arbitrary files on the server even when no symlinks are present.
The directory traversal vulnerability arises because file paths are constructed by joining the requested path onto the root directory without checking that the result still lies inside that root, so carefully crafted requests can traverse outside the intended area.
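The missing check and its hardened counterpart, modelled in plain Python with `pathlib` as an added example (this is not aiohttp's own code). The `vulnerable=True` branch reproduces the behaviour described above, where enabling `follow_symlinks` skips containment checking entirely; the hardened branch follows the approach I understand the 3.9.2 fix to take (normalise the path, check it is still under the root, then resolve symlinks), which is stated here as an assumption, not a quote of the library.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional


def _inside(path: Path, root: Path) -> bool:
    """True if `path` is `root` or lies beneath it (pure string/lexical check)."""
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def resolve_static_path(root: Path, requested: str, follow_symlinks: bool,
                        vulnerable: bool = False) -> Optional[Path]:
    """Map a static-route request onto a file under `root`, or refuse it (None).

    vulnerable=True models the pre-3.9.2 behaviour: with follow_symlinks on, the
    containment check is skipped, so `..` segments can walk out of the root.
    The hardened branch collapses `..` first and checks containment *before*
    following symlinks, so operator-placed symlinks inside the root still work.
    """
    root = root.resolve()
    rel = Path(requested)
    if rel.anchor:                      # absolute request paths are never served
        return None
    candidate = root / rel
    if follow_symlinks:
        if vulnerable:
            return candidate.resolve()  # no containment check at all
        normalized = Path(os.path.normpath(candidate))
        return normalized.resolve() if _inside(normalized, root) else None
    resolved = candidate.resolve()      # symlinks off: resolved target must stay inside
    return resolved if _inside(resolved, root) else None


def demo() -> dict:
    """Constructed layout: <tmp>/static/ is the served root, <tmp>/secret.txt is outside it."""
    base = Path(tempfile.mkdtemp()).resolve()
    root = base / "static"
    root.mkdir()
    (root / "index.html").write_text("<h1>ok</h1>")
    (base / "secret.txt").write_text("not for the web")
    os.symlink(base / "secret.txt", root / "link")   # symlink the operator chose to expose
    traversal = "../secret.txt"
    return {
        "normal_file": resolve_static_path(root, "index.html", True) == root / "index.html",
        "symlink_allowed": resolve_static_path(root, "link", True) == base / "secret.txt",
        "traversal_pre_fix": resolve_static_path(root, traversal, True, vulnerable=True) == base / "secret.txt",
        "traversal_fixed": resolve_static_path(root, traversal, True) is None,
        "no_follow": resolve_static_path(root, traversal, False) is None,
    }
```

Every key in the dictionary returned by `demo()` is `True`: the pre-fix branch hands back the file outside the root, while both the hardened branch and the `follow_symlinks=False` path refuse it without breaking the legitimate symlink.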
IP 81.19.136.251 has been identified as linked to LockBit ransomware activity and the ShadowSyndicate group.
Active since July 2022, ShadowSyndicate is a RaaS affiliate that employs various ransomware strains.
Group-IB researchers connected them to incidents involving Quantum (September 2022), Nokoyawa (October 2022, November 2022, March 2023), and ALPHV (February 2023) ransomware, demonstrating their wide-ranging and frequent ransomware attacks.
The following IPs, 81.19.136.251, 157.230.143.100, 170.64.174.95, 103.151.172.28, and 143.244.188.172, were identified as indicators of compromise, having been observed attempting to exploit CVE-2024-23334; systems associated with these IPs might be malicious and should be investigated further.