Threat actors appear to be attempting to exploit a recently patched Aiohttp vulnerability that could affect thousands of servers worldwide, according to threat intelligence firm Cyble.
Aiohttp is an open source asynchronous HTTP client/server framework for Asyncio and Python.
There are dozens of libraries built on top of Aiohttp and it powers the websites of several major companies.
A Shodan search for 'aiohttp' shows more than 70,000 results worldwide, including many in the United States, China and Germany.
Cyble's own scanner has identified 43,000 internet-exposed instances, with significant percentages seen in the US and Europe.
Many of these systems could be affected by CVE-2024-23334, a high-severity path traversal vulnerability patched in late January with the release of Aiohttp 3.9.2.
The flaw sits in the framework's static file serving: when a static route is configured with `follow_symlinks=True`, the requested path is not checked to stay inside the static root directory, so a remote, unauthenticated attacker can use `..` sequences to read arbitrary files that the application process can access. Applications that do not serve static files through Aiohttp, or that leave `follow_symlinks` at its default of `False`, are not exposed, but upgrading to 3.9.2 or later remains the right fix.
A proof-of-concept exploit for CVE-2024-23334 was made public in late February and Cyble started seeing scanning activity shortly after.
The cybersecurity firm noticed exploitation attempts coming from multiple IP addresses, including one previously linked to a cybercrime group named ShadowSyndicate.
The threat actor has been active since at least July 2022, according to a recent report from Group-IB. ShadowSyndicate is believed to be a ransomware-as-a-service affiliate that has worked with several ransomware operations, including Royal, Cl0p, Play and Cactus.
There does not appear to be conclusive evidence that the vulnerability has been successfully exploited to hack into organizations' systems, but the fact that threat actors have set their sights on the flaw is concerning.
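Defenders who want to know whether the scanning Cyble describes has reached their own servers can look for traversal probes against static routes in Aiohttp's access log. The following detector is an added example written for this article, not code from Cyble, SecurityWeek or the Aiohttp project. It assumes Aiohttp's default access-log format (`%a %t "%r" %s %b "%{Referer}i" "%{User-Agent}i"`) and a static route mounted at `/static/`; the log lines are constructed for illustration, not captured from any real server. It fully percent-decodes the request path (so double-encoded `%252e%252e` probes are not missed) before normalizing it, and it does not flag file names that merely contain two dots, such as `logo..png`.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Static route prefixes to watch. "/static/" is an assumption for this example;
# use whatever prefixes your app passes to web.static() / add_static().
STATIC_PREFIXES = ("/static/",)

# Constructed sample lines in aiohttp's default access-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 [19/Mar/2024:10:43:06 +0000] "GET /static/css/site.css HTTP/1.1" 200 4121 "-" "Mozilla/5.0"
203.0.113.10 [19/Mar/2024:10:43:07 +0000] "GET /static/../../../../etc/passwd HTTP/1.1" 404 14 "-" "python-requests/2.31"
198.51.100.7 [19/Mar/2024:10:43:08 +0000] "GET /static/..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 404 14 "-" "curl/8.5.0"
198.51.100.7 [19/Mar/2024:10:43:09 +0000] "GET /static/%252e%252e/%252e%252e/etc/shadow HTTP/1.1" 404 14 "-" "curl/8.5.0"
192.0.2.44 [19/Mar/2024:10:43:10 +0000] "GET /static/img/logo..png HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

# Captures client IP, timestamp, method, request target and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def decode_fully(s: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly until stable, to unwrap double/triple encoding."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def is_traversal(target: str, prefixes=STATIC_PREFIXES) -> bool:
    """True if the request target is a dot-dot traversal probe aimed at a static route.

    A path counts when, after full decoding, it contains a ".." segment and
    either starts under a static prefix or normalizes to a path under one.
    """
    decoded = decode_fully(urlsplit(target).path).replace("\\", "/")
    if ".." not in decoded.split("/"):
        return False  # no dot-dot *segment*: "logo..png" is benign
    normalized = posixpath.normpath(decoded)
    return decoded.startswith(prefixes) or normalized.startswith(prefixes)


def find_traversal_attempts(log_text: str, prefixes=STATIC_PREFIXES):
    """Return (ip, raw_target, status) for every flagged request in the log."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-default format line; skip
        if is_traversal(m["target"], prefixes):
            hits.append((m["ip"], m["target"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for ip, target, status in find_traversal_attempts(SAMPLE_LOG):
        # A 2xx on a flagged line means the file was actually served: triage immediately.
        print(f"{ip} -> {target} ({status})")
```

The status column is the important second signal: a flagged request answered with 2xx indicates the server returned file contents and should be treated as a likely compromise of that host, while 4xx responses show probing that the application rejected. Feeding the hits into a block list for the source IPs is cheap, but the real remediation is confirming the running Aiohttp version is 3.9.2 or later on every exposed instance.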
Published on www.securityweek.com, Tue, 19 Mar 2024 10:43:06 +0000.