The ShadowSyndicate ransomware gang appears to be targeting a recently patched vulnerability affecting the Aiohttp asynchronous HTTP client/server framework.
Built on asyncio, the framework lets Python developers write asynchronous HTTP clients, servers and libraries more easily.
The vulnerability (CVE-2024-23334) is a path traversal flaw in the static file handler, aiohttp.web.static, when it is configured with follow_symlinks=True. In that mode the handler did not verify that the requested path stayed inside the configured root directory, so directory traversal sequences such as "../" (or their URL-encoded forms) in a specially crafted HTTP request let a remote, unauthenticated attacker read arbitrary files the server process can access. The option is off by default, so only deployments that explicitly enable follow_symlinks are exposed. The flaw was patched in aiohttp 3.9.2, released in January of this year.
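To make the mechanism concrete, the following is an added, self-contained illustration (not aiohttp's own code) of the path-resolution step of a static file handler. resolve_vulnerable mirrors the shape of the pre-3.9.2 logic as described above: the containment check is skipped when follow_symlinks is enabled. resolve_hardened normalizes the request path lexically and requires it to stay under the root before any symlink is followed. The directory layout, file names and the "../secret.txt" request path are constructed for the demo; assuming a POSIX filesystem for the symlink case.

```python
"""
Illustrative re-implementation of a static handler's path check.
Not aiohttp code: it only models the behaviour described for
CVE-2024-23334 (follow_symlinks=True skipping the root containment check).
"""
import os
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import unquote


def resolve_vulnerable(root: Path, url_path: str, follow_symlinks: bool) -> Optional[Path]:
    """Constructed to mirror the vulnerable shape. Returns None for a 404.

    With follow_symlinks=False the fully resolved path is checked against root.
    With follow_symlinks=True that check is skipped (a symlink target may
    legitimately live outside root), which also lets '..' climb out.
    """
    filepath = root.joinpath(unquote(url_path)).resolve()
    if not follow_symlinks:
        try:
            filepath.relative_to(root)
        except ValueError:
            return None
    return filepath


def resolve_hardened(root: Path, url_path: str, follow_symlinks: bool) -> Optional[Path]:
    """Containment check that survives follow_symlinks=True. Returns None for a 404.

    First collapse '..' segments lexically (no filesystem access) and require
    the result to sit under root; only then resolve symlinks. A symlink placed
    inside root by the operator may still point outside (that is what the
    option is for), but the request path itself can no longer escape.
    """
    unresolved = root.joinpath(unquote(url_path))
    if follow_symlinks:
        normalized = Path(os.path.normpath(unresolved))
        try:
            normalized.relative_to(root)
        except ValueError:
            return None
        return normalized.resolve()
    filepath = unresolved.resolve()
    try:
        filepath.relative_to(root)
    except ValueError:
        return None
    return filepath


def demo() -> dict:
    """Build a constructed fixture and run both resolvers against it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        root = base / "static"              # the directory we intend to serve
        root.mkdir()
        (root / "index.html").write_text("public")
        secret = base / "secret.txt"        # constructed file outside the served root
        secret.write_text("constructed secret")
        try:
            (root / "link").symlink_to(secret)  # operator-created symlink, legitimately outside root
            symlink_case = resolve_hardened(root, "link", True)
        except OSError:
            symlink_case = "skipped"        # filesystem does not permit symlinks
        traversal = "../secret.txt"
        encoded = "%2e%2e/secret.txt"       # same request, URL-encoded dots
        return {
            "root": root,
            "secret": secret,
            "vuln_no_follow": resolve_vulnerable(root, traversal, False),
            "vuln_follow": resolve_vulnerable(root, traversal, True),
            "vuln_follow_encoded": resolve_vulnerable(root, encoded, True),
            "hard_follow": resolve_hardened(root, traversal, True),
            "hard_follow_encoded": resolve_hardened(root, encoded, True),
            "hard_legit": resolve_hardened(root, "index.html", True),
            "hard_symlink": symlink_case,
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running demo() shows the contrast: the vulnerable resolver with follow_symlinks=True hands back the file outside the served directory for both the plain and the URL-encoded traversal, while the hardened one rejects both yet still serves index.html and still follows the operator's own symlink. When auditing an aiohttp deployment, the thing to grep for is an add_static call (or web.static) that passes follow_symlinks=True on a version below 3.9.2.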
According to Cyble researchers, there are over 43,000 Internet-exposed aiohttp instances worldwide, with the majority located in the US, Germany and Spain.
Two days after a proof-of-concept (PoC) exploit for CVE-2024-23334 was published on February 27, the researchers began seeing exploitation attempts against the vulnerability. Cyble says that one of the attacking IP addresses observed has previously been linked to the LockBit ransomware operation, “and also indicates an association with the ShadowSyndicate group.”
Active since June 2022, ShadowSyndicate operates as a Ransomware-as-a-Service (RaaS) actor and uses several ransomware families, including Quantum, Nokoyawa and ALPHV/BlackCat. Researchers have also linked the group to Royal, Cl0p, Cactus and Play ransomware activity, and ShadowSyndicate infrastructure appears to be connected to Cl0p/Truebot.
The gang employs an array of tools in their attacks, including the Sliver and Meterpreter penetration testing tools, the IcedID banking trojan, and the Matanbuchus malware loader.
While Cyble researchers have not yet observed successful attacks leveraging CVE-2024-23334, “the scanning attempts by the Shadowsyndicate group underscore the looming threat.” Organizations should upgrade to aiohttp 3.9.2 or later as soon as possible, review whether any static routes enable follow_symlinks=True, and implement the other recommended security measures.