52% of Serious Vulnerabilities We Find are Related to Windows 10
We analyzed 2.5 million vulnerabilities we discovered in our customers' assets. This is what we found.
Digging into the data
The dataset we analyze here is representative of a subset of clients that subscribe to our vulnerability scanning services. Assets scanned include those reachable across the Internet, as well as those present on internal networks. The data includes findings for network […]
Frontier Communications shuts down systems after cyberattack
American telecom provider Frontier Communications is restoring systems after a cybercrime group breached some of its IT systems in a recent cyberattack. […]
Swiss visa appointments cancelled in UK due to ‘IT incident’
All appointments for Swiss Schengen tourist and transit visa applicants have been cancelled across the UK. TLSContact, the IT provider chosen by the Swiss government to handle visa applications from citizens of third countries, has blamed an ‘IT incident’ at its London, Manchester, and Edinburgh centers for the cancellations. […]
ShadowSyndicate Hackers Exploit Aiohttp Vulnerability To Steal Sensitive Data
A directory traversal vulnerability (CVE-2024-23334) was identified in aiohttp versions before 3.9.2.
This vulnerability allows remote attackers to access sensitive files on the server because aiohttp doesn’t validate file reading within the root directory when ‘follow_symlinks’ is enabled.
Aiohttp is a popular asynchronous HTTP framework, and more than 43,000 internet-exposed instances have been observed, making them prime targets for attackers. Upgrading to aiohttp 3.9.2 or later is the fix for this vulnerability.
Exposure of aiohttp instances
Aiohttp, one of the most widely used Python libraries for asynchronous HTTP communication, carries a directory traversal vulnerability (CVE-2024-23334) that unauthenticated attackers can exploit.
Geographical distribution of aiohttp exposures.
The flaw, rated 7.5 (High) on the CVSS scale, stems from insufficient validation when following symbolic links with the `aiohttp.web.static(follow_symlinks=True)` option: an attacker can craft requests that resolve to files outside the intended directory, potentially exposing sensitive server data.
A publicly available Proof of Concept (PoC) for the CVE-2024-23334 exploit, accompanied by a detailed YouTube video, was released on February 27th, which was followed by rapid exploitation attempts.
Scanning attempts on aiohttp servers captured by CGSI
Cyble Global Sensor Intelligence (CGSI) detected scanning activity targeting this vulnerability two days later, on February 29th, and the activity has been ongoing since, which indicates that threat actors (TAs) were quick to turn the publicly available information into attempts against vulnerable systems.
Aiohttp, a Python asynchronous HTTP framework, allows defining static file serving routes with a root directory.
An option, `follow_symlinks`, controls whether symbolic links under that root are followed. When it is enabled, the check that the resolved path still lies inside the root is skipped, so an attacker can read arbitrary files on the server even when no symlink exists.
The directory traversal arises because the served path is built by joining the requested path onto the root directory; with the containment check absent, a request containing `..` segments walks out of the intended area.
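The following is an added example, not code from the article or from the aiohttp project. It models, in plain Python with no aiohttp dependency, the resolution logic the paragraphs above describe: a `resolve_vulnerable` function that joins the request onto the root and only checks containment when `follow_symlinks` is off, and a `resolve_hardened` function that confines the request in both branches (one way to fix it; the function names, the temporary directory layout and the file contents are constructed for the demonstration).

```python
"""Model of aiohttp-style static path resolution: flawed vs. hardened.
Added example, not the project's own code."""
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


class Forbidden(Exception):
    """Raised when a request would resolve outside the static root."""


def resolve_vulnerable(root: Path, requested: str, follow_symlinks: bool) -> Path:
    """Flawed resolution as described in the text: join the request onto the
    root, resolve it, and verify containment ONLY when follow_symlinks is False.
    With follow_symlinks=True every '..' segment is honoured, so the request
    escapes the root without any symlink being involved."""
    filename = unquote(requested).lstrip("/")   # route gives the path without a leading slash
    filepath = root.joinpath(filename).resolve()
    if not follow_symlinks:
        try:
            filepath.relative_to(root)
        except ValueError:
            raise Forbidden(filename)
    return filepath


def resolve_hardened(root: Path, requested: str, follow_symlinks: bool) -> Path:
    """Hardened resolution: containment is enforced in both branches.
    With follow_symlinks the check runs on the lexically normalised path
    (before symlinks are followed), so an operator's deliberate symlink that
    points outside the root still works while '..' traversal does not."""
    filename = unquote(requested).lstrip("/")
    if follow_symlinks:
        candidate = Path(os.path.normpath(root.joinpath(filename)))
        try:
            candidate.relative_to(root)
        except ValueError:
            raise Forbidden(filename)
        return candidate.resolve()
    filepath = root.joinpath(filename).resolve()
    try:
        filepath.relative_to(root)
    except ValueError:
        raise Forbidden(filename)
    return filepath


def build_demo_root():
    """Constructed sample layout: <tmp>/static/index.html is public,
    <tmp>/secret.txt sits one level above the static root."""
    base = Path(tempfile.mkdtemp()).resolve()   # resolve() so relative_to() compares real paths
    root = base / "static"
    root.mkdir()
    (root / "index.html").write_text("<h1>public</h1>")
    (base / "secret.txt").write_text("db_password=hunter2")
    return root, base / "secret.txt"


def demo() -> dict:
    """Run the traversal request against both resolvers and report what happened."""
    root, secret = build_demo_root()
    traversal = "%2e%2e/secret.txt"   # '../secret.txt' as a scanner might send it, URL-encoded
    results = {}
    # Pre-fix behaviour with follow_symlinks=True: the secret is served.
    results["vulnerable_escape"] = resolve_vulnerable(root, traversal, True) == secret
    # Pre-fix behaviour with follow_symlinks=False: the old check catches it.
    try:
        resolve_vulnerable(root, traversal, False)
        results["vulnerable_nosymlink_blocked"] = False
    except Forbidden:
        results["vulnerable_nosymlink_blocked"] = True
    # Hardened: blocked in both modes, legitimate file still served.
    for fs in (True, False):
        try:
            resolve_hardened(root, traversal, fs)
            results[f"hardened_blocked_{fs}"] = False
        except Forbidden:
            results[f"hardened_blocked_{fs}"] = True
    served = resolve_hardened(root, "index.html", True).read_text()
    results["hardened_serves_index"] = served == "<h1>public</h1>"
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The important detail is where the containment check sits: checking `relative_to(root)` only after `resolve()` cannot coexist with `follow_symlinks=True` (a legitimate symlink target fails the check), which is why a correct fix normalises the path lexically, confines it, and only then follows symlinks.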
The IP address 81.19.136.251 has been linked to LockBit ransomware activity and to the ShadowSyndicate group.
Active since July 2022, ShadowSyndicate is a RaaS affiliate that employs various ransomware strains.
Group-IB researchers connected them to incidents involving Quantum (September 2022), Nokoyawa (October 2022, November 2022, March 2023), and ALPHV (February 2023) ransomware, demonstrating their wide-ranging and frequent ransomware attacks.
The following IP addresses were observed attempting to exploit CVE-2024-23334 and are treated as indicators of compromise: 81.19.136.251, 157.230.143.100, 170.64.174.95, 103.151.172.28, and 143.244.188.172. Systems that have communicated with these addresses should be investigated further.
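As an added example (not from the article), the following script turns the two operational points above, the scanning activity CGSI observed and the IOC list, into a log triage check: it flags access-log requests whose path contains a `..` segment after percent-decoding (including double encoding), records which of those the server answered with a 2xx, and matches source addresses against the listed IOCs. The Combined Log Format regex and the log lines are constructed samples, not real traffic.

```python
"""Triage web access logs for CVE-2024-23334-style traversal attempts.
Added example; the log lines below are constructed, not observed traffic."""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Addresses the article lists as observed exploiting CVE-2024-23334.
IOC_IPS = frozenset({
    "81.19.136.251", "157.230.143.100", "170.64.174.95",
    "103.151.172.28", "143.244.188.172",
})

# Constructed sample in Combined Log Format (not real traffic).
SAMPLE_LOG = """\
81.19.136.251 - - [29/Feb/2024:10:01:02 +0000] "GET /static/../../../etc/passwd HTTP/1.1" 200 1432 "-" "python-requests/2.31"
203.0.113.7 - - [29/Feb/2024:10:01:05 +0000] "GET /static/css/site.css HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
157.230.143.100 - - [29/Feb/2024:10:02:11 +0000] "GET /static/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 403 0 "-" "curl/8.4.0"
203.0.113.9 - - [29/Feb/2024:10:03:44 +0000] "GET /static/%252e%252e/%252e%252e/app/config.py HTTP/1.1" 200 955 "-" "Go-http-client/1.1"
203.0.113.7 - - [29/Feb/2024:10:04:00 +0000] "GET /static/img/logo..png HTTP/1.1" 200 3011 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_path(path: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly until the string stops changing, so that
    double-encoded sequences such as %252e%252e are seen as '..'."""
    for _ in range(rounds):
        new = unquote(path)
        if new == path:
            break
        path = new
    return path


def has_traversal(path: str) -> bool:
    """True when some path segment is exactly '..' after decoding.
    A filename like 'logo..png' is not traversal; '/a/../b' is."""
    decoded = decode_path(path.split("?", 1)[0])
    return any(seg == ".." for seg in re.split(r"[/\\]", decoded))


def triage(log_text: str) -> dict:
    """Return per-source-IP traversal attempt counts, the decoded paths the
    server answered with 2xx (likely successful reads), and IOC matches."""
    attempts = Counter()
    served = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not has_traversal(m["path"]):
            continue
        attempts[m["ip"]] += 1
        if m["status"].startswith("2"):
            served[m["ip"]].append(decode_path(m["path"]))
    return {
        "attempts": dict(attempts),
        "served": dict(served),
        "ioc_hits": sorted(set(attempts) & IOC_IPS),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("traversal attempts per IP:", report["attempts"])
    print("answered with 2xx:", report["served"])
    print("source IPs matching IOC list:", report["ioc_hits"])
```

A traversal request that the server answered with 200 is the line to escalate: on an unpatched aiohttp static route with `follow_symlinks=True` that is the signature of a file actually being read, whereas a 403 or 404 shows the containment check did its job. Matching on a `..` segment rather than the literal string `..` avoids noise from legitimate filenames.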