BleepingComputer reports that intrusions targeting servers impacted by the high-severity direct traversal aiohttp Python library vulnerability, tracked as CVE-2024-23334, have been increasingly deployed by suspected ransomware-as-as-service affiliate ShadowSyndicate since the end of February, or a month after fixes for the security issue was addressed.
Attempted scanning of aiohttp instances impacted by the flaw, namely versions 3.9.1 and earlier, has been conducted from five IP addresses, one of which was previously linked to ShadowSyndicate, which had been associated with the ALPHV/BlackCat, Cl0p, Royal, Play, Cactus, Nokoyawa, and Quantum ransomware operations, according to a Cyble report. While the number of vulnerable servers could not be determined, nearly 44,170 aiohttp instances were identified to be accessible via the internet, most of which are in the U.S., Germany, and Spain, researchers added. Numerous internet-exposed aiohttp servers were also discovered in the UK, Italy, France, Russia, and China. Despite the scans, the compromise of aiohttp servers remains uncertain.