Massive Credential Theft Campaign Targets Next.js Applications via React2Shell Vulnerability
A significant automated credential theft operation is currently underway, targeting web applications globally. Cybersecurity experts at Cisco Talos have identified a campaign orchestrated by a hacker group known as UAT-10608, which has successfully compromised over 700 servers. The attackers are exploiting a critical security flaw, dubbed React2Shell, to infiltrate systems and exfiltrate sensitive data.
Understanding the React2Shell Vulnerability
The React2Shell vulnerability, officially designated as CVE-2025-55182, is a severe remote code execution flaw found in React Server Components. This vulnerability allows attackers to send specially crafted web requests to susceptible servers. Due to inadequate validation of incoming data, the server inadvertently executes the attacker’s embedded commands. Notably, this exploit requires no authentication or user interaction, making it particularly dangerous.
Exploitation of Over 700 Next.js Hosts
The UAT-10608 group employs automated tools to scan the internet for vulnerable Next.js servers. Upon identifying a target, they deploy the React2Shell exploit to gain initial access. Subsequently, a malicious script is downloaded onto the compromised server. This script operates stealthily in the background, systematically searching the server’s files, cloud configurations, and system memory to harvest valuable credentials.
The Credential Harvesting Process
The credential theft operation unfolds in multiple stages:
1. Initial Access: The attackers exploit the React2Shell vulnerability to infiltrate the server.
2. Payload Deployment: A malicious script is downloaded and executed on the compromised server.
3. Credential Extraction: The script scans for and extracts sensitive information, including:
– Database Credentials: Access information for databases, allowing attackers to retrieve or manipulate stored data.
– SSH Private Keys: Secure shell keys that can grant unauthorized access to other servers.
– Cloud Service Tokens: Credentials for cloud platforms like AWS, enabling control over cloud resources.
– Payment Processing Keys: Live keys for services like Stripe, potentially allowing unauthorized financial transactions.
– Source Code Repository Tokens: Access tokens for platforms like GitHub, which could be used to alter codebases or inject malicious code.
4. Data Exfiltration: The harvested credentials are transmitted back to the attackers’ command-and-control (C2) server.
The NEXUS Listener Dashboard
To manage the vast amount of stolen information, the attackers utilize a custom web dashboard named NEXUS Listener. Cisco Talos researchers discovered that within a 24-hour period, this dashboard recorded 766 compromised hosts. The dashboard provides a centralized interface for the attackers to monitor and manage their illicit activities.
Impact and Consequences
The scale of this attack is alarming:
– Database Credentials: Over 90% of the compromised hosts had their database credentials stolen. This breach allows attackers to access, modify, or delete sensitive data stored within these databases.
– SSH Private Keys: Nearly 80% of the affected servers had their private SSH keys exfiltrated. With these keys, attackers can gain unauthorized access to other servers within the organization’s network, facilitating lateral movement and further exploitation.
– Cloud Service Tokens: The theft of AWS cloud credentials grants attackers the ability to manipulate cloud resources, potentially leading to data breaches, service disruptions, or financial losses.
– Payment Processing Keys: Compromised Stripe payment keys could be used to conduct unauthorized financial transactions, leading to direct monetary losses and reputational damage.
– Source Code Repository Tokens: Stolen GitHub access tokens may allow attackers to alter codebases, inject malicious code, or disrupt development processes, potentially leading to the distribution of compromised software.
Recommended Mitigation Measures
Organizations utilizing Next.js must take immediate action to safeguard their systems:
1. Patch Vulnerabilities: Promptly update web applications to address the React2Shell vulnerability. Applying the latest security patches is crucial to prevent exploitation.
2. Credential Rotation: Change all passwords, API keys, and security tokens to invalidate any credentials that may have been compromised.
3. Restrict Metadata Access: Limit access to cloud metadata services to prevent unauthorized retrieval of sensitive information.
4. Monitor for Anomalies: Implement continuous monitoring to detect unusual background processes or unauthorized access attempts.
5. Enhance Security Posture: Adopt a comprehensive security strategy that includes regular vulnerability assessments, employee training, and incident response planning.
Conclusion
The exploitation of the React2Shell vulnerability by the UAT-10608 group underscores the critical importance of proactive cybersecurity measures. Organizations must remain vigilant, promptly apply security patches, and implement robust monitoring to detect and respond to threats effectively. By taking these steps, companies can protect their sensitive data and maintain the integrity of their systems in the face of evolving cyber threats.
