A cyber threat actor is using the React2Shell vulnerability as the basis for a widespread credential-harvesting campaign that has compromised everything from AI tool API keys to cloud platform passwords.
After identifying internet-facing React Server Components instances that are vulnerable to React2Shell, the attackers exploit the flaw, which requires no authentication, to upload a payload to the server and execute arbitrary code on it, researchers at Cisco's Talos threat intelligence group said in a recent report.
The payload contains a “multi-phase credential harvesting tool that harvests credentials, SSH keys, cloud tokens, and environment secrets at scale,” Cisco researchers wrote.
The entire process after target identification is automated. “No further manual interaction is required to extract and exfiltrate credentials harvested from the system,” Cisco said.
The campaign has compromised at least 766 servers in multiple regions, according to the report. The activity is indiscriminate, Cisco said, with the hackers not focusing on specific countries or industries.
Cisco tracks the threat actor responsible for the campaign as UAT-10608, but it did not provide information about the group.
Gold mine of sensitive data
After the credential-harvesting software collects data, it transmits it to an attacker-controlled server running a web application, NEXUS Listener, that allows for user-friendly browsing of the stolen data. Cisco analyzed the data stored on a NEXUS Listener server that was exposed without any password protection and described it as voluminous and highly sensitive.
The compromised data included API keys for OpenAI, Anthropic and other AI platforms; secret keys for the Stripe payment-processing platform; Amazon Web Services access keys; Microsoft Azure subscription credentials; and GitHub access tokens. Also present were temporary and potentially powerful login credentials for AWS instances, metadata about Docker instances and Kubernetes tokens, according to Cisco.
The hackers also collected SSH private keys, which could let them log in to any other host that trusts those keys, as well as victims' shell history, a record of commands previously run on the machine that could give the attackers valuable information for follow-up reconnaissance, theft or sabotage.
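The list above is also a rotation checklist for anyone who suspects a React2Shell compromise. The following Python script is an added example, not code from the Talos report or from the article's authors: it takes the credential classes the report names and flags them in a constructed snapshot of a host's environment and a few files the harvester would read, so a responder can see what must be rotated. Vendor key prefixes (AKIA/ASIA for AWS long-term and temporary keys, sk-ant- for Anthropic, sk_live_/sk_test_ for Stripe, ghp_/github_pat_ for GitHub) follow documented formats; the length bounds, the variable-name heuristic and every sample value are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Value patterns for the credential classes named in the report. Prefixes follow the
# vendors' documented formats; the length bounds are deliberately loose (assumption).
PATTERNS: Dict[str, re.Pattern] = {
    # AKIA = long-term IAM key, ASIA = temporary STS key (the "temporary credentials").
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[A-Z0-9]{16}\b"),
    "aws_secret_access_key": re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*[A-Za-z0-9/+]{40}"),
    "aws_session_token": re.compile(r"(?i)aws_session_token\s*[=:]\s*[A-Za-z0-9/+=]{20,}"),
    "openai_api_key": re.compile(r"\bsk-(?!ant-)[A-Za-z0-9_-]{20,}\b"),
    "anthropic_api_key": re.compile(r"\bsk-ant-[A-Za-z0-9_-]{20,}\b"),
    "stripe_secret_key": re.compile(r"\b[sr]k_(live|test)_[A-Za-z0-9]{16,}\b"),
    "github_token": re.compile(r"\b(ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}\b|\bgithub_pat_[A-Za-z0-9_]{22,}\b"),
    "ssh_private_key": re.compile(r"-----BEGIN (?:OPENSSH|RSA|EC|DSA) PRIVATE KEY-----"),
    # Kubernetes service-account tokens are JWTs; "eyJ" is base64url for '{"'.
    "jwt_bearer_token": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b"),
}
# Fallback for env vars whose value has no recognisable shape (assumption: name-based).
NAME_HINT = re.compile(r"KEY|SECRET|TOKEN|PASSWORD|PASSWD|CREDENTIAL", re.I)

# Constructed sample input standing in for a compromised host. Values are fake.
SAMPLE_ENV: Dict[str, str] = {
    "OPENAI_API_KEY": "sk-" + "A" * 40,
    "ANTHROPIC_API_KEY": "sk-ant-" + "B" * 40,
    "STRIPE_SECRET_KEY": "sk_live_" + "C" * 24,
    "AWS_ACCESS_KEY_ID": "AKIA" + "D" * 16,
    "AWS_SECRET_ACCESS_KEY": "E" * 40,
    "GITHUB_TOKEN": "ghp_" + "F" * 36,
    "DATABASE_PASSWORD": "correct horse battery staple",
    "PATH": "/usr/bin:/bin",
}
SAMPLE_FILES: Dict[str, str] = {
    "/root/.ssh/id_ed25519": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXkt...\n"
                             "-----END OPENSSH PRIVATE KEY-----\n",
    "/root/.aws/credentials": "[default]\naws_access_key_id = ASIA" + "G" * 16 + "\n"
                              "aws_secret_access_key = " + "H" * 40 + "\n"
                              "aws_session_token = " + "I" * 60 + "\n",
    "/root/.bash_history": "kubectl get secrets -n prod\n"
                           "curl -H 'Authorization: Bearer ghp_" + "J" * 36 + "' https://api.github.com/user\n",
    "/var/run/secrets/kubernetes.io/serviceaccount/token":
        "eyJhbGciOiJSUzI1NiJ9." + "K" * 40 + "." + "L" * 40 + "\n",
}

Finding = Tuple[str, str, str]  # (source, credential class, redacted match)


def redact(value: str) -> str:
    """Keep just enough of the match to identify which credential it is."""
    return value[:6] + "..." + value[-4:] if len(value) > 12 else "***"


def triage(env: Dict[str, str], files: Dict[str, str]) -> List[Finding]:
    """Return every credential the harvester would have found, by source and class."""
    findings: List[Finding] = []
    for name, value in env.items():
        line = f"{name}={value}"  # scan name and value together so key=value patterns apply
        kinds = [kind for kind, pat in PATTERNS.items() if pat.search(line)]
        if not kinds and NAME_HINT.search(name):
            kinds = ["secret_by_variable_name"]
        findings.extend((f"env:{name}", kind, redact(value)) for kind in kinds)
    for path, content in files.items():
        for kind, pat in PATTERNS.items():
            for match in pat.finditer(content):
                findings.append((f"file:{path}", kind, redact(match.group(0))))
    return findings


def rotation_summary(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per credential class: the list of what has to be rotated."""
    summary: Dict[str, int] = {}
    for _, kind, _ in findings:
        summary[kind] = summary.get(kind, 0) + 1
    return dict(sorted(summary.items()))


if __name__ == "__main__":
    results = triage(SAMPLE_ENV, SAMPLE_FILES)
    for source, kind, shown in results:
        print(f"{kind:24} {source:60} {shown}")
    print("rotate:", rotation_summary(results))
```

On a real host the two dictionaries would be filled from os.environ (or /proc/PID/environ of the affected Node process) and from reads of the paths shown; the point of scanning the shell history is that a token pasted into a curl command is just as exposed as one in an env file.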
