
Threat actors exploiting the React2Shell vulnerability in components of React servers are using their access to compromise web domains and divert web traffic for malicious purposes.
That’s the conclusion of researchers at Datadog Security Labs, who said in a blog post Wednesday that the primary targets are sites running the NGINX open-source web server managed with Baota Panel. These include Asian organizations with top-level domains ending in .in, .id, .pe, .bd, .edu, .gov, and .th, as well as Chinese hosting infrastructure.
The danger, said blog author Ryan Simon, a senior security researcher at Datadog Security Labs, is that a hacker can use a compromised site to do a number of nasty things such as fingerprint an organization’s web traffic, insert malware onto users’ computers, or divert traffic to a threat actor-controlled landing page that tries to trick users into giving up login credentials.
