






















An article from
Dive Brief
The stolen information could help intruders plan follow-up attacks and breach more organizations, Cisco researchers said.
A cyber threat actor is using the React2Shell vulnerability as the basis for a widespread credential-harvesting campaign that has compromised everything from AI tool API keys to cloud platform passwords.
After identifying internet-facing React Server Components instances that are vulnerable to React2Shell, the hackers upload a malicious payload to the server — without the need for authentication — that lets them execute arbitrary code on the target server, researchers at Cisco’s Talos threat intelligence group said in a recent report.
The payload contains a “multi-phase credential harvesting tool that harvests credentials, SSH keys, cloud tokens, and environment secrets at scale,” Cisco researchers wrote.
The entire process after target identification is automated. “No further manual interaction is required to extract and exfiltrate credentials harvested from the system,” Cisco said.
The campaign has compromised at least 766 servers in multiple regions, according to the report. The activity is indiscriminate, Cisco said, with the hackers not focusing on specific countries or industries.
Cisco tracks the threat actor responsible for the campaign as UAT-10608, but it did not provide information about the group.
After the credential-harvesting software collects data, it transmits it to a hacker-controlled server running a web application, NEXUS Listener, that allows for user-friendly browsing of the stolen data. Cisco analyzed the data stored on a NEXUS Listener server without a password and described it as voluminous and highly sensitive.
The compromised data included API keys for OpenAI, Anthropic and other AI platforms; secret keys for the Stripe payment-processing platform; Amazon Web Services access keys; Microsoft Azure subscription credentials; and GitHub access tokens. Also present were temporary and potentially powerful login credentials for AWS instances, metadata about Docker instances and Kubernetes tokens, according to Cisco.
The hackers also collected SSH private keys. These could let them move laterally on servers that trust the keys, as well as access readouts of victim machines’ command prompt activity, which could give the hackers valuable information for follow-up reconnaissance, theft or sabotage.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。