React2Shell is the Log4j moment for front end development

What to look for: In an attack tracked by S-RM, immediately after the threat actor gained access to a targeted company's network, they ran a hidden PowerShell command, establishing command and control (C2) by downloading a Cobalt Strike PowerShell stager, a tactic regularly used by red teamers, and installing a beacon to allow them to communicate with their external servers. They then disabled real-time protection in Windows Defender Antivirus.

The ransomware binary was dropped and executed "within less than one minute of initial access," the S-RM researchers report. The attackers modified encrypted files, left recovery notes, created text files that included the target's public IP address, and cleared event logs and backup snapshots.

The researchers noted that they did not observe lateral movement to other systems or attempts to steal data. The compromised server was taken down the day after it was discovered.

S-RM advises enterprises using RSC to verify that it is a fully patched version; however, React has warned that even initially released patches (versions 19.0.2, 19.1.3, and 19.2.2) are vulnerable.

Beyond patching, organizations should perform forensic reviews to check for:

- Unusual outbound connections that could indicate C2 was executed;
- Disabling of antivirus and endpoint protection, or log clearing or tampering;
- Unusual spikes in resource use, which could indicate crypto miners;
- Windows event logs or endpoint detection and response (EDR) telemetry indicating attackers executed files in memory from binaries related to Node or React;
- Indicators of compromise (IOC) detailed in the advisory, both host-based and network-based.
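As an added illustration of the review items above (example code written for this page, not S-RM's or React's tooling), the routine below walks constructed EDR-style records and flags the three host-side signals the article describes: a Node process spawning hidden or encoded PowerShell, Defender real-time protection being turned off, and an event log being cleared. The record layout and the parent-process names are assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class Event:
    """One EDR/Sysmon-style record (assumed, simplified layout)."""
    ts: str
    kind: str           # "process", "defender" or "log"
    parent: str = ""    # parent image for process events
    image: str = ""     # spawned image for process events
    cmdline: str = ""
    detail: str = ""    # free text for defender/log events

# Constructed sample telemetry mirroring the chain in the article.
SAMPLE = [
    Event("12:00:01", "process", parent="node.exe", image="powershell.exe",
          cmdline="powershell -w hidden -nop -enc aGVsbG8="),
    Event("12:00:09", "defender", detail="Real-time monitoring disabled"),
    Event("12:00:40", "process", parent="powershell.exe", image="payload.exe",
          cmdline="payload.exe"),
    Event("12:02:00", "log", detail="Security log cleared"),
    Event("12:05:00", "process", parent="explorer.exe", image="notepad.exe",
          cmdline="notepad.exe"),
]

# Hidden window or encoded command switches (short and long forms).
HIDDEN_PS = re.compile(r"-w(?:indowstyle)?\s+hidden|-enc(?:odedcommand)?\b", re.I)
# Parent images that represent the server-side JavaScript runtime (assumption).
WEB_RUNTIMES = {"node.exe", "node"}

def triage(events):
    """Return (timestamp, reason) findings in telemetry order."""
    findings = []
    for e in events:
        if (e.kind == "process" and e.parent.lower() in WEB_RUNTIMES
                and e.image.lower().startswith("powershell")):
            reason = "web runtime spawned PowerShell"
            if HIDDEN_PS.search(e.cmdline):
                reason += " (hidden/encoded)"
            findings.append((e.ts, reason))
        elif e.kind == "defender" and "disabled" in e.detail.lower():
            findings.append((e.ts, "Defender real-time protection disabled"))
        elif e.kind == "log" and "cleared" in e.detail.lower():
            findings.append((e.ts, "event log cleared"))
    return findings

if __name__ == "__main__":
    for ts, reason in triage(SAMPLE):
        print(ts, reason)
```

The benign notepad record and the child of PowerShell are left unflagged on purpose; the point is the parent/child relationship with the web runtime, which ordinary front-end deployments never produce.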

Front end is no longer low-risk: This vulnerability reveals a fundamental gap in the development environment that has largely been overlooked, experts say.

"There is a dangerous comforting lie we tell ourselves in web development: 'The frontend is safe.' It isn't," notes web engineer Louis Phang. He called this a "logic error in the way modern servers talk to clients" that turns a standard web request into a weapon. It is the result of developers focusing on reliability, scalability, and maintainability, rather than security.

For years, all that happened when a front end developer made a mistake was that a button looked wrong, a layout was broken, or, in a worst-case scenario, Cross-Site Scripting (XSS), which allows attackers to inject malicious scripts into web pages, was possible, Phang said. With React rendering on the server, front end code has privileged access, and vulnerabilities serve as a backdoor into databases, keys, and data.

"React2Shell signifies the end of the front end developer as a low-risk role," Phang contended.

Beauceron's Shipley agreed, noting that the need for server-side heavy lifting changed the risk, but the tech stack didn't respond accordingly.

"First, we had confusion about whether it was severe or not, then some were downplaying how much exploitation would happen, and now we're in a feeding frenzy," he said.

It's concerning how long it's taking to rouse the technology environment to deal with this threat; it could ultimately be a side effect of cuts to security teams and budgets and developer burnout, he noted.

"This is a concerning trend heading into 2026, which will be even more intense for zero days thanks to AI," Shipley predicted.

This article originally appeared on InfoWorld.

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4109221/react2shell-is-the-log4j-moment-for-front-end-development-2.html
