Hackers Exploit Vulnerability in Automated Credential Theft Campaigns
Attackers Exploit React2Shell to Steal Credentials on Scale
Attackers are running an automated campaign that exploits the React2Shell vulnerability (CVE-2025-55182) to harvest sensitive credentials from vulnerable web applications at scale.
The Malicious Campaign
- The campaign has already compromised at least 766 hosts across multiple cloud providers and geographic regions.
- Harvested data includes database and AWS credentials, SSH private keys, API keys, cloud tokens and environment secrets.
The Attack Process
The threat actors use a custom-built framework called NEXUS Listener, which automates the extraction and exfiltration of sensitive data from compromised systems.
On each compromised host the attackers deploy a script that runs a multi-stage credential-harvesting process:
- Collecting environment variables and secrets
- Extracting SSH keys
- Gathering cloud credentials
- Obtaining Kubernetes tokens
- Retrieving Docker/container information
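The stages above map onto a small set of well-known locations on a host. The following added example (written for this article, not the attackers' script or any code from the NEXUS Listener framework) is a defender-side exposure audit: it runs as the web-application user and reports which of those secret classes that user could read if its process were hijacked. The environment-variable name pattern and the on-disk paths (`~/.ssh/id_*`, `~/.aws/credentials`, the Kubernetes service-account token, the Docker socket) are conventional locations chosen here as assumptions; the article does not list the campaign's exact targets. The sample host it audits is a constructed temporary directory tree.

```python
"""Exposure audit for the secret classes a credential harvester targets.

Added example, not code from the article or from the attackers' tooling.
It answers: if the app process were compromised, which secrets could it
read right now? Paths and the env-name pattern are assumed conventions.
"""
import os
import re
import stat
import tempfile
from pathlib import Path

# Env-var names that usually carry secrets (assumed pattern, extend as needed).
SECRET_ENV_RE = re.compile(
    r"(SECRET|TOKEN|PASSWORD|PASSWD|API_KEY|ACCESS_KEY|PRIVATE_KEY|DATABASE_URL)",
    re.IGNORECASE,
)


def candidate_paths(root: Path, home: Path) -> dict:
    """Conventional secret locations, rooted under `root` / `home` (assumption)."""
    ssh_dir = home / ".ssh"
    return {
        # id_* without .pub are private keys; glob on a missing dir yields nothing.
        "ssh_private_key": [p for p in ssh_dir.glob("id_*") if not p.name.endswith(".pub")],
        "aws_credentials": [home / ".aws" / "credentials"],
        "k8s_sa_token": [root / "var/run/secrets/kubernetes.io/serviceaccount/token"],
        "docker_socket": [root / "var/run/docker.sock"],
    }


def readable(p: Path) -> bool:
    """True if the current process could open `p` for reading."""
    return p.exists() and os.access(p, os.R_OK)


def audit(env: dict, root: Path, home: Path) -> dict:
    """Return what the current user could harvest, grouped by secret class."""
    findings = {"env": sorted(k for k in env if SECRET_ENV_RE.search(k))}
    candidates = candidate_paths(root, home)
    for kind, paths in candidates.items():
        findings[kind] = [str(p) for p in paths if readable(p)]
    # Worst case: secret files readable by every local user, not just the app user.
    findings["world_readable"] = sorted(
        str(p)
        for paths in candidates.values()
        for p in paths
        if p.is_file() and p.stat().st_mode & stat.S_IROTH
    )
    return findings


def build_fixture() -> tuple:
    """Constructed sample host: a temp dir stands in for / and $HOME."""
    root = Path(tempfile.mkdtemp())
    home = root / "home" / "app"
    files = {
        home / ".ssh" / "id_ed25519": "-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n",
        home / ".ssh" / "id_ed25519.pub": "ssh-ed25519 AAAA constructed\n",
        home / ".aws" / "credentials": "[default]\naws_access_key_id = AKIAEXAMPLE\n",
        root / "var/run/secrets/kubernetes.io/serviceaccount/token": "eyJ.constructed\n",
        root / "var/run/docker.sock": "",  # regular file standing in for the socket
    }
    for p, content in files.items():
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    (home / ".ssh" / "id_ed25519").chmod(0o600)
    (home / ".aws" / "credentials").chmod(0o644)  # deliberately too permissive
    (root / "var/run/secrets/kubernetes.io/serviceaccount/token").chmod(0o600)
    (root / "var/run/docker.sock").chmod(0o660)
    env = {  # constructed process environment
        "PATH": "/usr/bin",
        "DATABASE_URL": "postgres://app:constructed@db/app",
        "AWS_SECRET_ACCESS_KEY": "constructed",
        "JWT_SECRET": "constructed",
        "NEXT_PUBLIC_API": "https://example.invalid",
    }
    return env, root, home


if __name__ == "__main__":
    env, root, home = build_fixture()
    for kind, hits in audit(env, root, home).items():
        print(f"{kind}: {hits}")
```

Run it against a real host by passing `dict(os.environ)`, `Path("/")` and `Path.home()` instead of the fixture. Every non-empty list is a secret that a React2Shell-style compromise of the app process would hand over immediately; the `world_readable` list is the first thing to fix, and long-lived static credentials (AWS keys in a file, unexpiring SSH keys) are better replaced with short-lived, workload-bound credentials so that what a harvester collects is worthless within minutes.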
The Impact of the Compromise
The stolen credentials pose significant risks, enabling attackers to:
