Hackers are massively stealing credentials through React2Shell

06.04.2026 3 minutes Author: Newsman

Hackers have launched a massive automated credential theft campaign using a critical React2Shell vulnerability in Next.js applications. Hundreds of servers around the world have already been compromised, and the attacks are ongoing.

In just a few months’ time, attackers were able to break into over 700 servers across multiple countries and cloud environments. Their objective is simple yet very damaging: to get as much information as possible out of their targets.

This includes everything from login credentials for databases and AWS accounts to SSH keys, API keys, and environment variables. To accomplish this, the hackers use an application development framework (called NEXUS Listener) combined with automated scripts that “scrape” sensitive information from compromised systems. Cisco Talos researchers attribute this activity to a threat group they track as UAT-10608. The researchers also obtained access to an openly accessible instance of NEXUS Listener, which let them see exactly how it worked and what type of information was being collected.

Among the things that attackers extract:

  • environment variables and secrets (API keys, database access, GitHub/GitLab tokens)

  • private SSH keys

  • cloud credentials (AWS, GCP, Azure, IAM)

  • Kubernetes tokens

  • Docker and container data

  • command history

  • process and runtime information

All this data is transmitted in parts via HTTP requests to the control server (C2), where the NEXUS Listener runs. There, the attacker receives a convenient panel with search, filters, and even statistics on the collected data.

As noted by Cisco Talos, the panel itself shows the number of compromised hosts and the amount of stolen data for each type.

“The automated system was able to compromise 766 hosts in just 24 hours,” the researchers emphasize.

The consequences of such an attack can be very serious. Stolen access allows attackers to gain control over cloud accounts, databases, payment systems, and other services. SSH keys are especially dangerous – they make it easy to move further through the infrastructure.

[Figure: The amount of secrets collected during the campaign]

In addition to the technical risks, there are also legal ones. If personal information is among the stolen data, the company could get into trouble with regulators for violating privacy rules.

To reduce the risks, the researchers advise acting as quickly as possible:

  • install all security updates that close React2Shell

  • check servers for possible leaks

  • change all credentials at the slightest suspicion

  • enable AWS IMDSv2

  • replace reused SSH keys

  • enable secret scanning

  • use WAF or RASP for Next.js

  • restrict access rights for containers and cloud roles
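As an added example for the “enable AWS IMDSv2” step (this is not code from the article or from Cisco Talos), the Python script below reads the JSON that `aws ec2 describe-instances` prints, lists the instances that still answer IMDSv1 requests, and builds the `aws ec2 modify-instance-metadata-options` calls that enforce IMDSv2. The sample JSON and instance ids are constructed placeholders.

```python
"""Audit EC2 instances for IMDSv1 exposure and build the IMDSv2 remediation."""
import json

# Constructed sample of `aws ec2 describe-instances --output json` for three
# instances; the instance ids are placeholders, not hosts from the article.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa000000000001",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 2}},
            {"InstanceId": "i-0aaa000000000002",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 1}},
        ]},
        {"Instances": [
            {"InstanceId": "i-0aaa000000000003",
             "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
        ]},
    ]
})


def find_imdsv1_instances(describe_json: str) -> list[str]:
    """Return ids of instances whose metadata endpoint still serves IMDSv1.

    IMDSv1 is reachable when the endpoint is enabled and session tokens are only
    "optional"; in that state any code running on the host (a compromised Next.js
    process included) can read the instance role credentials without a token.
    Instances whose metadata endpoint is disabled entirely are not flagged.
    """
    exposed = []
    for reservation in json.loads(describe_json)["Reservations"]:
        for inst in reservation["Instances"]:
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "enabled" and opts.get("HttpTokens") != "required":
                exposed.append(inst["InstanceId"])
    return exposed


def remediation_commands(instance_ids: list[str]) -> list[str]:
    """Build one AWS CLI call per exposed instance that requires IMDSv2 tokens
    and keeps the hop limit at 1 so containers cannot relay metadata requests."""
    return [f"aws ec2 modify-instance-metadata-options --instance-id {iid} "
            f"--http-tokens required --http-put-response-hop-limit 1"
            for iid in instance_ids]


if __name__ == "__main__":
    for cmd in remediation_commands(find_imdsv1_instances(SAMPLE_DESCRIBE_INSTANCES)):
        print(cmd)
```

Pipe the real `aws ec2 describe-instances --output json` output into `find_imdsv1_instances` to audit an account, and review the generated commands before running them.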
