
Digital Dragon Watch: Weekly China Cyber Alert

China Cyber Snoops Pounce on React2Shell and BRICKSTORM for Espionage Bonanza

08 Dec 2025

Description

This is your Digital Dragon Watch: Weekly China Cyber Alert podcast.

Listeners, Ting here with your Digital Dragon Watch, and we’re jumping straight into it.

The big China cyber story this week is Amazon’s React2Shell fire drill. Amazon’s CISO C.J. Moses warned that multiple China state‑nexus groups, including Earth Lamia and Jackpot Panda, began exploiting the React2Shell vulnerability, CVE‑2025‑55182, just hours after it went public. Amazon’s MadPot honeypots saw attackers hammering React Server Components in React 19 and Next.js 15 and 16, not with dumb scanners but with live debugging sessions, tweaking payloads and running Linux commands until something stuck. Amazon says most of the suspicious infrastructure traces back to Chinese networks and stresses that its WAF and active defenses help, but they are no substitute for patching.

According to TechRadar Pro and GovInfoSecurity, the same React2Shell flaw is being used by China‑linked actors against finance, logistics, retail, IT, universities, and government networks worldwide, with Shadowserver initially counting over 77,000 exposed servers and tens of thousands still hanging out there. The goal isn’t smash‑and‑grab ransomware; this is persistence and espionage, wedging into web stacks that run core business apps and then living off the land.

In parallel, CISA, NSA, and the Canadian Cyber Centre dropped a joint advisory on the BRICKSTORM backdoor, used by PRC‑sponsored actors to burrow into VMware vSphere control planes. Reporting from ITPro and Security Magazine describes BRICKSTORM as a Go‑based ELF backdoor abusing DNS‑over‑HTTPS, mimicking web servers, and even turning into a SOCKS proxy. One victim saw Chinese operators ride a compromised vCenter server into domain controllers and an ADFS box, exfiltrating cryptographic keys and maintaining access for well over a year.

CrowdStrike’s research on the Warp Panda espionage campaign shows how this plays out at scale: exploiting internet‑facing edge devices, pivoting into vCenter with valid creds or N‑day bugs, spinning up rogue VMs, timestomping logs, and quietly tunneling traffic through ESXi hosts. Targets span North American legal, tech, manufacturing, and even a government entity in Asia‑Pacific.

On the U.S. response side, you see a clear pattern: fast public advisories, plus quiet hardening. CISA and NSA are pushing IOCs and detection rules for BRICKSTORM, urging critical infrastructure, government, and IT providers to hunt for odd VMware behavior, rogue VMs, and anomalous DNS‑over‑HTTPS flows. Amazon is publicly calling out Chinese state‑linked activity on React2Shell and has pushed automated WAF rules and perimeter blocks while telling organizations to patch now, not after the weekend.

Expert recommendations are converging: slam the door on React2Shell by upgrading React and Next.js; lock down edge devices and admin consoles behind VPNs and phishing‑resistant MFA; monitor vCenter and ESXi for strange VMs, new SSH keys, and unusual lateral movement; and treat long‑term persistence as the default, not the exception. In other words, if your web front end or virtualization layer touches anything important, assume the dragon has already rattled the handle.

I’m Ting, thanks for tuning in to Digital Dragon Watch: Weekly China Cyber Alert. Don’t forget to subscribe so you don’t miss the next breach autopsy. This has been a Quiet Please production; for more, check out quiet please dot ai.

For more: http://www.quietplease.ai

This content was created in partnership and with the help of Artificial Intelligence (AI).
