
Digital Dragon Watch: Weekly China Cyber Alert

Digital Dragon Drops Bombs: React2Shell Explodes, Brickstorm Sneaks In, and AI Becomes the New Attack Surface

07 Dec 2025

Description

This is your Digital Dragon Watch: Weekly China Cyber Alert podcast.

Hey listeners, Ting here with your Digital Dragon Watch, and this week the dragon went full cloud-native.

Let’s start with the big one: React2Shell, that shiny new CVE‑2025‑55182 that just detonated across the JavaScript ecosystem. According to Breached Company and Tenable Research, it’s a CVSS 10.0 remote code execution bug in React Server Components that lets an unauthenticated attacker pop your server with a single crafted HTTP request. Within hours of public disclosure on December 3, Amazon Web Services’ threat intel teams and Wiz Research saw China state‑nexus crews like Earth Lamia, Jackpot Panda, and UNC5174, which is linked to China’s Ministry of State Security, aggressively exploiting it in the wild. Breached Company reports more than 77,000 internet‑exposed IPs vulnerable, roughly 23,700 in the United States alone, with over 30 organizations already compromised, AWS credentials stolen, and payloads like Cobalt Strike, Sliver, Snowlight, and Vshell landing for long‑term access and lateral movement.

Targets? It’s a buffet: financial services, logistics, retail, universities, cloud‑first SaaS, and government workloads running React on top of AWS and other hyperscalers. GreyNoise has logged well over a hundred distinct IPs hammering the bug with high‑throughput scanning, while AWS honeypots show attackers doing hands‑on keyboard activity, dumping /etc/passwd, probing AWS config files, and debugging their exploit chains live.

The US government response has been unusually fast. CISA slammed React2Shell into its Known Exploited Vulnerabilities catalog by December 5 and ordered federal agencies to patch on an emergency timeline. Cloudflare tried to help by rolling out emergency WAF rules, but as Breached Company notes, that move accidentally knocked out roughly 28 percent of Cloudflare’s HTTP traffic, a reminder that when you centralize the internet, even your bandaids can cause bleeding.

At the same time, Washington and Ottawa quietly dropped another China‑themed bombshell. In a joint advisory reported by Reuters and the Times of India, CISA, the NSA, and the Canadian Centre for Cyber Security fingered a China‑linked campaign using custom “Brickstorm” malware to burrow into government and IT service networks, especially those running Broadcom’s VMware vSphere. Once inside, operators stole login credentials and sensitive data and maintained persistence from at least April 2024 through early September 2025 in one victim environment. Acting CISA director Madhu Gottumukkala warned that these intrusions are about long‑term access, disruption, and potential sabotage, while VMware’s owner Broadcom urged customers to patch and harden operational security. Beijing’s embassy in Washington, via spokesperson Liu Pengyu, denied everything and complained about what it called groundless accusations and a lack of evidence.

So what do the experts say you should do? On React2Shell, move fast: update all affected React Server Components from npm, audit build pipelines, rotate any exposed cloud credentials, and hunt for Cobalt Strike, Sliver, Snowlight, and Vshell beacons in your logs. On Brickstorm, apply the latest VMware vSphere patches, lock down management interfaces, enforce multi‑factor authentication everywhere, and baseline your authentication patterns to catch abnormal lateral movement. CISA’s broader guidance, echoed by Homeland Security Today and BankInfoSecurity, is to treat AI and large language models in operational tech as new attack surfaces, not magic shields.

I’m Ting, and that’s your Digital Dragon Watch for this week.
Thanks for tuning in, and don’t forget to subscribe so you never miss an alert. This has been a quiet please production, for more check out quiet please dot ai.

For more: http://www.quietplease.ai

This content was created in partnership and with the help of Artificial Intelligence AI
