EPISODE · Dec 7, 2025 · 4 MIN
Digital Dragon Drops Bombs: React2Shell Explodes, Brickstorm Sneaks In, and AI Becomes the New Attack Surface
from Digital Dragon Watch: Weekly China Cyber Alert · host Inception Point AI
This is your Digital Dragon Watch: Weekly China Cyber Alert podcast. Hey listeners, Ting here with your Digital Dragon Watch, and this week the dragon went full cloud-native. Let’s start with the big one: React2Shell, that shiny new CVE‑2025‑55182 that just detonated across the JavaScript ecosystem. According to Breached Company and Tenable Research, it’s a CVSS 10.0 remote code execution bug in React Server Components that lets an unauthenticated attacker pop your server with a single crafted HTTP request. Within hours of public disclosure on December 3, Amazon Web Services’ threat intel teams and Wiz Research saw China state‑nexus crews like Earth Lamia, Jackpot Panda, and UNC5174, which is linked to China’s Ministry of State Security, aggressively exploiting it in the wild. Breached Company reports more than 77,000 internet‑exposed IPs vulnerable, roughly 23,700 in the United States alone, with over 30 organizations already compromised, AWS credentials stolen, and payloads like Cobalt Strike, Sliver, Snowlight, and Vshell landing for long‑term access and lateral movement. Targets? It’s a buffet: financial services, logistics, retail, universities, cloud‑first SaaS, and government workloads running React on top of AWS and other hyperscalers. GreyNoise has logged well over a hundred distinct IPs hammering the bug with high‑throughput scanning, while AWS honeypots show attackers doing hands‑on keyboard activity, dumping /etc/passwd, probing AWS config files, and debugging their exploit chains live. The US government response has been unusually fast. CISA slammed React2Shell into its Known Exploited Vulnerabilities catalog by December 5 and ordered federal agencies to patch on an emergency timeline. Cloudflare tried to help by rolling out emergency WAF rules, but as Breached Company notes, that move accidentally knocked out roughly 28 percent of Cloudflare’s HTTP traffic, a reminder that when you centralize the internet, even your bandaids can cause bleeding. At the same time, Washington and Ottawa quietly dropped another China‑themed bombshell. In a joint advisory reported by Reuters and the Times of India, CISA, the NSA, and the Canadian Centre for Cyber Security fingered a China‑linked campaign using custom “Brickstorm” malware to burrow into government and IT service networks, especially those running Broadcom’s VMware vSphere. Once inside, operators stole login credentials and sensitive data and maintained persistence from at least April 2024 through early September 2025 in one victim environment. Acting CISA director Madhu Gottumukkala warned that these intrusions are about long‑term access, disruption, and potential sabotage, while VMware’s owner Broadcom urged customers to patch and harden operational security. Beijing’s embassy in Washington, via spokesperson Liu Pengyu, denied everything and complained about what it called groundless accusations and a lack of evidence. So what do the experts say you should do? On React2Shell, move This content was created in partnership and with the help of Artificial Intelligence AI.
What this episode covers
This is your Digital Dragon Watch: Weekly China Cyber Alert podcast. Hey listeners, Ting here with your Digital Dragon Watch, and this week the dragon went full cloud-native. Let’s start with the big one: React2Shell, that shiny new CVE‑2025‑55182 that just detonated across the JavaScript ecosystem. According to Breached Company and Tenable Research, it’s a CVSS 10.0 remote code execution bug in React Server Components that lets an unauthenticated attacker pop your server with a single crafted HTTP request. Within hours of public disclosure on December 3, Amazon Web Services’ threat intel teams and Wiz Research saw China state‑nexus crews like Earth Lamia, Jackpot Panda, and UNC5174, which is linked to China’s Ministry of State Security, aggressively exploiting it in the wild. Breached Company reports more than 77,000 internet‑exposed IPs vulnerable, roughly 23,700 in the United States alone, with over 30 organizations already compromised, AWS credentials stolen, and payloads like Cobalt Strike, Sliver, Snowlight, and Vshell landing for long‑term access and lateral movement. Targets? It’s a buffet: financial services, logistics, retail, universities, cloud‑first SaaS, and government workloads running React on top of AWS and other hyperscalers. GreyNoise has logged well over a hundred distinct IPs hammering the bug with high‑throughput scanning, while AWS honeypots show attackers doing hands‑on keyboard activity, dumping /etc/passwd, probing AWS config files, and debugging their exploit chains live. The US government response has been unusually fast. CISA slammed React2Shell into its Known Exploited Vulnerabilities catalog by December 5 and ordered federal agencies to patch on an emergency timeline. Cloudflare tried to help by rolling out emergency WAF rules, but as Breached Company notes, that move accidentally knocked out roughly 28 percent of Cloudflare’s HTTP traffic, a reminder that when you centralize the internet, even your bandaids can cause bleeding. At the same time, Washington and Ottawa quietly dropped another China‑themed bombshell. In a joint advisory reported by Reuters and the Times of India, CISA, the NSA, and the Canadian Centre for Cyber Security fingered a China‑linked campaign using custom “Brickstorm” malware to burrow into government and IT service networks, especially those running Broadcom’s VMware vSphere. Once inside, operators stole login credentials and sensitive data and maintained persistence from at least April 2024 through early September 2025 in one victim environment. Acting CISA director Madhu Gottumukkala warned that these intrusions are about long‑term access, disruption, and potential sabotage, while VMware’s owner Broadcom urged customers to patch and harden operational security. Beijing’s embassy in Washington, via spokesperson Liu Pengyu, denied everything and complained about what it called groundless accusations and a lack of evidence. So what do the experts say you should do? On React2Shell, move This content was created in partnership and with the help of Artificial Intelligence AI.
NOW PLAYING
Digital Dragon Drops Bombs: React2Shell Explodes, Brickstorm Sneaks In, and AI Becomes the New Attack Surface
No transcript for this episode yet
Similar Episodes
No similar episodes found.
Similar Podcasts
No similar podcasts found.