React2Shell is the Log4j moment for front end development

  • Unusual outbound connections that could indicate C2 was executed;
  • Disabling of antivirus and endpoint protection, or log clearing or tampering;
  • Unusual spikes in resource use, which could indicate crypto miners;
  • Windows event logs or endpoint detection and response (EDR) telemetry indicating attackers executed files in memory from binaries related to Node or React;
  • Indicators of compromise (IOC) detailed in the advisory, both host-based and network-based.
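
As an added illustration (not code from the advisory or from the article), the sketch below triages endpoint telemetry for two of the signals listed above: a Node runtime launching a shell or download tool, and a Node process connecting to a destination outside an allowlist. The event field names, the sample events, the process-name sets and the 10.0.0.0/8 internal range are all assumptions constructed for the example.

```python
import ipaddress

# Constructed sample telemetry; the field names are assumptions, not an EDR schema.
EVENTS = [
    {"type": "process", "host": "web-01", "parent": "node", "image": "/bin/sh", "cmdline": "sh -c id"},
    {"type": "process", "host": "web-01", "parent": "node", "image": "/usr/bin/node", "cmdline": "node server.js"},
    {"type": "network", "host": "web-01", "image": "node", "dst_ip": "10.0.4.12", "dst_port": 5432},
    {"type": "network", "host": "web-01", "image": "node", "dst_ip": "203.0.113.50", "dst_port": 4444},
    {"type": "process", "host": "web-02", "parent": "systemd", "image": "/usr/bin/curl", "cmdline": "curl https://example.com/health"},
]

NODE_NAMES = {"node", "node.exe", "nodejs"}
# Children a web-rendering Node process rarely needs to start (assumed list).
SUSPECT_CHILDREN = {"sh", "bash", "cmd.exe", "powershell.exe", "curl", "wget"}
# Assumed internal range the application is expected to talk to.
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def basename(path):
    """Lower-cased file name from a Unix or Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage(events, allowed_nets=ALLOWED_NETS):
    """Return (host, rule, detail) tuples for events worth an analyst's review."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            parent_is_node = basename(ev["parent"]) in NODE_NAMES
            if parent_is_node and basename(ev["image"]) in SUSPECT_CHILDREN:
                findings.append((ev["host"], "node-spawned-shell", ev["cmdline"]))
        elif ev["type"] == "network" and basename(ev["image"]) in NODE_NAMES:
            dst = ipaddress.ip_address(ev["dst_ip"])
            if not any(dst in net for net in allowed_nets):
                detail = f"{ev['dst_ip']}:{ev['dst_port']}"
                findings.append((ev["host"], "node-unexpected-egress", detail))
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

Hits from rules like these are leads for review rather than confirmation of compromise; the allowlist and child-process set need tuning to each application's normal behavior.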

Front end is no longer low-risk

This vulnerability reveals a fundamental gap in the development environment that has largely been overlooked, experts say.

“There is a dangerous comforting lie we tell ourselves in web development: ‘The frontend is safe.’ It isn’t,” notes web engineer Louis Phang. He called this a “logic error in the way modern servers talk to clients” that turns a standard web request into a weapon. It is the result of developers focusing on reliability, scalability, and maintainability, rather than security.

For years, all that happened when a front end developer made a mistake was that a button looked wrong, a layout was broken, or, in a worst-case scenario, Cross-Site Scripting (XSS), which allows attackers to inject malicious scripts into web pages, was possible, Phang said. With React rendering on the server, front end code has privileged access, and vulnerabilities serve as a backdoor into databases, keys, and data.
