Incident Score: Analysis & Impact (INFREA1769533068)
The details regarding individual company incidents and reports give you a full view from every side.
Rankiteo Score Impact Analysis
Key Highlights From The Incident Analysis
- Timeline of InfraShield's cyber attack and lateral movement inside the company's environment.
- Overview of affected data sets, including SSNs and PHI, and why they materially increase incident severity.
- How Rankiteo’s incident engine converts technical details into a normalized incident score.
- How this cyber incident impacts InfraShield's Rankiteo cyber score and cyber rating.
- Rankiteo’s MITRE ATT&CK correlation analysis for this incident, with associated confidence level.
Full Incident Analysis Transcript
In this Rankiteo incident briefing, we review the InfraShield breach identified under incident ID INFREA1769533068.
The analysis begins with a detailed overview of InfraShield's profile: the LinkedIn page (https://www.linkedin.com/company/infrashield-com), the number of followers (223), the industry type (Computer and Network Security) and the number of employees (21).
After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The score before the incident was 750 and after the incident was 733, a difference of -17, which can be a good indicator of the severity and impact of the incident.
In the next step of the video, we analyze the incident in more detail, along with the impact it had on InfraShield and their customers.
A newly reported cybersecurity incident, "React2Shell Exploits Target Insurance, E-Commerce, and IT Sectors", has drawn attention.
Threat actors are actively exploiting CVE-2025-55182 (React2Shell), a critical vulnerability in React Server Components, to compromise organizations in the insurance, e-commerce, and IT sectors.
The disruption is felt across the environment, affecting servers running vulnerable React Server Components (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack), with potential data exfiltration via DNS tunneling.
In response, remediation began, including patching vulnerable React Server Components to versions 19.0.1, 19.1.2, or 19.2.1 and scanning for post-exploitation activity.
The case underscores the lessons teams are taking away: modern cyber threats adapt rapidly to newly disclosed vulnerabilities, requiring immediate patching and post-exploitation scanning, and restricting experimental React Server Components in production is advised. The recommended next steps are to patch vulnerable React Server Components to versions 19.0.1, 19.1.2, or 19.2.1; rebuild projects after updates and verify lock files to remove vulnerable packages; and scan for post-exploitation activity (e.g., Kaiji botnet, XMRig miners, CrossC2 implants).
Finally, we map the incident to the MITRE ATT&CK framework to identify which tactics and techniques it correlates with.
The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.
MITRE ATT&CK® Correlation Analysis
Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with a confidence level based on the available evidence:
- Initial Access: Exploit Public-Facing Application (T1190), high confidence (90%): attackers exploit React2Shell to execute commands in compromised containers; Exploitation of Remote Services (T1210), moderate to high confidence (80%): insecure deserialization in the Flight protocol enables unauthorized code execution.
- Execution: Command and Scripting Interpreter: Unix Shell (T1059.004), high confidence (90%): bash scripts (e.g., wocaosinm.sh, setup2.sh) download architecture-specific payloads; Exploitation for Client Execution (T1203), moderate to high confidence (80%): the React2Shell vulnerability enables attackers to execute unauthorized code.
- Persistence: Create or Modify System Process: Systemd Service (T1543.002), high confidence (90%): the Kaiji botnet establishes persistence via systemd services; Scheduled Task/Job: Cron (T1053.003), high confidence (90%): the Kaiji botnet uses crontab tasks for persistence; Event Triggered Execution: Unix Shell Configuration Modification (T1546.004), moderate to high confidence (80%): etherRAT modifies .bashrc and .profile for persistence; Boot or Logon Autostart Execution: XDG Autostart Entries (T1547.013), moderate to high confidence (80%): etherRAT uses XDG Autostart for persistence.
- Privilege Escalation: Exploitation for Privilege Escalation (T1068), moderate to high confidence (70%): the React2Shell vulnerability enables unauthorized code execution on servers.
- Defense Evasion: Masquerading: Masquerade Task or Service (T1036.004), moderate to high confidence (80%): CrossC2 payloads disguise themselves as the "Rsyslo AV Agent Service" via systemd; Obfuscated Files or Information (T1027), moderate to high confidence (70%): CrossC2 implants use AES-128-CBC encryption; Hide Artifacts: Hidden Files and Directories (T1564.001), moderate confidence (60%): the XMRig miner uses CPU throttling to evade detection.
- Credential Access: Unsecured Credentials: Private Keys (T1552.004), moderate confidence (50%): potential access to system utilities and credentials via compromised servers.
- Discovery: File and Directory Discovery (T1083), moderate confidence (60%): attackers likely enumerate files for exfiltration or further exploitation.
- Lateral Movement: Exploitation of Remote Services (T1210), moderate to high confidence (70%): React2Shell enables unauthorized code execution on vulnerable servers.
- Collection: Data from Local System (T1005), moderate to high confidence (70%): potential data exfiltration via DNS tunneling (nslookup).
- Command and Control: Application Layer Protocol: DNS (T1071.004), high confidence (90%): attackers use DNS tunneling (nslookup) to encode and transmit stolen data; Ingress Tool Transfer (T1105), moderate to high confidence (80%): bash scripts download architecture-specific payloads (e.g., Kaiji botnet, XMRig); Data Obfuscation: Protocol Impersonation (T1001.003), moderate to high confidence (70%): DNS tunneling is used to exfiltrate data via subdomain queries.
- Exfiltration: Exfiltration Over Alternative Protocol: DNS (T1048.003), high confidence (90%): data exfiltration via DNS tunneling (nslookup).
- Impact: Resource Hijacking (T1496), high confidence (90%): the XMRig cryptocurrency miner (version 6.24.0) is deployed for financial gain; Network Denial of Service (T1498), high confidence (90%): the Kaiji botnet conducts DDoS attacks; Endpoint Denial of Service: Application or System Exploitation (T1499.004), moderate to high confidence (70%): system resource consumption due to cryptocurrency mining.
These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.
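Several of the techniques above (T1071.004, T1001.003, T1048.003) describe the same observable: stolen data encoded into the subdomain labels of many distinct DNS queries to one base domain. The script below is an added detection example, not Rankiteo's tooling or anything from the incident source; it profiles resolver query logs per base domain and flags domains that receive many unique, long, high-entropy subdomains. The log line shape (`<client_ip> <query_name>`), the sample queries and the thresholds are constructed assumptions to tune against your own baseline, and the "base domain is the last two labels" rule is a simplification of what a public-suffix list would give.

```python
"""Heuristic detection of DNS-tunnelling style exfiltration in resolver query logs.

Added defensive example (not Rankiteo's or the incident source's code). It looks for
the pattern the incident describes: many unique, long, high-entropy subdomain labels
sent to one base domain. Thresholds are assumptions; tune them against your baseline.
"""
import math
from collections import defaultdict

# Constructed resolver log lines in the assumed shape "<client_ip> <query_name>";
# these are not real observations from the incident.
SAMPLE_QUERIES = [
    "10.0.0.5 www.example.com",
    "10.0.0.5 api.example.com",
    "10.0.0.5 mail.example.com.",
    "10.0.0.7 k4q9z2mv7xp3bn8r1tw6cy5hj0dlg4sf.exfil-test.example",
    "10.0.0.7 a8e1u5o3i9y2t7r4w6q0pzsxdcfvgbhn.exfil-test.example",
    "10.0.0.7 m2n6b9v3c7x1z5lkjhgfdsapoiuytrew.exfil-test.example",
    "10.0.0.7 0q1w2e3r4t5y6u7i8o9pasdfghjklzxc.exfil-test.example",
    "malformed line without a query",
]


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text`; 0.0 for the empty string."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_query(qname: str):
    """Return (subdomain, base_domain) for a query name, or None if it has fewer than two labels.

    base_domain is taken as the last two labels (an assumption; real deployments
    should use a public-suffix list). Trailing dots and case are normalised.
    """
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2 or any(not lbl for lbl in labels):
        return None
    base = ".".join(labels[-2:])
    sub = ".".join(labels[:-2])
    return sub, base


def detect_dns_tunneling(lines, min_unique=3, min_mean_len=24, min_entropy=3.0):
    """Group queries by base domain and flag those matching the tunnelling profile.

    A base domain is flagged when it has at least `min_unique` distinct subdomains,
    their mean length is at least `min_mean_len`, and the entropy of all subdomain
    characters is at least `min_entropy` bits. Malformed lines are skipped.
    Returns {base_domain: {"unique", "mean_len", "entropy", "flagged"}}.
    """
    subs_by_base = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 2:
            continue  # not in the assumed "<client_ip> <query_name>" shape
        split = split_query(parts[1])
        if split is None:
            continue
        sub, base = split
        if sub:  # bare base-domain lookups carry no encoded label
            subs_by_base[base].add(sub)

    report = {}
    for base, subs in subs_by_base.items():
        unique = len(subs)
        mean_len = sum(len(s) for s in subs) / unique
        entropy = shannon_entropy("".join(subs))
        report[base] = {
            "unique": unique,
            "mean_len": round(mean_len, 2),
            "entropy": round(entropy, 2),
            "flagged": unique >= min_unique
            and mean_len >= min_mean_len
            and entropy >= min_entropy,
        }
    return report


if __name__ == "__main__":
    for base, stats in detect_dns_tunneling(SAMPLE_QUERIES).items():
        print(base, stats)
```

Run against the constructed sample, `example.com` stays unflagged (three short, ordinary hostnames) while `exfil-test.example` is flagged on all three criteria. Entropy alone is a weak signal (CDN and cloud hostnames are also random-looking), which is why the rule requires volume and length as well; in production, feed it a sliding window of queries per source host and alert on the first window that crosses the thresholds.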
Sources & References
- InfraShield Rankiteo Cyber Incident Details: https://www.rankiteo.com/company/infrashield-com/incident/INFREA1769533068
- InfraShield CyberSecurity Rating page: https://www.rankiteo.com/company/infrashield-com
- InfraShield Rankiteo Cyber Incident Blog Article: https://blog.rankiteo.com/infrea1769533068-unnamed-it-sector-organizations-react-server-components-cyber-attack-june-2025/
- InfraShield CyberSecurity Score History: https://www.rankiteo.com/company/infrashield-com/history
- InfraShield CyberSecurity Incident Source: https://cybersecuritynews.com/attackers-exploiting-react2shell-vulnerability/
- Rankiteo A.I CyberSecurity Rating methodology: https://www.rankiteo.com/Images/rankiteo_algo.pdf
- Rankiteo TPRM Scoring methodology: https://static.rankiteo.com/model/rankiteo_tprm_methodology.pdf