CCTR.6.FEB.26

Datadog Security Research has identified a campaign linked to recent React2Shell exploitation where threat actors deploy malicious NGINX configurations to hijack web traffic.

The malicious NGINX config transparently intercepts legitimate user traffic and proxies it through attacker-controlled backend servers, enabling credential harvesting, session hijacking, content manipulation and follow-on exploitation.

• Audit NGINX configurations for unauthorised proxy_pass, rewrite and upstream directives.

• Hunt for unexpected outbound connections from web servers to unknown systems.

https://securitylabs.datadoghq.com/articles/web-traffic-hijacking-nginx-configuration-malicious/

Noma Labs disclosed DockerDash, a critical flaw in Docker’s Ask Gordon AI (beta). A single malicious metadata label embedded in a Docker image can trigger exploitation across the full AI execution chain.

This is not a traditional container bug. The new AI driven attack surface where contextual trust across AI agents, gateways and tools can be weaponised to bypass security boundaries.

• Reassess AI assistants in CI/CD pipelines as part of your threat model and risk register.

https://noma.security/blog/dockerdash-two-attack-paths-one-ai-supply-chain-crisis/

Huntress observed attackers deploying an EDR killer that abuses a legitimate EnCase forensic driver to terminate security processes from kernel mode, a technique known as Bring Your Own Vulnerable Driver (BYOVD). Although the EnCase driver’s certificate expired in 2010 and was later revoked, Windows still permits the driver to load?

A revoked certificate in Windows is like, “Yeah nah, you’ll be right.”

• Enable HVCI / Memory Integrity to enforce Microsoft’s Vulnerable Driver Blocklist.

• Deploy Microsoft-recommended vulnerable driver block rules using WDAC.

https://www.huntress.com/blog/encase-byovd-edr-killer

Microsoft recommended driver block rules - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules

VulnCheck observed active exploitation of CVE-2025-11953 (Metro4Shell) in December 2025 targeting a publicly exposed Metro development server, with continued exploitation using the same payloads in January 2026.

The issue is due to Metro’s default behaviour of binding to external interfaces, allowing development infrastructure to be abused when exposed to the internet.

Development infrastructure becomes production infrastructure the moment it is reachable from the internet. Attackers do not distinguish between “dev” and “prod”.

• Incorporate development infrastructure into routine attack surface monitoring and threat hunting

https://www.vulncheck.com/blog/metro4shell_eitw