CyberSecurity news

FlagThis - #cloudflare

Bill Toulas@BleepingComputer //
Cloudflare has released its 2025 Q1 DDoS Threat Report, revealing a staggering increase in Distributed Denial of Service (DDoS) attacks. The report highlights that Cloudflare mitigated 20.5 million DDoS attacks in the first quarter of 2025 alone. This represents a massive 358% year-over-year and 198% quarter-over-quarter increase, nearly matching the total number of attacks recorded throughout all of 2024. The escalating threat landscape underscores the critical need for robust and adaptive cybersecurity measures to protect online infrastructure from malicious actors.

One of the most significant incidents during this period was the mitigation of a record-breaking DDoS attack peaking at 4.8 billion packets per second (Bpps). This hyper-volumetric attack, part of a late-April campaign, presented a substantial technical challenge due to its immense scale and short duration, typically lasting between 35 and 45 seconds. Cloudflare also neutralized a 6.5 terabit-per-second (Tbps) UDP flood. Overall, the company recorded over 700 hyper-volumetric DDoS attacks, each exceeding either 1 Tbps or 1 Bpps, demonstrating the growing sophistication and intensity of these threats.

Network-layer DDoS attacks fueled much of this increase, totaling 16.8 million incidents between January and March 2025. A notable 6.6 million of these attacks targeted Cloudflare's own infrastructure. Attackers are increasingly deploying sophisticated multi-vector campaigns, leveraging tactics such as SYN floods, Mirai-botnet assaults, and SSDP amplification to overwhelm targets from multiple angles. Cloudflare identified two emerging threats: Connectionless Lightweight Directory Access Protocol (CLDAP) attacks, which saw a 3,488% quarter-over-quarter increase, and Encapsulating Security Payload (ESP) attacks, growing by 2,301% in the same period.

Recommended read:
References :
  • cyberpress.org: Cyberpress article on Cloudflare's 2025 DDoS Mitigation
  • The DefendOps Diaries: TheDefendOpsDiaries on Cloudflare's 2025 DDoS Mitigation Achievements
  • BleepingComputer: Internet services giant Cloudflare says it mitigated a record number of DDoS attacks in 2024, recording a massive 358% year-over-year jump and a 198% quarter-over-quarter increase.
  • www.scworld.com: SecurityWorld Article on Cloudflare's 2025 DDoS Mitigation
  • Blog: Cloudflare has reported a significant surge in distributed denial-of-service (DDoS) attacks, marking a new record in 2025.
  • Cyber Security News: Cloudflare mitigated a record 20.5 million DDoS attacks in the first quarter of 2025
  • Anonymous ???????? :af:: In 2025 Q1, Cloudflare blocked +20M attacks (a 358% YoY spike) along with 5.6 Tbps and 4.8 Bpps record-breaking attacks.
  • Cloudflare: DDoS attacks are surging. In 2025 Q1, Cloudflare blocked +20M attacks (a 358% YoY spike) along with 5.6 Tbps and 4.8 Bpps record-breaking attacks. Read more in our latest DDoS Threat Report 👉
  • The Cloudflare Blog: Targeted by 20.5 million DDoS attacks, up 358% year-over-year: Cloudflare’s 2025 Q1 DDoS Threat Report
  • BleepingComputer: Russia-aligned hacktivists persistently target key public and private organizations in the Netherlands with distributed denial of service (DDoS) attacks, causing access problems and service disruptions.
  • The DefendOps Diaries: Pro-Russian hacktivists disrupt Dutch public services with DDoS attacks, highlighting vulnerabilities and resilience in digital infrastructure.
  • www.bleepingcomputer.com: Russia-aligned hacktivists persistently target key public and private organizations in the Netherlands with distributed denial of service (DDoS) attacks, causing access problems and service disruptions.
  • bsky.app: Russia-aligned hacktivists persistently target key public and private organizations in the Netherlands with distributed denial of service (DDoS) attacks, causing access problems and service disruptions.

@aithority.com //
Cloudflare is significantly enhancing its platform for AI agent development, introducing new tools and features aimed at accelerating the creation and deployment of these autonomous systems. The company's Developer Week kicked off with the announcement of several advancements building upon the Agents SDK JavaScript framework released in February. These include industry-first remote Model Context Protocol (MCP) server, generally available access to durable Workflows, and a free tier for Durable Objects. These advancements are designed to drastically reduce the time it takes to build sophisticated AI agents, making the technology more accessible and affordable for developers.

Cloudflare's focus centers around the Model Context Protocol (MCP), an open standard that enables AI agents to directly interact with external services, shifting them from merely providing instructions to actively completing tasks. The newly introduced remote MCP server eliminates the previous limitation of running MCP locally, opening doors for wider adoption. Furthermore, Cloudflare is providing new Agents SDK capabilities to build remote MCP clients, with transport and authentication built-in, to allow AI agents to connect to external services. This also included integrations with Stytch, Auth0, and WorkOS to add authentication and authorization to your remote MCP server

The company's new tools address key challenges in AI agent development by simplifying integrations, managing client lifecycles, and assigning granular permissions. Stytch and Cloudflare have also partnered to secure Remote MCP servers with OAuth. This partnership solves the challenge of robust authorization for AI agents, enabling Remote MCP authorization via OAuth. By addressing these challenges, Cloudflare is positioning itself as a leading platform for building and scaling agentic AI, lowering the barrier to entry for developers and unlocking new possibilities for AI-driven automation.

Recommended read:
References :
  • Cloudflare: Cloudflare delivers toolkit for AI agents with new Agents SDK support for MCP (Model Context Protocol) clients, authentication/authorization/hibernation for MCP servers and Durable Objects free tier.
  • aithority.com: Cloudflare Accelerates AI Agent Development With The Industry’s First Remote MCP Server
  • techstrong.ai: Solo.io Adds MCP Gateway to Open Source API Management Platform
  • blog.cloudflare.com: Cloudflare delivers toolkit for AI agents with new Agents SDK support for MCP (Model Context Protocol) clients, authentication/authorization/hibernation for MCP servers and Durable Objects free tier.
  • The Cloudflare Blog: Piecing together the Agent puzzle: MCP, authentication & authorization, and Durable Objects free tier

Mandvi@Cyber Security News //
Netskope Threat Labs has uncovered a new evasive campaign that uses fake CAPTCHAs and CloudFlare Turnstile to deliver the LegionLoader malware. This sophisticated attack targets individuals searching for PDF documents online, tricking them into downloading malware that installs a malicious browser extension. This extension is designed to steal sensitive user data. The campaign has been active since February 2025 and has impacted over 140 customers.

The attack begins when victims are lured to malicious websites after searching for specific PDF documents. These sites present fake CAPTCHAs. Interacting with the fake CAPTCHA redirects the victim through a Cloudflare Turnstile page to a notification prompt. If the user enables browser notifications, they are directed to download what they believe is their intended document. However, this process executes a command that downloads a malicious MSI installer.

Upon execution, the MSI file installs a program named "Kilo Verfair Tools" which sideloads a malicious DLL, initiating the LegionLoader infection. The LegionLoader payload uses a custom algorithm to deobfuscate shellcode and then injects the payload into an "explorer.exe" process. This ultimately leads to the installation of a malicious browser extension, often masquerading as "Save to Google Drive". This extension steals sensitive information like clipboard data, cookies, and browsing history. The affected sectors include technology and business services, retail, and telecommunications.

Recommended read:
References :
  • Cyber Security News: LegionLoader Delivered Through Fake CAPTCHAs and Abused Cloudflare Turnstile by Threat Actors
  • cybersecuritynews.com: Threat Actors Using Fake CAPTCHAs and CloudFlare Turnstile to Deliver LegionLoader
  • gbhackers.com: Threat Actors Exploit Fake CAPTCHAs and Cloudflare Turnstile to Distribute LegionLoader
  • Virus Bulletin: The Netskope Threat Labs team discovered a campaign abusing fake CAPTCHA & CloudFlare Turnstile to deliver LegionLoader.
  • securityonline.info: New Evasive Campaign Uses Fake CAPTCHAs to Deliver LegionLoader
  • gbhackers.com: Threat Actors Exploit Fake CAPTCHAs and Cloudflare Turnstile to Distribute LegionLoader
  • Threat Labs - Netskope: The Netskope Threat Labs team discovered a campaign abusing fake CAPTCHA & CloudFlare Turnstile to deliver LegionLoader.

@The DefendOps Diaries //
Cloudflare is enhancing API security by closing all HTTP ports on api.cloudflare.com, enforcing HTTPS-only connections. This significant move aims to eliminate vulnerabilities associated with cleartext HTTP traffic, where sensitive information like API tokens could be intercepted by malicious actors or network intermediaries. By mandating HTTPS-only connections, Cloudflare is setting a new standard in cybersecurity practices, protecting against potential data leaks and enhancing the overall security posture.

The decision to block unencrypted traffic to API endpoints is a strategic response to the increasing sophistication of cyber threats. Even with automatic redirection from HTTP to HTTPS, a window of vulnerability exists where sensitive data could be transmitted over unencrypted channels. Cloudflare's proactive approach rejects cleartext connections at the transport layer, safeguarding organizations relying on APIs and reducing the risk of cyber threats. This aligns with Cloudflare's efforts to support AI adoption with a security-first approach, ensuring reliable and safe use of AI technologies.

Recommended read:
References :

Megan Crouse@eWEEK //
References: The Register - Software , eWEEK , OODAloop ...
Cloudflare has launched AI Labyrinth, a new tool designed to combat web scraping bots that steal website content for AI training. Instead of simply blocking these crawlers, AI Labyrinth lures them into a maze of AI-generated content. This approach aims to waste the bots' time and resources, providing a more effective defense than traditional blocking methods which can trigger attackers to adapt their tactics. The AI Labyrinth is available as a free, opt-in tool for all Cloudflare customers, even those on the free tier.

The system works by embedding hidden links within a protected website. When suspicious bot behavior is detected, such as ignoring robots.txt rules, the crawler is redirected to a series of AI-generated pages. This content is "real looking" and based on scientific facts, diverting the bot from the original website's content. Because no human would deliberately explore deep into a maze of AI-generated nonsense, anyone who does can be identified as a bot with high confidence. Cloudflare emphasizes that AI Labyrinth also functions as a honeypot, allowing them to identify new bot patterns and improve their overall bot detection capabilities, all while increasing the cost for unauthorized web scraping.

Recommended read:
References :
  • The Register - Software: Cloudflare builds an AI to lead AI scraper bots into a horrible maze of junk content
  • eWEEK: Crowdflare’s Free AI Labyrinth Distracts Crawlers That Could Steal Website Content to Feed AI
  • The Verge: Cloudflare, one of the biggest network internet infrastructure companies in the world, has announced AI Labyrinth, a new tool to fight web-crawling bots that scrape sites for AI training data without permission. The company says in a blog post that when it detects “inappropriate bot behavior,â€� the free, opt-in tool lures crawlers down a path
  • OODAloop: Trapping misbehaving bots in an AI Labyrinth
  • THE DECODER: Instead of simply blocking unwanted AI crawlers, Cloudflare has introduced a new defense method that lures them into a maze of AI-generated content, designed to waste their time and resources.
  • Digital Information World: Cloudflare’s Latest AI Labyrinth Feature Combats Unauthorized AI Data Scraping By Giving Bots Fake AI Content
  • Ars OpenForum: Cloudflare turns AI against itself with endless maze of irrelevant facts
  • Cyber Security News: Cloudflare Introduces AI Labyrinth to Thwart AI Crawlers and Malicious Bots
  • poliverso.org: Cloudflare’s AI Labyrinth Wants Bad Bots To Get Endlessly Lost
  • aboutdfir.com: Cloudflare builds an AI to lead AI scraper bots into a horrible maze of junk content Cloudflare has created a bot-busting AI to make life hell for AI crawlers.

@www.infosecurity-magazine.com //
References: gbhackers.com , securityonline.info , ...
Attackers are exploiting user familiarity with CAPTCHAs to distribute the Lumma Stealer RAT (Remote Access Trojan) via malicious PowerShell commands, according to recent findings. These campaigns involve tricking users into running PowerShell commands that ultimately install the Lumma Stealer. Attackers direct potential victims to attacker-controlled sites and prompt them to complete fake authentication challenges. These challenges often involve directing potential victims to malicious websites where they are prompted to complete verification steps, but instead of a CAPTCHA, it instructs them to press Windows + R and run a PowerShell command—under the false pretense of running “Windows Defender.”

These attacks leverage weaponized CAPTCHAs, with users being directed to malicious websites where they are prompted to complete verification steps. Upon completing these steps, users inadvertently copy and run PowerShell scripts that download and install malware, such as the Lumma Stealer. This allows the attackers to steal sensitive data like cryptocurrency wallets. The exploitation involves fake Cloudflare verification prompts, which lead users to execute malicious PowerShell commands to install the LummaStealer Trojan through infected WordPress sites, posing a significant threat.

Recommended read:
References :
  • gbhackers.com: Attackers Leverage Weaponized CAPTCHAs to Execute PowerShell and Deploy Malware
  • securityonline.info: Fake Cloudflare Verification Prompts Deliver LummaStealer Trojan Through Infected WordPress Sites
  • www.cisecurity.org: Active Lumma Stealer Campaign Impacting U.S. SLTTs
  • : Attackers Use Fake CAPTCHAs to Deploy Lumma Stealer RAT

John Engates@The Cloudflare Blog //
Cloudflare has announced an expansion of its Zero Trust platform to protect organizations against emerging quantum computing threats. The upgrade focuses on enabling post-quantum cryptography for corporate network traffic, allowing secure routing of communications from web browsers to corporate web applications. This provides immediate, end-to-end quantum-safe connectivity, addressing the increasing vulnerability of conventional cryptography to quantum computer attacks. Cloudflare has been actively developing and implementing post-quantum cryptography since 2017 and are already making post-quantum security free, by default, for all of its customers.

Organizations can tunnel their corporate network traffic through Cloudflare’s Zero Trust platform, thereby shielding sensitive data from potential quantum breaches. Over 35% of non-bot HTTPS traffic that touches Cloudflare is already post-quantum secure, with the expectation that this percentage will grow as more browsers and clients support post-quantum cryptography. The National Institute of Standards and Technology (NIST) is also encouraging this transition, setting a timeline to phase out conventional cryptographic algorithms like RSA and Elliptic Curve Cryptography (ECC) by 2030 and completely disallowing them by 2035.

Cloudflare's CEO Matthew Prince states "Cloudflare has long committed to making post-quantum security the new baseline for Internet security, delivering it to all customers so we can bolster defenses against future quantum threats. Now, we’re offering that protection built directly into our Zero Trust solutions". He continues "We want every Cloudflare customer to have a clear path to quantum safety, and we are already working with some of the most innovative banks, ISPs, and governments around the world as they begin their journeys to quantum security. We will continue to make advanced cryptography accessible to everyone, at no cost, in all of our products.”

Recommended read:
References :
  • The Cloudflare Blog: Conventional cryptography is under threat. Upgrade to post-quantum cryptography with Cloudflare Zero Trust
  • Quartz: Cloudflare is already selling security tools for the quantum computing era
  • Help Net Security: Cloudflare boosts defenses against future quantum threats
  • www.infosecurity-magazine.com: Cloudflare introduces E2E post-quantum cryptography, enhancing security against quantum threats