Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label CloudFlare. Show all posts
takedown
CloudFlare Cybersecurity DOJ Europol FBI Infostealer Lumma malware Microsoft takedown

Global Operation Dismantles Lumma Malware Network, Seizes 2,300 Domains and Infrastructure

 

In a sweeping international crackdown earlier this month, a collaborative operation involving major tech firms and law enforcement agencies significantly disrupted the Lumma malware-as-a-service (MaaS) operation. This effort resulted in the seizure of thousands of domains and dismantling of key components of Lumma's infrastructure across the globe.

A major milestone in the operation occurred on May 13, 2025, when Microsoft, through legal action, successfully took control of around 2,300 domains associated with the malware. Simultaneously, the U.S. Department of Justice (DOJ) dismantled online marketplaces used by cybercriminals to rent Lumma’s services, while Europol’s European Cybercrime Center (EC3) and Japan’s Cybercrime Control Center (JC3) helped take down Lumma’s infrastructure in their respective regions.

"Between March 16, 2025, and May 16, 2025, Microsoft identified over 394,000 Windows computers globally infected by the Lumma malware. Working with law enforcement and industry partners, we have severed communications between the malicious tool and victims," said Steven Masada, Assistant General Counsel of Microsoft's Digital Crimes Unit.

Cloudflare, one of the key players in the effort, highlighted the impact of the takedown.

“The Lumma Stealer disruption effort denies the Lumma operators access to their control panel, marketplace of stolen data, and the Internet infrastructure used to facilitate the collection and management of that data. These actions impose operational and financial costs on both the Lumma operators and their customers, forcing them to rebuild their services on alternative infrastructure,” Cloudflare stated.

The operation saw contributions from companies like ESET, CleanDNS, Bitsight, Lumen, GMO Registry, and law firm Orrick. According to Cloudflare, the Lumma malware misused their platform to mask server IP addresses that were used to siphon off stolen credentials and sensitive data.

Even after suspending malicious domains, the malware managed to bypass Cloudflare’s interstitial warning page, prompting the company to reinforce its security measures.

"Cloudflare's Trust and Safety team repeatedly flagged domains used by the criminals and suspended their accounts," the company explained.

“In February 2025, Lumma’s malware was observed bypassing Cloudflare’s interstitial warning page, which is one countermeasure that Cloudflare employs to disrupt malicious actors. In response, Cloudflare added the Turnstile service to the interstitial warning page, so the malware could not bypass it." 

Also known as LummaC2, Lumma is a sophisticated information-stealing malware offered as a subscription-based service, ranging from $250 to $1,000. It targets both Windows and macOS systems, enabling cybercriminals to exfiltrate data from browsers and apps.

Once installed, Lumma can extract a broad range of data, including login credentials, credit card numbers, cryptocurrency wallets, cookies, and browsing history from popular browsers like Google Chrome, Microsoft Edge, Mozilla Firefox, and other Chromium-based platforms. The stolen data is packaged and sent to attacker-controlled servers, where it is either sold on dark web marketplaces or used in follow-up cyberattacks.

Initially spotted in December 2022 on cybercrime forums, the malware quickly gained traction. Cybersecurity firm KELA reported its rapid rise in popularity among cybercriminals.

IBM X-Force’s 2025 threat intelligence report revealed a 12% year-on-year increase in the number of stolen credentials being sold online, largely driven by the use of infostealers like Lumma. Phishing campaigns delivering such malware have surged by 84%, making Lumma the most dominant player in this threat landscape.

Lumma has been linked to major malvertising campaigns affecting hundreds of thousands of users and has been used by notorious groups such as the Scattered Spider cybercrime collective.

Recently, stolen data linked to Lumma has played a role in high-profile breaches at companies like PowerSchool, HotTopic, CircleCI, and Snowflake. In some cases, infostealer malware has been used to manipulate internet infrastructure, such as the Orange Spain RIPE account hijacking incident that disrupted BGP and RPKI configurations.

On the day of the crackdown, the FBI and CISA jointly issued a security advisory outlining indicators of compromise (IOCs) and detailing the tactics, techniques, and procedures (TTPs) employed by threat actors using Lumma malware.


Read more »
URL
CloudFlare Cyber Attacks CyberCrime CyberThreat Phishing URL R2 URL

Phishing URL Blocking Failure Leads to Cloudflare Service Disruptions

 


Yesterday, Cloudflare attempted to block an unintentional phishing URL within its R2 object storage platform, causing an outage that affected multiple services for nearly an hour. The outage was caused by an attempt to prevent spammers from accessing the URL. Its scalable and cost-efficient object storage service is comparable to Amazon's S3 and offers seamless integration into Cloudflare's ecosystem. 

As an S3-compatible storage service, the platform enables users to store their data across multiple locations, ensures data availability and reliability, and offers cost-free data retrievals, ensuring users can access their data without worries. A Cloudflare employee responded to an abuse report regarding a phishing URL hosted on its R2 platform, which caused the outage which occurred during the blackout. 

Inadvertently, the employee disabled the entire R2 Gateway service instead of restricting access to the specific endpoint, resulting in a significant service disruption. To prevent phishing URLs on the R2 platform, it accidentally resulted in a widespread outage of several Cloudflare services for almost an hour due to an attempt to block a phishing URL on the platform. 

Object storage solution Cloudflare R2 is no-egress-fee and has the same functionality as Amazon S3 and enables free data retrieval as well as S3 compatibility, replication, and seamless integration with other Cloudflare services to ensure efficiency and scalability in the storage of objects. In the incident which occurred late last week, Cloudflare employees responded to a complaint regarding a phishing URL hosted on the R2 platform.

However, the mitigation attempt resulted in an unintended disruption of service availability, which negatively impacted the operations of the platform. In the primary incident window of Cloudflare R2, all users were experiencing 100% failure rates when accessing their buckets and objects within the platform. Specifically, services that relied on R2 were experiencing higher error rates and operational failures as a result of their particular usage of the platform, as explained in the table below. 

Cloudflare R2 Object Storage and several related services were affected by an incident which took place from 08:10 to 09:09 UTC and lasted for 59 minutes. As a result of the impacted service failures, Stream experienced an entirely complete failure in video uploads and streaming, whereas Images experienced a 100% failure rate in uploads and downloads of images. During the week, Cache Reserve was completely down, raising origin requests to an all-time high. 

It has been observed that Vectorize experienced 75% failure rates for queries and failed to accomplish inserts, upserts, and deletes. It also experienced a 100% failure rate for insert, upsert, and delete operations. Log Delivery suffered delays and data loss, with up to 13.6% of all logs for R2-related jobs and up to 4.5% for non-R2 delivery jobs. Furthermore, the Key Transparency Auditor's signature publishing and reading operations were completely inoperable. Several other services were indirectly affected, experiencing partial disruptions, but they were not directly impacted. 

The error rates at Durable Objects increased by 0.9% following a service restoration due to reconnections, whereas Cache Purge experienced 1.8% more HTTP 5xx errors, as well as a tenfold increase in latency, as well as Workers & Pages experiencing a deployment failure rate of 0.002%, which was specifically affecting R2 projects only. As a consequence of the outage, all operations involving the R2 platform failed between 08:14 UTC and 09:13 UTC, meaning that 100% of operations involving R2 encountered errors. 

Services reliant on the R2 platform also saw an increase in the failure rate for operations that depend on it. During the period between 09:13 and 09:36 UTC, when R2 systems had recovered, and client connections had been restored, a backlog of requests caused a temporary increase in the operational load on the metadata layer of R2 based on Durable Objects. In North America, it was observed that there was only a 0.09% increase in error rates observed during this period, indicating that the impact was less severe. 

According to CloudFlare, the incident was primarily caused by human error and the absence of critical safeguards, such as validation checks for high-impact actions. The company has taken immediate corrective measures in response to the issue. These include removing the capability of disabling systems from the abuse review interface and limiting access to the Admin API so that internal accounts can no longer shut down services. 

Cloudflare's provisioning processes will be improved to reduce the risk of recurrence in the future, and stricter access controls will be enforced further to mitigate the risk of repeat incidents in the future. Additionally, two-party approval systems will be implemented for high-risk actions to further mitigate risk. The measures are intended to ensure the integrity of the system and prevent unintended interruptions of service as a result of these actions.
Read more »
RATs
CloudFlare Cyber Attacks LNKs Malware Attack Malware Campaign Malware Trojan RATs

Abuse of Cloudflare Tunnel Service for Malware Campaigns Delivering RATs

 

Researchers have raised alarms over cybercriminals increasingly exploiting the Cloudflare Tunnel service in malware campaigns that predominantly distribute remote access trojans (RATs). This malicious activity, first detected in February, utilizes the TryCloudflare free service to disseminate multiple RATs, including AsyncRAT, GuLoader, VenomRAT, Remcos RAT, and Xworm. Cloudflare Tunnel service allows users to proxy traffic through an encrypted tunnel to access local services and servers over the internet without exposing IP addresses. 

This service is designed to offer added security and convenience by eliminating the need to open public inbound ports or set up VPN connections. With TryCloudflare, users can create temporary tunnels to local servers and test the service without requiring a Cloudflare account. However, threat actors have abused this feature to gain remote access to compromised systems while evading detection. A recent report from cybersecurity company Proofpoint observed that malware campaigns are targeting organizations in the law, finance, manufacturing, and technology sectors with malicious .LNK files hosted on the legitimate TryCloudflare domain. The attackers lure targets with tax-themed emails containing URLs or attachments leading to the LNK payload. 

Once launched, the payload runs BAT or CMD scripts that deploy PowerShell, culminating in the download of Python installers for the final payload. Proofpoint reported that an email distribution wave starting on July 11 sent out over 1,500 malicious messages, a significant increase from an earlier wave on May 28, which contained fewer than 50 messages. Hosting LNK files on Cloudflare offers several advantages to cybercriminals, including making the traffic appear legitimate due to Cloudflare’s reputation. 

Additionally, the TryCloudflare Tunnel feature provides anonymity, and the temporary nature of the subdomains makes it challenging for defenders to block them effectively. The use of Cloudflare’s service is not only free and reliable but also allows cybercriminals to avoid the costs associated with setting up their own infrastructure. 

By employing automation to evade blocks from Cloudflare, these criminals can use the tunnels for large-scale operations. A Cloudflare representative stated that the company immediately disables and takes down malicious tunnels as they are discovered or reported by third parties. Cloudflare has also implemented machine learning detections to better contain malicious activity and encourages security vendors to submit suspicious URLs for prompt action. 

In light of this increasing threat, it is crucial for organizations to remain vigilant and enhance their cybersecurity measures to defend against these sophisticated malware campaigns.
Read more »
Vulnerabilities and Exploits
Clock PoC CloudFlare CVE Cyberattacks CyberCrime Cybersecurity CyberThreat Vulnerabilities and Exploits

Breaking Down the Clock PoC Exploits Utilized by Hackers Within 22 Minutes

 


It has been shown that threat actors are swift in weaponizing available proof-of-concept (PoC) exploits in real attacks, often within 22 minutes of publicly releasing these exploits. In that regard, Cloudflare has published its annual Application Security report for 2024, which covers the period between May 2023 and March 2024 and identifies emerging threat trends. It has been observed that Cloudflare, which currently processes an average of 57 million requests per second of HTTP traffic, continues to experience an increase in scanning for CVEs, followed by command injection attacks and attempts to weaponize available proofs-of-concept. 

Attackers may exploit a new vulnerability in as little as 22 minutes after the release of a proof-of-concept (PoC), depending on the vulnerability. It has been found that between May 2023 and May 2024, Cloudflare will receive 37,000 threats, which is the most significant number since May 2023. According to Cloudflare's Application Security Report for 2024, hackers are becoming more sophisticated in their search for previously unknown software vulnerabilities, also known as CVEs. They take immediate action when they find them, identifying how to exploit them and attempting to inject commands into them to execute attacks as soon as possible. 

Several CVE vulnerabilities have recently been revealed as vulnerabilities, but hackers have already been able to exploit them within 22 minutes of their disclosure. It was reported in the open-source community that CVE-2024-27198, a vulnerability in JetBrains TeamCity, was exploited by hackers. As a result of the evaluated period, the most targeted vulnerabilities were CVE-2023-50164 and CVE-2022-33891 within Apache software, CVE-2023-29298, CVE-2023-38203, and CVE-2023-26360 within Coldfusion software, and CVE-2023-35082 within Mobile Iron software. CVE-2024-27198 is a characteristic example of how weaponization is developing at an extremely fast rate since it is a vulnerability in JetBrains TeamCity that allows authentication bypass. 

During a recent incident, Cloudflare picked up on the fact that an attacker deployed a PoC-based exploit 22 minutes after it had been published, giving defenders very little time to remediate the attack. There can only be one way of combating this speed, according to the internet firm, and that is through the use of artificial intelligence (AI) to rapidly come up with effective detection rules. As DDoS attacks continue to dominate the security threat landscape, targeted CVE exploits are becoming a greater concern as well in the coming years.

Over a third of all traffic is automated today, and there is a possibility that up to 93% of it is malicious. Approximately 60% of all web traffic now comes from APIs, but only a quarter of companies know which API endpoints they have. Moreover, enterprise websites typically have 47 third-party integrations that are part of their platform. Cloudflare has also been able to gather some valuable information from the study, which is that in the case of API security, companies are still relying on outdated, traditional methods of providing API security. 

In the case of traditional web application firewall (WAF) rules, a negative security model is typically used in the design of those rules. It is assumed that the vast majority of web traffic will be benign in this scenario. Several companies utilize a positive API security model, where strictly defined rules dictate the web traffic that is allowed, while all other access is denied. Cloudflare's network currently processes 57 million HTTP requests per second, reflecting a 23.9% year-over-year increase. The company blocks 209 billion cyber threats daily, which is an 86.6% increase compared to the previous year. These statistics underscore the rapid evolution of the threat landscape. 

According to Cloudflare's report covering Q2 2023 to Q1 2024, there has been a noticeable rise in application layer traffic mitigation, growing from 6% to 6.8%, with peaks reaching up to 12% during significant attacks. The primary contributors to this mitigation are Web Application Firewalls (WAF) and bot mitigations, followed by HTTP DDoS rules. There is an increasing trend in zero-day exploits and Common Vulnerabilities and Exposures (CVE) exploitation, with some exploits being utilized within minutes of their disclosure. 

Distributed Denial of Service (DDoS) attacks remain the most prevalent threat, accounting for 37.1% of mitigated traffic. In the first quarter of 2024 alone, Cloudflare mitigated 4.5 million unique DDoS attacks, marking a 32% increase from 2023. The motivations behind these attacks range from financial gains to political statements.
Read more »
Yahoo
AiTM Phishing CloudFlare Credential Harvester Cyber Attacks HTML smuggling JavaScript MFA Netskope Phishing Camapign Yahoo

Phishing Campaigns Exploit Cloudflare Workers to Harvest User Credentials

 

Cybersecurity researchers are raising alarms about phishing campaigns that exploit Cloudflare Workers to serve phishing sites designed to harvest user credentials associated with Microsoft, Gmail, Yahoo!, and cPanel Webmail. This attack method, known as transparent phishing or adversary-in-the-middle (AitM) phishing, employs Cloudflare Workers to act as a reverse proxy for legitimate login pages, intercepting traffic between the victim and the login page to capture credentials, cookies, and tokens, according to Netskope researcher Jan Michael Alcantara. 

Over the past 30 days, the majority of these phishing campaigns have targeted victims in Asia, North America, and Southern Europe, particularly in the technology, financial services, and banking sectors. The cybersecurity firm noted an increase in traffic to Cloudflare Workers-hosted phishing pages starting in Q2 2023, with a spike in the number of distinct domains from just over 1,000 in Q4 2023 to nearly 1,300 in Q1 2024. The phishing campaigns utilize a technique called HTML smuggling, which uses malicious JavaScript to assemble the malicious payload on the client side, evading security protections. 

Unlike traditional methods, the malicious payload in this case is a phishing page reconstructed and displayed to the user on a web browser. These phishing pages prompt victims to sign in with Microsoft Outlook or Office 365 (now Microsoft 365) to view a purported PDF document. If users follow through, fake sign-in pages hosted on Cloudflare Workers are used to harvest their credentials and multi-factor authentication (MFA) codes. "The entire phishing page is created using a modified version of an open-source Cloudflare AitM toolkit," Alcantara said. 

Once victims enter their credentials, the attackers collect tokens and cookies from the responses, gaining visibility into any additional activity performed by the victim post-login. HTML smuggling is increasingly favored by threat actors for its ability to bypass modern defenses, serving fraudulent HTML pages and other malware without raising red flags. One highlighted instance by Huntress Labs involved a fake HTML file injecting an iframe of the legitimate Microsoft authentication portal retrieved from an actor-controlled domain. This method enables MFA-bypass AitM transparent proxy phishing attacks using HTML smuggling payloads with injected iframes instead of simple links. 

Recent phishing campaigns have also used invoice-themed emails with HTML attachments masquerading as PDF viewer login pages to steal email account credentials before redirecting users to URLs hosting "proof of payment." These tactics leverage phishing-as-a-service (PhaaS) toolkits like Greatness to steal Microsoft 365 login credentials and bypass MFA using the AitM technique. The financial services, manufacturing, energy/utilities, retail, and consulting sectors in the U.S., Canada, Germany, South Korea, and Norway have been top targets. 

Threat actors are also employing generative artificial intelligence (GenAI) to craft effective phishing emails and using file inflation methods to evade analysis by delivering large malware payloads. Cybersecurity experts underscore the need for robust security measures and oversight mechanisms to combat these sophisticated phishing campaigns, which continually evolve to outsmart traditional detection systems.
Read more »
Spam Report
CloudFlare Cyber Attacks DDOS Attacks DNS Featured Spam Report

DDOS attack brings the Internet to its knees

The fight between a spam fighting company called "Spamhaus" and a web hosting company called "Cyberbunker" has slowed down a majority of the internet by making DNS resolving slow.



The reason behind the attack is that Spamhaus added the IP addresses of cyberbunker to its "spam" list due to Cyberbunker allowing almost any sort of content to be hosted hence also maybe the source for spam. So Cyberbunker attacked back and this attack also affected normal internet users.

The attack was possible because of the large number of vulnerable DNS servers that allow open DNS resolving.Simply put an attack exploiting this type of vulnerability makes use of the vulnerability of the DNS server to increase the intensity of the attack 100 fold.

The origins of these type of attacks goes back to the 1990's to an attack called "smurf attack"

But now the attack method has become more efficient and uses DNS amplification to flood the victim with spoofed requests which are sent to the DNS servers by using a botnet of compromised computers.The attack at its peak reached a speed of 300 Gbps making it the largest DDOS attack in history.

Cyberbunker which claims itself to be a supporter of free speech and defender against the "big bullies" seems to have now have stooped down to their level of using aggressive offensive methods that affect the normal functioning of the internet.This is not the way to go !

The people who run DNS resolvers are also equally responsible for these attacks as its their vulnerable servers that make these attacks possible, the internet community should come up with a PERMANENT solution to this problem.

Please read cloudflare's blog post for a detailed analysis : http://blog.cloudflare.com/the-ddos-that-almost-broke-the-internet
Read more »
Subscribe to: Posts (Atom)