Showing posts with label CloudFlare.

Cloudflare Blocks Largest DDoS Attack in History as Global Cyber Threats Surge

Cloudflare announced on Wednesday that it has detected and stopped the largest distributed denial of service (DDoS) attack ever recorded. 

The attack peaked at 29.7 terabits per second and lasted 69 seconds. The company said the traffic came from a botnet-for-hire called AISURU, which has been behind several extreme DDoS incidents over the past year. Cloudflare did not reveal the name of the targeted organization. 

AISURU has repeatedly targeted telecommunication companies, gaming platforms, hosting providers and financial services. 

Cloudflare said it also blocked another massive attack from the same botnet that reached 14.1 billion packets per second. Security researchers estimate that AISURU is powered by one to four million infected devices across the world. 

According to Cloudflare, the record-breaking event was a UDP carpet bombing attack that hit around 15,000 ports per second. The attackers randomised packet properties to get past defences, but Cloudflare’s automated systems detected and neutralised the traffic. Cloudflare has recorded 2,867 AISURU attacks since the beginning of 2025. 

Out of these, 1,304 hyper-volumetric attacks happened in the third quarter of this year alone. In total, the company blocked 8.3 million DDoS attacks during the same period. That number is 15 percent higher than the previous quarter and 40 percent higher than the same period last year. 

So far in 2025, Cloudflare has mitigated 36.2 million DDoS attacks, and the year is not yet over. The company highlighted a rapid increase in network layer attacks, which now make up 71 percent of all recorded attacks. 

Meanwhile, HTTP DDoS attacks declined in comparison. The report also shows major changes in the global DDoS landscape. The number of attacks that went above 100 million packets per second jumped by 189 percent quarter over quarter. In addition, 1,304 attacks exceeded one terabit per second. 

Cloudflare noted that most attacks last for less than 10 minutes, which leaves very little time for manual intervention and can still cause long service disruptions. 

The list of attack sources is dominated by Asia. Indonesia has remained the world’s biggest source of DDoS attacks for an entire year, followed by other locations such as Thailand, Bangladesh, Vietnam, India, Hong Kong and Singapore. Ecuador, Russia and Ukraine make up the remaining top ten. 

Several industries have seen major increases in targeting. Attacks against the mining, minerals and metals sector rose sharply and pushed it to the 49th most attacked industry worldwide. The automotive industry experienced the largest jump and is now the sixth most attacked. 

DDoS attacks targeting artificial intelligence companies rose by 347 percent in September alone. Across all sectors, information technology and services faced the most attacks. Telecommunications, gambling, gaming and internet services were also among the hardest hit. 

The most attacked countries this year include China, Turkey, Germany, Brazil, the United States and Russia. Cloudflare said the scale and sophistication of current DDoS activity marks a turning point for global cybersecurity. 

The company warned that many organizations are struggling to keep up with attackers who now operate with far more power and speed than ever before.

FastNetMon Mitigates 1.5 Billion PPS DDoS Attack Leveraging IoT Devices and MikroTik Routers

A massive distributed denial-of-service (DDoS) attack has been detected and mitigated by FastNetMon, targeting a DDoS protection vendor in Western Europe. According to the company, the attack surged to an astonishing 1.5 billion packets per second (pps), ranking among the largest packet-rate floods ever recorded.

FastNetMon revealed that the malicious traffic primarily consisted of UDP floods generated from hijacked customer-premises equipment (CPE), including IoT devices and MikroTik routers. The attack leveraged resources from over 11,000 networks worldwide. While the victim company wasn’t disclosed, FastNetMon confirmed it was a DDoS scrubbing provider, a service that filters malicious traffic during such cyberattacks.

“This event is part of a dangerous trend,” said Pavel Odintsov, founder of FastNetMon. “When tens of thousands of CPE devices can be hijacked and used in coordinated packet floods of this magnitude, the risks for network operators grow exponentially. The industry must act to implement detection logic at the ISP level to stop outgoing attacks before they scale.”

The incident was identified and mitigated in real time, with FastNetMon’s automated systems flagging the abnormal traffic within seconds. Defense measures included scrubbing technologies at the customer’s facility and deploying access control lists (ACLs) on routers vulnerable to amplification abuse.

FastNetMon highlighted that its platform, powered by optimized C++ algorithms, is specifically built to handle traffic events at such a scale. Thanks to these defenses, the targeted provider reportedly suffered no visible downtime or service disruption.

The news comes shortly after Cloudflare reported a record-breaking volumetric attack reaching 11.5 Tbps and 5.1 billion pps, underscoring the growing severity of both packet-rate floods and bandwidth-driven DDoS attacks.

“Taken together, the two incidents underline a rise in both packet-rate and bandwidth-driven floods, a trend that is pressuring the capacity of mitigation platforms worldwide,” FastNetMon said.

“What makes this case remarkable is the sheer number of distributed sources and the abuse of everyday networking devices. Without proactive ISP-level filtering, compromised consumer hardware can be weaponized at a massive scale,” the company added.

VoidProxy Phishing Platform Emerges as Threat Capable of Bypassing MFA

Security researchers are warning that a sophisticated phishing-as-a-service (PhaaS) platform known as VoidProxy is being used by criminal groups to evade widely deployed security controls, demonstrating how far this technology has advanced. 

VoidProxy is a specialised tool developed and marketed for cybercriminals to target high-value accounts by neutralising multi-factor authentication (MFA). Researchers at Okta, the identity and access management company that documented the platform, say it is unlike any other phishing kit out there. 

It combines advanced infrastructure and evasion techniques with commoditised accessibility, making it effective and dangerous even in the hands of relatively low-skilled attackers. Most alarming is its heavy reliance on adversary-in-the-middle (AiTM) phishing, a method of intercepting authentication flows in real time. 

Using this method, cybercriminals capture not only credentials but also the multi-factor authentication codes and session tokens generated during legitimate sign-in transactions. That lets VoidProxy bypass SMS-based codes and one-time passwords from authenticator apps, the protections that organisations and individuals typically rely on. 

VoidProxy's infrastructure combines sophistication with cost-effectiveness. Its operators host phishing sites on low-cost top-level domains such as .icu, .sbs, .cfd, .xyz, .top and .home, which are cheap to register and easy to replace. The phishing content is delivered through Cloudflare's reverse proxy services, which further obscures the site's actual hosting infrastructure. 

This layered concealment prevents researchers and defenders from determining the true IP address. Combined with highly deceptive email campaigns, it makes VoidProxy one of the most troubling emergences in the phishing service industry. Although the operation had not been reported until now, it shows a level of maturity rarely found in other phishing kits. 

Researchers at Okta found that VoidProxy can scale attacks against large groups of victims, targeting enterprise users, who represent a valuable entry point for fraud and data theft. The service inserts itself between the victim and the authenticating service to intercept authentication traffic. Once credentials and multi-factor authentication data are captured, attackers gain persistent access to the victim's account, bypassing the protections that would otherwise keep them out. 

The discovery was made only after Okta's FastPass technology, a passwordless authentication service, identified and blocked a suspicious sign-in attempt routed through VoidProxy's proxy network. From that single detection, researchers unravelled a much larger ecosystem of campaigns, revealing the administrative panels and dashboards through which cybercriminals rented access to the service.

Brett Winterford, senior vice president of threat intelligence at Okta, recently described VoidProxy as “an example of phishing infrastructure that has been observed in recent years.” Winterford singled out both its ability to bypass multi-factor authentication and its elaborate anti-analysis mechanisms. 

Unlike traditional phishing kits, which can often be dismantled by tracking servers and blocking malicious domains, VoidProxy offers many layers of obfuscation: phishing lures sent through compromised email accounts, multiple redirect chains that complicate analysis, Cloudflare CAPTCHA and Workers that inspect and filter incoming traffic, and dynamic DNS that keeps the infrastructure fast-moving. 

These techniques kept the operation secret until Okta uncovered it, but the kit's sophistication extends beyond its technical defences. Attackers distribute VoidProxy campaigns in several ways. The first is by sending phishing emails from compromised accounts on legitimate marketing and communication systems such as Constant Contact, Active Campaign and Notify Visitors. 

Because these lures ride on the reputation of established service providers, they are more likely to escape spam filters and reach the inboxes of targeted users. Once a user clicks through and provides credentials, VoidProxy's response depends on what authentication the victim has configured.

Users who authenticate through single sign-on (SSO) are forwarded to a second-stage phishing page designed to harvest additional information, while non-federated users are proxied directly to legitimate Microsoft and Google servers. In the final stage, affiliates use the AiTM proxy, hosted on ephemeral infrastructure supported by dynamic DNS, to harvest session cookies. 

By hijacking authenticated sessions through session cookies, attackers gain the same level of access as legitimate users without having to submit credentials again. Inheriting that trusted access, they can operate undetected until security teams notice unusual behaviour. 

VoidProxy also offers an administrative panel that lets paying affiliates monitor the progress of their campaigns and the victim data collected. Because advanced phishing campaigns have become so easy to run, a broader set of actors, from organised cybercrime groups to less sophisticated attackers, can engage in them. 

Although VoidProxy is a new and dangerous entrant into the phishing landscape, researchers emphasise that effective defences exist. Phishing-resistant authenticators, such as hardware security keys, passkeys and smart cards, block attackers from hijacking credentials or signing in through proxy infrastructure. 
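To show why origin-bound authenticators stop an AiTM proxy, here is an added example that is not Okta's code or VoidProxy's: a simplified WebAuthn-style assertion check in which the browser records the page origin in the signed client data, so an assertion relayed from a lookalike domain fails verification. Assumptions: the relying-party ID login.example.com, the lookalike domain login-example.icu, and an HMAC standing in for the authenticator's public-key signature.

```python
"""Origin binding in a WebAuthn-style assertion (added example, not Okta's or VoidProxy's code).

Simplification: the authenticator's public-key signature is replaced by an HMAC over the
same bytes a real authenticator signs, authenticatorData || SHA-256(clientDataJSON).
The origin-binding logic is what matters here; the HMAC is only a stand-in.
"""
import hashlib
import hmac
import json
import os
import struct

RP_ID = "login.example.com"                     # assumed relying-party ID
ALLOWED_ORIGINS = {"https://login.example.com"}  # origins the RP will accept


def client_data(challenge: str, origin: str) -> bytes:
    """clientDataJSON as the *browser* builds it: the page cannot choose the origin."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()


def authenticator_sign(cred_secret: bytes, rp_id: str, client_data_json: bytes, sign_count: int):
    """Return (authenticatorData, signature) the way a registered authenticator would.
    authenticatorData = rpIdHash(32) || flags(1) || signCount(4). Flags 0x05 = UP + UV."""
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + struct.pack(">I", sign_count)
    signed_bytes = auth_data + hashlib.sha256(client_data_json).digest()
    return auth_data, hmac.new(cred_secret, signed_bytes, hashlib.sha256).digest()


def verify_assertion(cred_secret, expected_challenge, client_data_json, auth_data, signature, last_sign_count):
    """Relying-party side. Returns (ok, reason)."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        # This is the check an AiTM proxy cannot get past: the victim's browser was on
        # the proxy's domain, and that origin is what ended up inside the signed data.
        return False, f"origin not allowed: {cd.get('origin')}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user not present"
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    if sign_count <= last_sign_count:
        return False, "sign count did not increase (possible clone or replay)"
    expected = hmac.new(cred_secret, auth_data + hashlib.sha256(client_data_json).digest(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    return True, "ok"


def demo():
    """Three outcomes: genuine sign-in, relayed AiTM assertion, and origin rewritten by the proxy."""
    secret = os.urandom(32)                  # per-credential secret registered earlier (stand-in)
    challenge = "c3RhdGljLWNoYWxsZW5nZQ"      # constructed challenge issued by the RP

    # 1. Genuine sign-in: the browser is on the real origin.
    cdj = client_data(challenge, "https://login.example.com")
    ad, sig = authenticator_sign(secret, RP_ID, cdj, sign_count=7)
    genuine = verify_assertion(secret, challenge, cdj, ad, sig, last_sign_count=6)

    # 2. AiTM relay: the proxy forwards the real challenge, but the victim's browser is on the
    #    lookalike domain and records that origin. (A real browser would already refuse, because
    #    the RP ID does not match the page domain; shown here to make the server-side check explicit.)
    cdj_phish = client_data(challenge, "https://login-example.icu")
    ad2, sig2 = authenticator_sign(secret, RP_ID, cdj_phish, sign_count=8)
    relayed = verify_assertion(secret, challenge, cdj_phish, ad2, sig2, last_sign_count=7)

    # 3. Proxy rewrites the origin back to the real one before forwarding: signature no longer matches.
    cdj_rewritten = client_data(challenge, "https://login.example.com")
    rewritten = verify_assertion(secret, challenge, cdj_rewritten, ad2, sig2, last_sign_count=7)
    return genuine, relayed, rewritten


if __name__ == "__main__":
    for label, result in zip(("genuine", "relayed", "rewritten"), demo()):
        print(f"{label}: {result}")
```

Contrast this with an SMS code or TOTP, which carries no origin at all and therefore verifies identically whether the user typed it into the real site or into the proxy's copy.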

Okta's research shows that users equipped with these authenticators are far less likely to be compromised via VoidProxy, but most organisations still rely on weaker forms of multi-factor authentication, such as SMS codes, which leaves them vulnerable to interception. 

In response to the discovery, Okta has informed Google and Microsoft of VoidProxy's operations, shared intelligence with its SaaS partners and issued a customer advisory. Beyond adopting phishing-resistant authentication, the company recommended that enterprises take a broader set of security measures. 

These include restricting access to trusted devices and networks, monitoring sign-in behaviour for anomalies, and giving users simple mechanisms for reporting suspicious emails or log-in attempts. It is also crucial to cultivate a culture of cybersecurity awareness across the company. 

Employees should be trained to recognise phishing emails, suspicious login prompts and common social engineering techniques, which often lead to compromise. VoidProxy's rise also points to a wider industry problem: the proliferation of platform-based PhaaS that turns advanced attack techniques into a commodity. 

Other kits, such as EvilProxy, first reported in 2022, and Salty2FA, discovered earlier this year, have demonstrated similar capabilities to bypass multi-factor authentication and hijack sessions. Each successive platform raises the stakes for defenders, as techniques once reserved for highly skilled adversaries become accessible to anyone willing to pay. 

By lowering the technical barrier, these services expand the pool of attackers, producing phishing campaigns that are more effective, harder to detect, more persistent and more damaging than before. The emergence of VoidProxy marks a critical shift in the threat landscape that calls for a new approach to enterprise security. 

Legacy defences that depend solely on passwords or basic multi-factor authentication will not suffice against such adaptive adversaries. Organisations need layered security strategies combined with proactive resilience. 

Phishing-resistant authenticators are essential, but businesses must also detect anomalies continuously, maintain rapid incident response capabilities and train their employees adequately. Collaboration across the cybersecurity ecosystem is also crucial. 

Intelligence-sharing between vendors, enterprises and researchers matters because early detection of emerging threats and coordinated action can significantly reduce the damage they cause. 

As PhaaS platforms evolve rapidly, enterprises have to shift from reactive defence to proactive adaptation, preparing not only to withstand today's attacks but to anticipate tomorrow's. In a digital world where trust itself has become a target, security depends on maintaining agility and resilience.

Workiva Confirms Data Breach in Wake of Salesforce Security Incident

A recent wave of attacks on Salesforce customers has prompted Workiva to disclose a linked breach, a reminder of the growing cybersecurity risks faced by global organisations. Workiva provides cloud-based financial reporting, compliance and audit software. 

The company confirmed that attackers accessed a third-party customer relationship management (CRM) system, exposing limited business contact details, including names, email addresses, phone numbers and support ticket information. Workiva stressed that its own platform and the customer data stored in it remain secure. 

The breach has been linked to the ShinyHunters extortion group and is part of a broader campaign in which the threat actors gain unauthorized access to sensitive business information, including by exploiting OAuth tokens and conducting voice phishing. Workiva has warned customers to be alert to spear phishing attempts and emphasized that all official communications will continue to come only from its verified support channels. 

Workiva, whose cloud-based platform is widely used for financial reporting, compliance and audit processes, traced the breach to unauthorized access to a third party's customer relationship management system. There has been a breach of security at Adobe. 

In notifications sent to potentially affected clients, the company disclosed that attackers accessed a limited set of business contact details, such as names, email addresses, phone numbers and support ticket data. Workiva clarified that its core platform and the customer data stored inside it were not compromised; the intrusion originated via a connected third-party application managed by the vendor responsible for Workiva's CRM system. 

Workiva serves more than 6,300 customers, including 85 percent of Fortune 500 companies and prominent names such as Google, T-Mobile, Delta Air Lines, Wayfair, Hershey and Mercedes-Benz, so the company stressed the importance of vigilance and warned that the stolen data could be used for spear-phishing scams. 

To reassure customers, Workiva reiterated that it would never solicit sensitive information by text or phone, nor communicate with customers through anything other than its official support channels. The wave of intrusions has kept the cybersecurity community on its toes, since even the most prominent security vendors were not spared. 

Cloudflare, for example, reported that attackers exploited compromised credentials linked to Salesloft Drift, a third-party application integrated with Salesforce, rather than relying on traditional social engineering. 

Using this access, threat actors infiltrated Cloudflare's Salesforce environment on August 12 and spent two days mapping the system before conducting a rapid exfiltration operation that, within minutes, siphoned off sensitive data, deleted log files and attempted to erase digital traces. 

Earlier, Palo Alto Networks confirmed a similar breach between August 8 and 18, in which attackers used stolen OAuth tokens to access its Salesforce environment. During that period, the adversaries extracted customer contact information, sales records and case data. 

The adversaries later scanned the stolen data for passwords and cloud service credentials, which were used in secondary attacks targeting AWS and Snowflake platforms. Analysts point out that these incidents do not mean core defences have collapsed, but rather that trust dependencies within digital ecosystems are fragile. 

Exploiting weak access controls and third-party connections, groups like Scattered Spider, Lapsus$ and ShinyHunters have monetized stolen data and ransom payments through underground channels, raising concern that the full scope of exposure may be far larger than has been revealed.

Workday, one of the world's largest HR software providers, has also confirmed that it fell victim to the cyberattack campaign targeting Salesforce's customer relationship management platform. The incident, first reported on August 6, could have affected the personal information of up to 70 million individuals and the business information of 11,000 corporate clients. 

Workday stressed that its core HR systems, known as customer tenants, were unaffected, but admitted that attackers accessed business contact details in its Salesforce integration, including names, email addresses, phone numbers and fax numbers. The growing list of victims includes Google, Cisco, Qantas and Pandora, as well as other large companies. 

The breach underscores how adversaries increasingly target third-party service providers that act as gateways to vast amounts of personal data. With roughly 60% of Fortune 500 companies using Workday's platform, the incident highlights the risks of an interconnected digital supply chain. 

Security experts warn that SaaS and CRM systems, once treated as routine business tools, have become highly valuable attack surfaces. With analysts pointing to ShinyHunters as the likely culprit, attention has turned to the group's tactics, namely phishing campaigns that impersonate HR and IT staff to trick employees into handing over their credentials. 

The breaches have reignited debate among cybersecurity professionals over whether they reflect increasingly sophisticated social engineering or persistent shortcomings in organizational awareness and training. In light of the string of breaches tied to Salesforce integrations, enterprises are reassessing how they monitor and secure the third-party platforms woven into their daily operations. 

The incidents were unprecedented in scope and severity, and although some companies contained the fallout more quickly than others, they show that even the most trusted vendors are not invulnerable. Most cybersecurity specialists believe organizations need a broader security posture that goes beyond perimeter defense to include vendor risk management, zero-trust frameworks and tighter identity and access controls. 

Auditing integrations regularly, minimizing the permissions granted through OAuth and monitoring API usage are no longer optional safeguards but strategic imperatives in an environment where attackers thrive on exploiting overlooked trust relationships. 
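One way to put the API-usage monitoring recommended above into practice, as an added example rather than any vendor's tooling: a sliding-window detector over constructed CRM API audit events that flags a connected app pulling an unusual number of rows in a short period, and any log deletion that follows, the sequence described in the Cloudflare intrusion above. Event names, the window size and the thresholds are assumptions.

```python
"""Bulk-export detection for OAuth-connected apps in CRM API audit events.

Added example, not Salesforce's, Cloudflare's or Workiva's code. Each constructed
event is (epoch_seconds, connected_app, action, rows). The action names "query",
"bulk_query" and "delete_logs" are placeholders, not vendor event types.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 10 * 60   # look-back window per app (assumed)
ROW_THRESHOLD = 50_000     # rows fetched per app within the window before alerting (assumed)


def detect_bulk_export(events, window=WINDOW_SECONDS, threshold=ROW_THRESHOLD):
    """Sliding-window row count per connected app.

    Alerts once when an app exceeds `threshold` rows inside `window` seconds, and again
    if that same app later attempts to delete logs (the cover-your-tracks step)."""
    recent = defaultdict(deque)   # app -> deque of (ts, rows) inside the window
    total = defaultdict(int)      # app -> rows currently inside the window
    tripped = set()               # apps that already exceeded the threshold
    alerts = []
    for ts, app, action, rows in sorted(events):
        if action == "delete_logs":
            if app in tripped:
                alerts.append((ts, app, "log deletion after bulk export"))
            continue
        if action not in ("query", "bulk_query"):
            continue
        q = recent[app]
        q.append((ts, rows))
        total[app] += rows
        # Evict entries that fell out of the window.
        while q and q[0][0] < ts - window:
            _, old_rows = q.popleft()
            total[app] -= old_rows
        if total[app] >= threshold and app not in tripped:
            tripped.add(app)
            alerts.append((ts, app, f"{total[app]} rows in {window}s"))
    return alerts


def build_sample_events():
    """Constructed audit trail: one routine sync and one abusive integration token."""
    events = []
    # Routine marketing sync: 200 rows every 5 minutes for two hours.
    for i in range(24):
        events.append((i * 300, "app-marketing-sync", "query", 200))
    # Abused chat integration: 20k rows per minute for five minutes, then log deletion.
    base = 3600
    for i in range(5):
        events.append((base + i * 60, "app-chat-integration", "bulk_query", 20_000))
    events.append((base + 400, "app-chat-integration", "delete_logs", 0))
    return events


if __name__ == "__main__":
    for alert in detect_bulk_export(build_sample_events()):
        print(alert)
```

Tune the window and threshold per app from its normal baseline; a nightly full sync legitimately exceeds what a chat integration should ever fetch.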

Greater employee awareness of spear-phishing and impersonation schemes is also critical to reducing credential theft, an entry point that grows more prevalent each year. For organizations reliant on SaaS ecosystems, the lesson is clear: securing the extended supply chain is as important to business resilience as protecting internal infrastructure, and those that adapt will be best positioned to withstand the next wave of attacks.

Cloudflare Accuses AI Startup Perplexity of Bypassing Web Blocking Measures

Cloudflare has accused artificial intelligence company Perplexity of using hidden tactics to bypass restrictions designed to stop automated bots from collecting website data.

In a statement published Monday, Cloudflare said it had received multiple complaints from its customers claiming that Perplexity was still able to view and collect information from their sites, even though they had taken steps to block its activity. These blocks were implemented through a robots.txt file, a common tool that tells search engine bots which parts of a website they can or cannot access.

According to Cloudflare’s engineers, testing confirmed that Perplexity’s official crawler, the automated system responsible for scanning and indexing web content, was being blocked as expected. However, the company claims Perplexity was also using other, less obvious methods to gain access to pages where it was not permitted.

As a result, Cloudflare said it has removed Perplexity from its list of verified bots and updated its own security rules to detect and block what it called “stealth crawling.” The company stressed that trustworthy crawlers should operate transparently, follow site owner instructions, and clearly state their purpose.

This dispute comes shortly after Cloudflare introduced new tools allowing website operators to either block AI crawlers completely or charge them for access. The move is part of a broader debate over how AI firms gather the large amounts of online data needed to train their systems.

When contacted by media outlets, Perplexity did not respond immediately. Later, company spokesperson Jesse Dwyer told TechCrunch that Cloudflare’s claims were exaggerated, describing the blog post as a “sales pitch.” Dwyer also argued that Cloudflare’s screenshots showed no actual data collection, and that one of the bots mentioned “isn’t even ours.”

Perplexity went further in its own blog post, criticizing Cloudflare’s actions as “embarrassing” and “disqualifying.”

The AI company has faced similar accusations before. Earlier this year, the BBC threatened legal action against Perplexity over claims it had copied its content without permission. Perplexity is one of several AI companies caught up in disputes over online data scraping, though some media organizations have instead chosen to sign licensing agreements with AI firms, including Perplexity.

As tension between AI data gathering and online privacy grows, this case highlights the increasing push by infrastructure providers like Cloudflare to give site owners more control over how, and whether, AI systems can collect their content.

Cloudflare Thwarts Record-Breaking DDoS Attack as Global Threat Escalates

Cloudflare has successfully blocked the largest distributed denial-of-service (DDoS) attack ever recorded, marking a significant moment in the escalating battle against cyber threats. The attack peaked at an unprecedented 7.3 terabits per second (Tbps), targeting an unnamed hosting provider and unleashing 37.4 terabytes of data in just 45 seconds. Cloudflare’s Magic Transit service absorbed the blow, which was composed almost entirely—99.996%—of User Datagram Protocol (UDP) flood attacks. 

While UDP is commonly used for real-time applications like streaming and gaming due to its speed, that same characteristic makes it vulnerable to exploitation in high-volume cyberattacks. The remaining 0.004% of the traffic—about 1.3 GBps—included various amplification and reflection attack methods such as NTP reflection, Echo reflection, Mirai UDP flood, and RIPv1 amplification. This sliver alone would be enough to cripple most unprotected systems. 

What set this attack apart wasn’t just volume but velocity—it carpet-bombed an average of 21,925 destination ports per second, with peaks reaching 34,517 ports on a single IP address. The attack originated from over 122,000 unique IP addresses spanning 161 countries, with the most significant traffic coming from Brazil, Vietnam, Taiwan, China, Indonesia, and Ukraine. 

This historic attack is part of a growing wave of DDoS incidents. In the first quarter of 2025 alone, Cloudflare mitigated 20.5 million DDoS attacks—a staggering 358% increase from the same period last year. Nearly 700 of these were hyper-volumetric attacks, averaging eight per day and overwhelmingly leveraging network-layer vulnerabilities via UDP floods. 
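The carpet-bombing pattern described in this post and in the AISURU report above (tens of thousands of destination ports per second against one target, with packet properties randomised to defeat signatures) is easiest to recognise from port dispersion rather than payload. The following added example, not Cloudflare's code, runs a per-second distinct-UDP-port check over constructed flow records; the thresholds and the TEST-NET addresses are assumptions.

```python
"""Carpet-bomb detection over sampled flow records (added example, not Cloudflare's code).

Constructed input: per-second flow summaries shaped like
(second, dst_ip, dst_port, proto, packets). Thresholds are assumptions a network
operator would tune to their own baseline.
"""
import random
from collections import defaultdict

DISTINCT_PORT_THRESHOLD = 1_000   # distinct UDP dst ports per second per target (assumed)
PACKET_THRESHOLD = 100_000        # packets per second per target (assumed)


def summarise_by_target(flows):
    """Group flows by (second, dst_ip): distinct UDP destination ports, total and UDP packets."""
    stats = defaultdict(lambda: {"ports": set(), "packets": 0, "udp_packets": 0})
    for second, dst_ip, dst_port, proto, packets in flows:
        s = stats[(second, dst_ip)]
        s["packets"] += packets
        if proto == "udp":
            s["udp_packets"] += packets
            s["ports"].add(dst_port)
    return stats


def detect_carpet_bomb(flows, port_threshold=DISTINCT_PORT_THRESHOLD, packet_threshold=PACKET_THRESHOLD):
    """Alert when one target sees both high packet rate and very wide UDP port dispersion.

    A single busy service (one port, many packets) does not trip this; a flood spread
    across thousands of random ports does, whatever the per-packet contents look like."""
    alerts = []
    for (second, dst_ip), s in sorted(summarise_by_target(flows).items()):
        distinct = len(s["ports"])
        udp_share = s["udp_packets"] / s["packets"] if s["packets"] else 0.0
        if distinct >= port_threshold and s["packets"] >= packet_threshold:
            alerts.append({
                "second": second,
                "dst_ip": dst_ip,
                "distinct_udp_ports": distinct,
                "packets": s["packets"],
                "udp_share": round(udp_share, 3),
            })
    return alerts


def build_sample_flows():
    """Constructed data: a busy but legitimate game server plus a carpet-bombed neighbour."""
    rng = random.Random(7)   # deterministic so the example reproduces
    flows = []
    for sec in range(3):
        flows.append((sec, "203.0.113.10", 27015, "udp", 20_000))   # game traffic, one port
        flows.append((sec, "203.0.113.10", 443, "tcp", 5_000))      # web traffic
    # Attack during seconds 1-2: sampled as 2,000 flows/sec, each to a random UDP port.
    for sec in (1, 2):
        for _ in range(2_000):
            flows.append((sec, "203.0.113.20", rng.randint(1, 65535), "udp", 100))
    return flows


if __name__ == "__main__":
    for alert in detect_carpet_bomb(build_sample_flows()):
        print(alert)
```

With real sFlow or NetFlow sampling the absolute counts scale with the sampling rate, so express the thresholds per sampled flow rather than per packet.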

Earlier this year, Cloudflare had also defended against a 6.5 Tbps strike linked to the Eleven11bot botnet, composed of tens of thousands of compromised webcams and IoT devices. 

The rise in DDoS activity is not just a technical issue—it’s being fueled by geopolitical tensions as well. According to Radware’s director of threat intelligence, Pascal Geenens, hacktivist DDoS attacks against U.S. targets surged by 800% in just two days in June, following U.S. involvement in the Israel-Iran conflict. Radware’s 2025 Global Threat Analysis Report highlights a 550% global increase in web-based DDoS attacks and a near 400% year-over-year growth in overall DDoS traffic volume. Experts warn that these attacks are only going to become more frequent and intense. 

To counter this threat, experts recommend a multi-layered defense strategy. 

Partnering with specialized DDoS mitigation providers such as Cloudflare, Akamai, Imperva, or Radware is essential for organizations that lack the infrastructure to defend against large-scale attacks. Blocking traffic from known malicious Autonomous System Numbers (ASNs) and using geoblocking can filter out harmful sources, although attackers often bypass these measures with spoofed IPs or botnets. Distributing network infrastructure can prevent single points of failure, while configuring routers and firewalls to block unsafe protocols like ICMP and FTP adds an additional line of defense. Businesses are also advised to work closely with their internet service providers to filter unnecessary traffic upstream. 

Deploying Web Application Firewalls (WAFs) is critical for defending against application-layer threats, and using multiple DNS providers with DNSSEC can ensure site availability even during attacks. Specialized tools like Wordfence for WordPress add another layer of protection for widely used platforms. Importantly, no single solution is sufficient. Organizations must adopt layered defenses and routinely test their systems through red team exercises using tools like HULK, hping3, or GoldenEye to identify vulnerabilities before attackers exploit them. Even small websites are no longer safe from DDoS campaigns. As cybersecurity journalist Steven Vaughan-Nichols noted, his personal site faces about a dozen DDoS attacks every week. In today's threat landscape, robust DDoS defense isn't a luxury—it’s a necessity.

Cloudflare Explains Major Service Outage: Not a Security Breach, No Data Lost

Cloudflare has clarified that a widespread outage affecting its global services was not the result of a cyberattack or data breach. The company confirmed that no customer data was compromised during the disruption, which significantly impacted numerous platforms, including major edge computing services and some Google Cloud infrastructure. 

The issue began at approximately 17:52 UTC and was primarily caused by a complete failure of Workers KV, Cloudflare’s globally distributed key-value storage system. As a backbone for its serverless computing platform, Workers KV plays a crucial role in supporting configuration, identity management, and content delivery across many of Cloudflare’s offerings. When it went offline, critical functions across the ecosystem were immediately affected. 

In a post-incident analysis, Cloudflare revealed that the root cause was a malfunction in the storage infrastructure that underpins Workers KV. This backend is partially hosted by a third-party cloud service, which experienced its own outage—directly leading to the failure of the KV system. The ripple effects were far-reaching, disrupting Cloudflare services for nearly two and a half hours. 

Key services impacted included authentication platforms like Access and Gateway, which saw major breakdowns in login systems, session handling, and policy enforcement. Cloudflare’s WARP service was unable to register new devices, while Gateway experienced failures in DNS-over-HTTPS queries. CAPTCHA and login tools such as Turnstile and Challenges also malfunctioned, with a temporary kill switch introducing token reuse risks.

Media services like Stream and Images were hit particularly hard, with all live streaming and media uploads failing during the incident. Other offerings such as Workers AI, Pages, and the AutoRAG AI system were rendered entirely unavailable. Even backend systems like Durable Objects, D1 databases, and Queues registered elevated error rates or became completely unresponsive.
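The "kill switch introducing token reuse risks" detail is worth a closer look, because it is a general failure mode of any single-use token scheme whose replay state lives in a remote store. The following is an added example, not Cloudflare's code or a description of how Turnstile actually works: a toy challenge-token verifier that keeps its "seen nonce" set in a key-value store which can go offline. Three behaviours are compared when the store is unreachable: failing closed, a fail-open kill switch (which accepts a token that was already consumed), and a degraded mode that keeps single-use enforcement alive with a node-local cache. The token format, the HMAC secret and the in-memory store are all constructed for the demo.

```python
"""
Added example: a toy single-use challenge-token verifier showing why a
fail-open "kill switch" during a storage outage permits token reuse, and
how a degraded mode with a local nonce cache limits that. Token format,
secret and store are constructed; this is not any vendor's real design.
"""
import base64
import hashlib
import hmac
import secrets
import time

SECRET = b"demo-signing-key"   # constructed; a real deployment rotates this


class StoreUnavailable(Exception):
    pass


class KVStore:
    """Stand-in for a remote key-value store that can be taken offline."""
    def __init__(self):
        self.data = {}
        self.online = True

    def add_once(self, key):
        """True if key was newly inserted, False if it was already present."""
        if not self.online:
            raise StoreUnavailable()
        if key in self.data:
            return False
        self.data[key] = True
        return True


def issue_token(ttl=300, now=None):
    """Token = base64url(nonce '.' expiry '.' HMAC-SHA256(nonce '.' expiry))."""
    now = time.time() if now is None else now
    nonce = secrets.token_hex(8)
    body = f"{nonce}.{int(now + ttl)}".encode()
    sig = hmac.new(SECRET, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + b"." + sig).decode()


def check_signature_and_expiry(token, now=None):
    """Return the nonce if the token is well-formed, authentic and unexpired."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token)
        nonce, exp, sig = raw.split(b".", 2)   # nonce/exp contain no dots
    except Exception:
        return None
    expected = hmac.new(SECRET, nonce + b"." + exp, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    if int(exp) < now:
        return None
    return nonce.decode()


class Verifier:
    def __init__(self, store, mode="strict"):
        self.store = store
        self.mode = mode            # "strict", "kill_switch" or "degraded"
        self.local_seen = set()     # fallback single-use cache for degraded mode

    def verify(self, token, now=None):
        nonce = check_signature_and_expiry(token, now)
        if nonce is None:
            return False
        try:
            return self.store.add_once("nonce:" + nonce)
        except StoreUnavailable:
            if self.mode == "kill_switch":
                # Fail open: any authentic token is accepted, even one already spent.
                return True
            if self.mode == "degraded":
                # Keep single-use enforcement with a node-local cache.
                if nonce in self.local_seen:
                    return False
                self.local_seen.add(nonce)
                return True
            return False    # strict: fail closed


def demo():
    store = KVStore()
    tok = issue_token(now=1_700_000_000)
    results = {}
    strict = Verifier(store, "strict")
    results["first_use"] = strict.verify(tok, now=1_700_000_010)          # True
    results["replay_online"] = strict.verify(tok, now=1_700_000_011)      # False
    store.online = False                                                  # outage begins
    results["strict_offline"] = strict.verify(tok, now=1_700_000_012)     # False
    ks = Verifier(store, "kill_switch")
    results["killswitch_replay"] = ks.verify(tok, now=1_700_000_013)      # True: reuse
    deg = Verifier(store, "degraded")
    tok2 = issue_token(now=1_700_000_000)
    results["degraded_first"] = deg.verify(tok2, now=1_700_000_014)       # True
    results["degraded_replay"] = deg.verify(tok2, now=1_700_000_015)      # False
    results["expired"] = deg.verify(tok2, now=1_700_001_000)              # False
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18} {'accepted' if ok else 'rejected'}")
```

The degraded mode is only a partial fix: its local cache knows nothing about nonces spent before the outage in the remote store, and a multi-node fleet would need the cache per node, so a token could be accepted once more per node during the outage. Short token lifetimes bound that window, which is why expiry is checked before the store is ever consulted.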

Cloudflare’s response plan now includes a significant architectural shift. The company will begin migrating Workers KV from its current third-party dependency to its in-house R2 object storage solution. This move is designed to reduce reliance on external providers and improve the overall resilience of Cloudflare’s services. 

In addition, Cloudflare will implement a series of safeguards to mitigate cascading failures in future outages. This includes new cross-service protections and controlled service restoration tools that will help stabilize systems more gradually and prevent sudden traffic overloads. 

While the outage was severe, Cloudflare’s transparency and swift action to redesign its infrastructure aim to minimize similar disruptions in the future and reinforce trust in its platform.

Global Operation Dismantles Lumma Malware Network, Seizes 2,300 Domains and Infrastructure


In a sweeping international crackdown earlier this month, a collaborative operation involving major tech firms and law enforcement agencies significantly disrupted the Lumma malware-as-a-service (MaaS) operation. This effort resulted in the seizure of thousands of domains and dismantling of key components of Lumma's infrastructure across the globe.

A major milestone in the operation occurred on May 13, 2025, when Microsoft, through legal action, successfully took control of around 2,300 domains associated with the malware. Simultaneously, the U.S. Department of Justice (DOJ) dismantled online marketplaces used by cybercriminals to rent Lumma’s services, while Europol’s European Cybercrime Center (EC3) and Japan’s Cybercrime Control Center (JC3) helped take down Lumma’s infrastructure in their respective regions.

"Between March 16, 2025, and May 16, 2025, Microsoft identified over 394,000 Windows computers globally infected by the Lumma malware. Working with law enforcement and industry partners, we have severed communications between the malicious tool and victims," said Steven Masada, Assistant General Counsel of Microsoft's Digital Crimes Unit.

Cloudflare, one of the key players in the effort, highlighted the impact of the takedown.

“The Lumma Stealer disruption effort denies the Lumma operators access to their control panel, marketplace of stolen data, and the Internet infrastructure used to facilitate the collection and management of that data. These actions impose operational and financial costs on both the Lumma operators and their customers, forcing them to rebuild their services on alternative infrastructure,” Cloudflare stated.

The operation saw contributions from companies like ESET, CleanDNS, Bitsight, Lumen, GMO Registry, and law firm Orrick. According to Cloudflare, the Lumma malware misused its platform to mask the IP addresses of servers used to siphon off stolen credentials and sensitive data.

Even after suspending malicious domains, the malware managed to bypass Cloudflare’s interstitial warning page, prompting the company to reinforce its security measures.

"Cloudflare's Trust and Safety team repeatedly flagged domains used by the criminals and suspended their accounts," the company explained.

“In February 2025, Lumma’s malware was observed bypassing Cloudflare’s interstitial warning page, which is one countermeasure that Cloudflare employs to disrupt malicious actors. In response, Cloudflare added the Turnstile service to the interstitial warning page, so the malware could not bypass it.”

Also known as LummaC2, Lumma is a sophisticated information-stealing malware offered as a subscription-based service, ranging from $250 to $1,000. It targets both Windows and macOS systems, enabling cybercriminals to exfiltrate data from browsers and apps.

Once installed, Lumma can extract a broad range of data, including login credentials, credit card numbers, cryptocurrency wallets, cookies, and browsing history from popular browsers like Google Chrome, Microsoft Edge, Mozilla Firefox, and other Chromium-based platforms. The stolen data is packaged and sent to attacker-controlled servers, where it is either sold on dark web marketplaces or used in follow-up cyberattacks.

Initially spotted in December 2022 on cybercrime forums, the malware quickly gained traction. Cybersecurity firm KELA reported its rapid rise in popularity among cybercriminals.

IBM X-Force’s 2025 threat intelligence report revealed a 12% year-on-year increase in the number of stolen credentials being sold online, largely driven by the use of infostealers like Lumma. Phishing campaigns delivering such malware have surged by 84%, making Lumma the most dominant player in this threat landscape.

Lumma has been linked to major malvertising campaigns affecting hundreds of thousands of users and has been used by notorious groups such as the Scattered Spider cybercrime collective.

Recently, stolen data linked to Lumma has played a role in high-profile breaches at companies like PowerSchool, HotTopic, CircleCI, and Snowflake. In some cases, infostealer malware has been used to manipulate internet infrastructure, such as the Orange Spain RIPE account hijacking incident that disrupted BGP and RPKI configurations.

On the day of the crackdown, the FBI and CISA jointly issued a security advisory outlining indicators of compromise (IOCs) and detailing the tactics, techniques, and procedures (TTPs) employed by threat actors using Lumma malware.