Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Cloudfare. Show all posts
Malware Threat
AsyncRAT AsyncRAT attack Cloudfare Cyber Phishing Cyber Security Cyberattacks cybersecurity risks Malware Threat

AsyncRAT Campaign Abuses Cloudflare Services to Hide Malware Operations

 

Cybercriminals distributing the AsyncRAT remote access trojan are exploiting Cloudflare’s free-tier services and TryCloudflare tunneling domains to conceal malicious infrastructure behind widely trusted platforms. By hosting WebDAV servers through Cloudflare, attackers are able to mask command-and-control activity, making detection significantly more difficult for conventional security tools that often whitelist Cloudflare traffic. 

The campaign typically begins with phishing emails that contain Dropbox links. These links deliver files using double extensions, such as .pdf.url, which are designed to mislead recipients into believing they are opening legitimate documents. When the files are opened, victims unknowingly download multi-stage scripts from TryCloudflare domains. At the same time, a genuine PDF document is displayed to reduce suspicion and delay user awareness of malicious activity. 

A notable aspect of this operation is the attackers’ use of legitimate software sources. The malware chain includes downloading official Python distributions directly from Python.org. Once installed, a full Python environment is set up on the compromised system. This environment is then leveraged to execute advanced code injection techniques, specifically targeting the Windows explorer.exe process, allowing the malware to run stealthily within a trusted system component. 

To maintain long-term access, the attackers rely on multiple persistence mechanisms. These include placing scripts such as ahke.bat and olsm.bat in Windows startup folders so they automatically execute when a user logs in. The campaign also uses WebDAV mounting to sustain communication with command-and-control servers hosted through Cloudflare tunnels. 

The threat actors heavily employ so-called “living-off-the-land” techniques, abusing built-in Windows tools such as PowerShell, Windows Script Host, and other native utilities. By blending malicious behavior with legitimate system operations, the attackers further complicate detection and analysis, as their activity closely resembles normal administrative actions. 

According to research cited by Trend Micro, the use of Cloudflare’s infrastructure creates a significant blind spot for many security solutions. Domains containing “trycloudflare.com” often appear trustworthy, allowing AsyncRAT payloads to be delivered without triggering immediate alerts. This abuse of reputable services highlights how attackers increasingly rely on legitimate platforms to scale operations and evade defenses. 

Security researchers warn that although known malicious repositories and infrastructure may be taken down, similar campaigns are likely to reappear using new domains and delivery methods. Monitoring WebDAV connections, scrutinizing traffic involving TryCloudflare domains, and closely analyzing phishing attachments remain critical steps in identifying and mitigating AsyncRAT infections.
Read more »
DDOS Attack
Aisuru Botnet Cloudfare Cyber Attacks DDOS Attack

Aisuru Botnet Unleashes Record 29.7 Tbps DDoS Attack

 

A new record-breaking 29.7 Tbps distributed denial-of-service (DDoS) attack launched via the Aisuru botnet has set a new standard for internet disruption and reinforced that multi-terabit attacks are on track to soon be an everyday event for DDoS defenders. According to Cloudflare’s latest DDoS threats report, Aisuru launched an intense hyper-volumetric DDoS on a network layer with traffic that reached 29.7 Tbps and 14.1 billion packets per second, reaching new heights beyond previous records that topped 22 Tbps. 

The DDoS attack employed a UDP ‘carpet bombing’ technique that targeted 15,000 destination ports every second with random packet components constantly varying so as not to get filtered out at traditional scrubbing centers. Despite these efforts, Cloudflare reports that Aisuru traffic took mere seconds for an autonomous mitigation system to identify and remove. 

Behind the incident is a botnet Cloudflare now estimates at 1 million to 4 million compromised devices, making Aisuru the biggest DDoS botnet in active circulation. Since the start of 2025, Cloudflare has mitigated 2,867 Aisuru incidents, with 1,304 hyper-volumetric attacks in the third quarter alone - a 54% quarter-over-quarter increase that equates to about 14 mega-events a day. Segments of the botnet are openly leased as "chunks", allowing buyers to rent enough power to take down backbone connections or perhaps even national ISPs for mere hundreds or thousands of dollars apiece.

Cloudflare thwarted a total of 8.3 million DDoS attacks in the third quarter of 2025, a 15% increase from the prior quarter and 40% year-over-year, while marking the 2025 year-to-date total at 36.2 million - already 170% of all attacks recorded in 2024 and still one full quarter away. 

About 71% of Q3 attacks were network-layer traffic, which soared 87% QoQ and 95% YoY, while HTTP-layer events fell 41% QoQ and 17% YoY, indicating a strategic swing back to pure bandwidth and transport-layer exhaustion. The extremes are picked up the most: incidents over 100 Mpps jumped 189% QoQ, and those above 1 Tbps increased by 227%, though many ended within 10 minutes, too late for any effective intervention by manual actions or DDoS-on-demand mitigation programs.

Collateral damage continues to escalate as well. KrebsOnSecurity reports Aisuru-driven traffic has already caused severe outages at U.S. internet services not targeted as main victims. Cloudflare data shows Aisuru and actors like it have targeted telecoms, gaming, hosting, and financial services intensely. Information Technology and Services, telecoms, gambling and casinos are among the toughest hit sectors in Q3. 

Geopolitics and societal unrest are increasingly reflected in attack behavior. DDoS traffic against generative AI service providers jumped as high as 347% month-over-month in September, and DDoS attacks on mining, minerals and metals, and autos failed to lag as tensions escalated involving EV tariffs and China and the EU.

Indonesia continues as source number one for DDoS traffic, registering an astonishing 31,900% increase in HTTP DDoS requests since 2021, and there were sharp increases in Q3 2025 for the Maldives, France, and Belgium, reflecting massive protests and worker walkouts. China stayed the most‑targeted country, followed by Turkey and Germany, with the United States climbing to fifth and the Philippines showing the steepest rise within the top 10, underscoring how modern DDoS campaigns now track political flashpoints, public anger, and regulatory fights over AI and trade almost in real time.
Read more »
Login
CAPTCHA Cloudfare Cyber Security Internet Login

Cloudfare CAPTCHA Page Tricks Users Into Downloading Malware

Cloudfare CAPTCHA Page Tricks Users Into Downloading Malware

An advanced but simple phishing tactic is being distributed, it deploys fake Cloudflare CAPTCHA pages to target users with malware. 

A recent research by SlashNext says the technique, called  ClickFix tricks users into running commands that deploy malware. ClickFix shows a fake version of Cloudflare’s Turnstile CAPTCHA page. It replicates visual layout and technical elements like Ray ID identifier to look authentic. 

Prompt that users generally miss

The phishing site is hosted on a domain that looks like the real one, or an authentic website that has been attacked. When users visit the site, they are tricked into checking a box called “Verify you are human.” 

This step looks normal and doesn’t raise any suspicion but after this, the users are asked to run a series of commands such as “Win + R” then “Ctrl + V” and after that “Enter.” These steps look harmless but they use a PowerShell command. Once executed, it can extract malware such as Lumma, NetSupport Manager, and Stealc. 

According to security expert Daniel  Kelley, “ClickFix is a social engineering attack that tricks users into running malicious commands on their own devices – all under the guise of a routine security check.” ClickFix is dangerous because it uses standard security measures as attack tools.  

Experts call this “verification fatigue,” where a user clicks through various prompts without proper investigation. "In the context of a familiar-looking Cloudflare page, a user often assumes these extra steps are normal, especially if they’re in a hurry to reach some content. The instructions to press Win+R and Ctrl+V may raise an eyebrow for tech-savvy people, but an average user – seeing official logos and not understanding the implications – can be socially engineered into treating it as an advanced CAPTCHA," Slash reported in the blog.

This tactic doesn't depend on exploiting software flaws, it exploits trust and user habits. 

The phishing page is sent as a single HTML file but includes embedded scripts and hidden code to perform clipboard injections.

It uses genuine Windows utilities and doesn't download executables so that it can escape traditional identification tools. General defenses such as endpoint protection or antivirus software usually aim to detect binaries or suspicious downloads. 

In this incident, users were baited into activating the threat themselves. This underscores the need for sophisticated malware protection with zero-hour defense that can detect clipboard injections and malicious CAPTCHA screens in real-time. 

Read more »
Vulnerabilities and Exploits
Cloudfare Discord Signal User Privacy Vulnerabilities and Exploits

Cloudflare CDN Vulnerability Exposes User Locations on Signal, Discord

 

A threat analyst identified a vulnerability in Cloudflare's content delivery network (CDN) which could expose someone's whereabouts just by sending them an image via platforms such as Signal and Discord. While the attack's geolocation capability is limited for street-level tracking, it can provide enough information to determine a person's regional region and track their activities. 

Daniel's discovery is especially alarming for individuals who are really concerned regarding their privacy, such as journalists, activists, dissidents, and even cybercriminals. This flaw, however, can help investigators by giving them further details about the state or nation where a suspect might be. 

Covert zero-click monitoring

Daniel, a security researcher, found three months ago that Cloudflare speeds up load times by caching media resources at the data centre closest to the user. 

"3 months ago, I discovered a unique 0-click deanonymization attack that allows an attacker to grab the location of any target within a 250 mile radius," explained Daniel. "With a vulnerable app installed on a target's phone (or as a background application on their laptop), an attacker can send a malicious payload and deanonymize you within seconds--and you wouldn't even know.” 

To carry out the information-disclosure assault, the researcher would transmit a message to an individual including a unique image, such as a screenshot or a profile avatar, stored on Cloudflare's CDN. 

Subsequently, he exploited a flaw in Cloudflare Workers to force queries through specific data centres via a new tool called Cloudflare Teleport. This arbitrary routing is typically prohibited by Cloudflare's default security limitations, which require that each request be routed from the nearest data centre. 

By enumerating cached replies from multiple Cloudflare data centres for the sent image, the researcher was able to map users' geographical locations based on the CDN returning the closest airport code to their data centre.

Furthermore, since many apps, like Signal and Discord, automatically download images for push notifications, an attacker can monitor a target without requiring user engagement, resulting in a zero-click attack. Tracking accuracy extends from 50 to 300 miles, depending on the location and the number of Cloudflare data centers nearby.
Read more »
User Data
Cloud Firm Cloudfare Data Breach Data Loss User Data

Faulty Upgrade at Cloudflare Results in User Data Loss

 

Cloudflare has disclosed a severe vulnerability with its logging-as-a-service platform, Cloudflare Logs, which resulted in user data loss due to an improper software update. The US-based connectivity cloud firm acknowledged that around 55% of log data generated over a 3.5-hour period on November 14, 2024, was permanently wiped out. This loss was caused by a succession of technical misconfigurations and system failures. 

Cloudflare logs collects event metadata from Cloudflare's global network and makes it available to customers for troubleshooting, compliance, and analytics. To speed up log delivery and avoid overloading users, the organisation uses Logpush, a system that collects and transmits data in manageable sums. An update to Logpush caused a series of system failures, disrupting services and resulting in data loss. 

The incident started with a configuration upgrade to enable support for an additional dataset in Logpush. A defect in the configuration generation system resulted in Logfwdr, a component responsible for forwarding logs, receiving an empty configuration. This error informed Logfwdr that no logs needed to be delivered. Cloudflare discovered the bug within minutes and reverted the update. 

However, rolling back the update triggered a separate, pre-existing issue in Logfwdr. This flaw, which was linked to a fail-safe technique designed to "fail open" in the event of configuration mistakes, caused Logfwdr to process and attempt to transmit logs for all customers, not just those with active setups. 

The unexpected rise in log processing overloaded Buftee, Cloudflare's log buffering system. Buftee is intended to keep distinct buffers for each customer to ensure data integrity and prevent interference between log operations. Under typical circumstances, Buftee manages millions of buffers worldwide. The large influx of data caused by the Logfwdr mistake boosted buffer demand by fortyfold, exceeding Buftee's capacity and rendering the system unresponsive. 

According to Cloudflare, addressing the issue needed a complete system reset and several hours of recovery time. During this time, the company was unable to transfer or recover the affected logs, which resulted in permanent data loss.

Cloudflare attributed the incident to flaws in its system security and configuration processes. While systems for dealing with such issues existed, they were not set up to handle such a large-scale failure. Buftee, for example, offers capabilities designed to handle unexpected surges in buffer demand, but these functions were not enabled, leaving the system vulnerable to overflow.

The company also stated that the fail-open mechanism in Logfwdr, which was established during the service's early development, has not been updated to match the much bigger user base and traffic levels. This error enabled the system to send logs for all clients, resulting in a resource spike that exceeded operational constraints. 

Cloudflare has apologised for the disruption and pledged to prevent similar instances in the future. The company is implementing new alerts to better detect configuration issues, improving its failover procedures to manage larger-scale failures, and doing simulations to verify system resilience under overload scenarios. 

Furthermore, Cloudflare is improving its logging design so that individual system components can better withstand cascading failures. While faults in complex systems are unavoidable, the company's priority is to minimise their impact and ensure that services recover fast. 

Last month, Cloudflare claimed successfully managing the largest recorded distributed denial-of-service (DDoS) assault, which reached 3.8 terabits per second (Tbps). The attack was part of a larger campaign aimed at industries such as internet services, finance, and telecommunications. The campaign consisted of over 100 hyper-volumetric DDoS attacks carried out over the course of a month, overwhelming network infrastructure with massive amounts of data.
Read more »
Online Security
Cloudfare CrowdStrike Cyber Attacks Cybersecurity Okta Data Breach Online Security

Cloudflare Faces Cybersecurity Breach in Okta Supply-Chain Attack



Cloudflare, a prominent Internet security and DDoS protection company, recently fell victim to a cyberattack linked to the widespread Okta supply-chain campaign last fall. The breach, affecting Cloudflare's Atlassian Bitbucket, Confluence, and Jira platforms, commenced on Thanksgiving Day.

Cloudflare, in collaboration with industry and government partners, determined that a nation-state attacker aimed to gain persistent and widespread access to its global network. Working with CrowdStrike, the company found that cyber attackers initially accessed the internal wiki (Confluence) and bug database (Jira). They later established persistence on the Atlassian server and proceeded to explore potential points of entry. The assailants successfully breached Cloudflare's source code management system (Bitbucket) and an AWS instance.

The analysis revealed the attackers sought information about the configuration and management of Cloudflare's global network. They accessed various Jira tickets related to vulnerability management, secret rotation, MFA bypass, network access, and the company's response to the Okta incident. Fortunately, due to network segmentation and a zero-trust authentication approach limiting lateral movement, the attackers were largely prevented from accessing critical systems.

Despite minimal access, Cloudflare took comprehensive measures, rotating over 5,000 production credentials, segmenting test and staging systems, and conducting forensic triages on nearly 5,000 systems. The company also reimaged and rebooted every machine in its global network and all Atlassian products.

Experts emphasise the severity of supply chain attacks, highlighting the risk of non-human access being exploited by attackers to gain high-privilege access to internal systems. This breach underscores the importance of monitoring both cloud-based and on-premises solutions.

Notably, Cloudflare identified the compromise's connection to a prior Okta breach in October. Okta, an identity and access management services provider, disclosed a compromise in its customer support case management system, exposing sensitive customer data. The attackers leveraged access tokens and service account credentials obtained during the Okta compromise. All threat actor access was terminated on November 24, according to CrowdStrike.

In response, Cloudflare conducted a thorough security remediation, emphasising the need for credential rotation after a security incident. Okta confirmed its prior notification to customers about the October security incident, urging them to rotate credentials and providing indicators of compromise.

This incident draws attention to the ongoing challenges posed by sophisticated cyber threats, making it clear that the importance of continuous vigilance and proactive security measures is substantial. The collaboration between companies and security experts remains crucial in mitigating the impact of such attacks.

As cybersecurity threats continue to evolve, it is imperative for organisations to stay informed, implement robust security practices, and prioritise swift responses to potential breaches.


Read more »
Unauthorized access
Cloudfare Dark Web Data Breach Domain Proxy Jacking Proxy Server Sensitive data SSH Unauthorized access

Proxyjacking Threat: Exploited SSH Servers for Sale on the Dark Web

A new attack targeting Secure Shell (SSH) servers has surfaced in the constantly changing world of cybersecurity. Concerningly, exploited SSH servers are now being provided as proxy pools on the dark web, which is a worrying trend. The integrity of global digital infrastructures as well as the security of sensitive data are seriously jeopardized by this trend.

The Proxyjacking Menace

Proxyjacking, as it is now termed, involves cybercriminals compromising SSH servers and selling them on the dark web as part of proxy pools. These servers are then used as a gateway for malicious activities, bypassing traditional security measures and gaining unauthorized access to networks. This technique allows attackers to conceal their true identity and location, making it difficult for cybersecurity professionals to trace and mitigate the threat.

Cloudflare, a prominent cybersecurity firm, highlights the significance of SSH in secure networking. SSH tunneling is a powerful tool for encrypting connections and safeguarding sensitive data during transmission. However, when these tunnels are breached, they become a potential point of vulnerability. Cloudflare emphasizes the need for robust security measures to protect against SSH-related threats.

SSH Tunneling and its Vulnerabilities

SSH tunneling is widely used to establish secure connections over untrusted networks. However, when improperly configured or outdated, SSH servers become susceptible to exploitation. Cybercriminals are quick to capitalize on these vulnerabilities, using compromised servers to launch attacks that can lead to data breaches, unauthorized access, and network compromise.

The exploitation of SSH servers for proxy jacking poses a significant risk to organizations and individuals alike. By leveraging these compromised servers, attackers can gain access to sensitive information, compromise critical systems, and disrupt operations. The consequences of such breaches can be severe, ranging from financial losses to reputational damage.

To defend against this emerging threat, organizations must prioritize the security of their SSH servers. Regularly updating and patching systems, implementing strong access controls, and employing advanced intrusion detection systems are essential to fortifying defenses against proxy jacking attacks. Furthermore, organizations should consider monitoring the dark web for any indications of compromised servers associated with their domains.

Proxyjacking has become more prevalent due to vulnerable SSH servers, which emphasizes the constant necessity for cybersecurity awareness. Being knowledgeable about new strategies and bolstering defenses are essential as cyber threats continue to change. Organizations may preserve their digital assets and shield themselves from the sneaky threat of proxyjacking by putting in place strong security measures and being diligent in monitoring for any breaches.



Read more »
Privacy
AI Chatbot API Attack Automated accounts CDN Cloudfare Data Fraud Firewall Privacy

Automated Bots Pose Growing Threat To Businesses

The capability to detect, manage, and mitigate bot-based requests has become of utmost importance as cyber attackers become more automated. Edgio, a company created by the merging of Limelight Networks, Yahoo Edgecast, and Layer0, has unveiled its own bot management service in response to this expanding threat. In order to compete with competing services from Web application firewall (WAF) providers and Internet infrastructure providers, the service focuses on leveraging machine learning and the company's Web security capacity to enable granular policy controls.

Bot management is not just about preventing automated attacks, but also identifying and monitoring good bots such as search bots and performance monitoring services. According to Richard Yew, senior director of product management for security at Edgio, “You definitely need the security solution but you also want visibility to be able to monitor good bot traffic.” In 2022, for example, the number of application and API attacks more than doubled, growing by 137%, according to Internet infrastructure firm Akamai. 

The impact of bots on businesses can be seen in areas such as inventory-hoarding attacks or ad fraud. As a result, bot management should involve all aspects of an organization – not just security. Sandy Carielli, principal analyst at Forrester Research noted that “bot management is not just about security being the decision-makers. If you're dealing with a lot of inventory-hoarding attacks, your e-commerce team is going to want to say in. If you're dealing with a lot of ad fraud, your marketing team will want to be in the room.”

Bot management systems typically identify the source of Web or API requests and then use policies to determine what to allow, what to deny, and which requests represent potentially interesting events or anomalies. Nowadays, 42% of all Internet traffic comes from automated systems — not humans — according to data from Imperva. To deal with this, Edgio inspects traffic at the edge of the network and only allows ‘clean’ traffic through its network. This helps stop attacks before they can impact other parts of the network. Content delivery networks (CDNs) such as Akamai, Cloudflare, and Fastly have also adopted bot management features as well.

Bot management is clearly becoming a more crucial issue for enterprises as automated attacks increase in frequency. Organizations require all-encompassing solutions to address this issue, involving teams from marketing, security, and e-commerce. Employing such technologies enables organizations to safeguard their resources from dangerous bot attacks while keeping track of reputable good bots. 


Read more »
Subscribe to: Comments (Atom)