• Cloudflare, a company that provides web security and infrastructure, recently reported that it stopped a huge cyber attack.

    This attack reached a record high of 11.5 terabits per second (Tbps). It was a type of attack called a Distributed Denial-of-Service (DDoS) attack, specifically a UDP flood. Most of the attack came from compromised resources on the Google Cloud Platform.

    The company’s automated defense systems detected and neutralized the hyper-volumetric attack, which, despite its immense size, lasted for only about 35 seconds.

    An image shared by Cloudflare detailed the attack’s brief but powerful lifecycle, showing a rapid spike to 11.5 Tbps before being brought under control.

    Cloudflare confirmed its systems “autonomously detected and mitigated” the threat, highlighting the critical role of automated defenses in combating modern cyberattacks that can materialize and vanish in minutes.

    DDoS Attack Graph (Source: Cloudflare)

    This record-shattering event is not an isolated incident. According to Cloudflare, its security infrastructure has been under intense pressure over the past few weeks, having blocked “hundreds of hyper-volumetric DDoS attacks.”

    Among these was another significant assault that registered 5.1 billion packets per second (Bpps), demonstrating the diverse and persistent nature of the threats targeting online services.

    A UDP (User Datagram Protocol) flood is a type of DDoS attack where the attacker overwhelms a target server with a massive number of UDP packets.

    Because UDP is a “connectionless” protocol, the server can be quickly exhausted as it attempts to process and respond to each incoming packet, eventually rendering it unable to handle legitimate traffic.
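    An added example, not part of the Cloudflare report or this article: a minimal detector over constructed per-second UDP counters (the kind a flow exporter or edge telemetry would produce) that flags seconds far above a quiet baseline and groups them into bursts, reporting duration and peak bit rate. The counter values are invented and far below the 11.5 Tbps figure; the baseline window and the ratio are arbitrary tuning knobs, not Cloudflare's thresholds.

```python
from statistics import median


def build_sample_counters():
    """Constructed per-second UDP counters as (second, packets, bytes): 60 s of
    quiet traffic, a 35 s flood, then quiet again. Illustrative values only,
    not Cloudflare's measurements."""
    quiet = [(sec, 1_000 + (sec % 7) * 10, 120_000 + (sec % 7) * 1_200) for sec in range(0, 60)]
    flood = [(sec, 9_000_000, 9_000_000 * 1_200) for sec in range(60, 95)]
    tail = [(sec, 1_000 + (sec % 7) * 10, 120_000 + (sec % 7) * 1_200) for sec in range(95, 120)]
    return quiet + flood + tail


def find_udp_bursts(counters, baseline_seconds=30, ratio=50):
    """Flag every second whose UDP packet rate exceeds `ratio` times the median
    rate of the first `baseline_seconds`, then group consecutive flagged seconds
    into bursts with their start, duration and peak bit rate."""
    base_pps = median(packets for _, packets, _ in counters[:baseline_seconds])
    bursts, current = [], None
    for sec, packets, nbytes in counters:
        if packets > base_pps * ratio:
            if current is None:
                current = {"start": sec, "duration": 0, "peak_bps": 0}
            current["duration"] += 1
            current["peak_bps"] = max(current["peak_bps"], nbytes * 8)
        elif current is not None:
            bursts.append(current)
            current = None
    if current is not None:
        bursts.append(current)
    return bursts


def describe(burst):
    """Human-readable one-liner for an alert or a ticket."""
    return (f"UDP burst from t={burst['start']}s lasting {burst['duration']}s, "
            f"peak {burst['peak_bps'] / 1e9:.1f} Gbps")


if __name__ == "__main__":
    for burst in find_udp_bursts(build_sample_counters()):
        print(describe(burst))
```

    The point of grouping is the duration figure: a 35-second burst that is over in less time than a human can read the first alert is exactly why the article stresses automated mitigation rather than manual response.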

    The origination of such a large-scale attack from a major public cloud provider like Google Cloud highlights a persistent challenge in the cybersecurity landscape.

    Malicious actors often exploit the vast resources and scalability of cloud platforms to build powerful botnets, capable of launching attacks with a magnitude that would be difficult to achieve with traditional hardware.

    Cloudflare has indicated that a more detailed technical analysis of the attack will be provided in an upcoming report.


    The post Record-breaking 11.5 Tbps UDP Flood DDoS Attack Originated from Google Cloud Platform appeared first on Cyber Security News.


  • Researchers have demonstrated that advanced prompt injection techniques can turn defensive AI agents into potent vectors for system compromise. The findings, detailed in a new preprint titled “Cybersecurity AI: Hacking the AI Hackers via Prompt Injection,” expose a fundamental architectural weakness in large language model (LLM)–based security tools that could upend trust in automated pen-testing […]

    The post Prompt Injection Attacks Can Exploit AI-Powered Cybersecurity Tools appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Proactive threat hunting has become an essential discipline for Security Operations Center (SOC) analysts and Managed Security Service Providers (MSSPs). Traditional detection methods often miss novel or sophisticated adversarial techniques, making it critical for security teams to leverage advanced tools and methodologies. ANY.RUN’s Threat Intelligence Lookup (TI Lookup) empowers analysts with granular insights into Indicators […]

    The post Threat Hunting Guide Designed for SOC Analysts and MSSPs appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Cybersecurity researchers have flagged a Ukrainian IP network for engaging in massive brute-force and password spraying campaigns targeting SSL VPN and RDP devices between June and July 2025. The activity originated from a Ukraine-based autonomous system FDN3 (AS211736), per French cybersecurity company Intrinsec. “We believe with a high level of confidence that FDN3 is part of a wider abusive


  • In mid-2025, a coalition of Ukraine-based autonomous systems orchestrated unprecedented brute-force and password-spraying campaigns against exposed SSL VPN and Remote Desktop Protocol (RDP) services, overwhelming security defenses and highlighting the growing sophistication of state-linked cyber-infrastructure. Over a concentrated three-day period in July 2025, the network operated under AS211736 (“FDN3”), allocated to FOP Dmytro Nedilskyi, unleashed […]

    The post Ukrainian Hackers Ramp Up Brute-Force and Password-Spraying Attacks on VPN and RDP Systems appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • A sophisticated subgroup of the Lazarus threat actor has surfaced in recent months, deploying three distinct remote access trojans (RATs) across compromised financial and cryptocurrency organizations.

    Initial access has primarily been achieved via tailored social engineering campaigns on Telegram, where attackers impersonate legitimate employees of well-known trading firms.

    Victims are lured to counterfeit meeting websites, such as fake Calendly and Picktime portals, where a suspected Chrome zero-day exploit then facilitates silent code execution on the victim’s machine.

    Once inside the network, the attackers immediately deploy PondRAT as a first-stage loader, followed by the stealthier ThemeForestRAT running purely in memory.

    After several months of reconnaissance and lateral movement, the Lazarus subgroup cleans up earlier artifacts and installs the more advanced RemotePE RAT to solidify long-term access.

    Fox-IT and NCC Group analysts noted that the speed and precision of this infection chain underscore the actor’s advanced capabilities and deep familiarity with both custom and publicly available tooling.

    The impact of this campaign extends beyond simple credential theft: the trio of RATs enables file manipulation, shellcode injection, RDP session monitoring, and secure file exfiltration.

    Organizations in decentralized finance (DeFi) have reported significant disruptions, with hidden backdoors allowing continuous data harvesting and opportunistic lateral pivots for subsequent supply-chain intrusions.

    Despite widespread awareness of Lazarus activity, this subgroup’s use of fresh malware families and suspected zero-day exploits has caught many defenders off guard.

    Adding urgency, the group’s refined operational security demonstrates an ability to blend custom loaders with Windows phantom DLL hijacking and DPAPI encryption.

    Attack chain (Source – Fox-IT)

    Analysts identified that PerfhLoader abuses the SessionEnv service via phantom DLL loading to persistently execute PondRAT or its predecessor POOLRAT.

    Telegram phishing message impersonating trading company employee (Source – Fox-IT)

    The loader decrypts an opaque payload file (e.g., perfh011.dat) using a rolling XOR cipher before in-memory execution.

    The three RATs are:

    • PondRAT
    • ThemeForestRAT
    • RemotePE

    Infection Mechanism: Rolling XOR Decryption and In-Memory Execution

    A critical element in the Lazarus infection mechanism lies in the decryption and loading of encrypted payloads directly into process memory.

    PerfhLoader, a lightweight custom loader, resides in %SystemRoot%\System32\ and reads a seemingly innocuous DLL file encrypted via a rolling XOR algorithm.

    PerfhLoader loaded through SessionEnv service via Phantom DLL Loading which in turn loads PondRAT or POOLRAT (Source – Fox-IT)

    The Python pseudocode below illustrates this cipher, which continually mutates its key with each processed byte:

    def crypt_buf(data: bytes) -> bytes:
        # 16-byte state seeded with 0x00..0x0F; it is rewritten as bytes are processed
        xor_key = bytearray(range(0x10))
        buf = bytearray(data)
        for idx in range(len(buf)):
            # combine three taps of the rotating state (indices wrap modulo 16)
            a = xor_key[(idx + 5) & 0xF]
            b = xor_key[(idx - 3) & 0xF]
            c = xor_key[(idx - 7) & 0xF]
            xor_byte = a ^ b ^ c
            buf[idx] ^= xor_byte           # XOR is its own inverse: the same routine encrypts and decrypts
            xor_key[idx & 0xF] = xor_byte  # feed the output byte back into the state
        return bytes(buf)

    By employing this ever-evolving XOR key, the loader thwarts signature-based detection and forensic carving of its payload.
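    As an added example (not from the Fox-IT report or this article), the block below re-derives the keystream from the pseudocode above without touching any payload and then applies two properties that follow directly from it for defensive triage. First, the key schedule only ever reads and writes xor_key, never the data, so, if the real loader matches the pseudocode, every payload is XORed with the same fixed sequence and a captured file can be decrypted offline. Second, the state starts at 0x00..0x0F and is only ever updated with XORs of its own entries, so every keystream byte stays below 0x10 and the high nibble of each ciphertext byte equals the plaintext's. The sample plaintext is constructed; the "MZ" heuristic assumes the wrapped payload is a PE image, which the article's description of a manually loaded DLL suggests but does not state.

```python
def keystream(length: int) -> bytes:
    """Reproduce the key schedule of the article's pseudocode without touching any
    data. The schedule depends only on xor_key, so the output is the same for
    every payload (assumption: the real loader matches the pseudocode)."""
    xor_key = bytearray(range(0x10))
    out = bytearray()
    for idx in range(length):
        xor_byte = xor_key[(idx + 5) & 0xF] ^ xor_key[(idx - 3) & 0xF] ^ xor_key[(idx - 7) & 0xF]
        out.append(xor_byte)
        xor_key[idx & 0xF] = xor_byte
    return bytes(out)


def crypt_buf(data: bytes) -> bytes:
    """Encrypt or decrypt (XOR is its own inverse) against the fixed keystream."""
    return bytes(d ^ k for d, k in zip(data, keystream(len(data))))


def high_nibbles(data: bytes) -> bytes:
    """Keep only the upper four bits of each byte."""
    return bytes(b & 0xF0 for b in data)


def looks_like_xor_wrapped_pe(blob: bytes) -> bool:
    """Triage heuristic: because every keystream byte is < 0x10, only low nibbles
    change. A DOS/PE header starting 'MZ' (0x4D 0x5A) therefore keeps the high
    nibbles 0x40 0x50 after encryption. Hypothetical check, not a verdict."""
    return len(blob) >= 2 and high_nibbles(blob[:2]) == b"\x40\x50"


# Constructed sample: a fake PE-like header followed by filler, not a real payload.
SAMPLE_PLAINTEXT = b"MZ" + bytes(range(64))


if __name__ == "__main__":
    enc = crypt_buf(SAMPLE_PLAINTEXT)
    print("keystream prefix:", keystream(8).hex())
    print("round trip ok:", crypt_buf(enc) == SAMPLE_PLAINTEXT)
    print("looks like wrapped PE:", looks_like_xor_wrapped_pe(enc))
```

    The nibble observation is what makes this useful for hunting rather than only for decryption: a file such as the article's perfh011.dat can be screened for a preserved 0x40 0x50 prefix before any decryption is attempted. Two bytes give many false positives on their own, so treat a hit as a reason to run the full keystream and inspect the result, not as proof.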

    After decrypting, PerfhLoader leverages an open-source manual DLL loader to inject PondRAT into memory without writing executable files to disk, enabling stealthy reconnaissance and data exfiltration operations.

    This in-memory execution strategy, combined with a suspected Chrome zero-day for initial compromise, underlines the threat actor’s sophistication and justifies heightened vigilance among cybersecurity professionals.


    The post Lazarus Hackers Deploying Three RATs on Compromised Systems Possibly Using 0-Day Vulnerability appeared first on Cyber Security News.


  • Users of the popular messaging app WhatsApp are being targeted by a new, highly deceptive scam that grants attackers full access to victims’ contacts, chat history, and media files. Cybercriminals are exploiting the app’s device linking feature to hijack accounts, then using the compromised profiles to spread further malicious links to unsuspecting friends and family. […]

    The post New WhatsApp Scam Poses Serious Risk: Hackers Can Hijack Your Chats appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Microsoft announced that its AI-powered Editor browser extensions for Microsoft Edge and Google Chrome will be retired effective October 31, 2025. With this move, the company aims to streamline its writing-assistance offerings by integrating the core capabilities of Microsoft Editor directly into Microsoft Edge’s built-in proofing experience. No administrative action is required; users can continue […]

    The post Microsoft to Retire Popular Editor Extensions on Edge and Chrome appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • A critical denial-of-service vulnerability in HashiCorp Vault could allow malicious actors to overwhelm servers with specially crafted JSON payloads, leading to excessive resource consumption and rendering Vault instances unresponsive. 

    Tracked as CVE-2025-6203 and published on August 28, 2025, the flaw affects both Vault Community and Enterprise editions from version 1.15.0 up to several patched releases. 

    Operators are urged to upgrade to Vault 1.20.3 (Community and Enterprise), 1.19.9, 1.18.14, or 1.16.25 to mitigate the issue.

    Memory-Based DoS Vulnerability

    Vault’s audit devices are responsible for logging every request interaction before completing the request. 

    A malicious user can submit a payload that meets the default max_request_size limit (32 MiB by default) but leverages deeply nested JSON structures or excessive entries to force extreme CPU and memory usage in the audit subroutine. 

    As the JSON parser recurses through long string values or high object entry counts, memory consumption spikes, triggering timeouts and causing the Vault server to become unresponsive.

    HashiCorp has introduced new listener configuration options to further harden Vault against abusive JSON payloads. The TCP listener may now be configured with:

    • max_json_depth: Maximum nesting depth for JSON objects.
    • max_json_string_value_length: Maximum length for string values.
    • max_json_object_entry_count: Maximum number of key/value pairs in an object.
    • max_json_array_element_count: Maximum elements in a JSON array.
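    The four listener options cap the structural dimensions of a request before the parser recurses into it, which is the property that matters: a payload can be under the 32 MiB size limit and still be pathological. As an added illustration (not Vault's code; the limit values and the sample payloads are made up for the demo), the Python below enforces the same four caps in one linear pass over the raw text, so an abusive document is rejected before json.loads() ever recurses.

```python
import json


class JsonLimitError(ValueError):
    """Raised when a payload exceeds one of the structural limits."""


def check_json_limits(text: str, max_depth: int = 32, max_string_len: int = 1024,
                      max_object_entries: int = 256, max_array_elements: int = 256) -> None:
    """Single linear pass over the raw text that enforces depth, string length,
    object entry count and array element count before any recursive parsing.
    Raises JsonLimitError on the first violation. Default values are arbitrary."""
    depth = 0
    stack = []            # [kind, comma_count] for each currently open container
    i, n = 0, len(text)
    while i < n:
        ch = text[i]
        if ch == '"':
            # Skip over the string, honouring backslash escapes, and measure it.
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == "\\" else 1
            if j >= n:
                raise JsonLimitError("unterminated string")
            if j - i - 1 > max_string_len:
                raise JsonLimitError(f"string longer than {max_string_len} characters")
            i = j + 1
            continue
        if ch in "{[":
            depth += 1
            if depth > max_depth:
                raise JsonLimitError(f"nesting deeper than {max_depth}")
            stack.append([ch, 0])
        elif ch in "}]":
            if not stack or stack[-1][0] != ("{" if ch == "}" else "["):
                raise JsonLimitError("mismatched bracket")
            stack.pop()
            depth -= 1
        elif ch == ",":
            # A comma always belongs to the innermost open container.
            if not stack:
                raise JsonLimitError("separator outside any container")
            stack[-1][1] += 1
            kind, commas = stack[-1]
            if kind == "{" and commas + 1 > max_object_entries:
                raise JsonLimitError(f"object with more than {max_object_entries} entries")
            if kind == "[" and commas + 1 > max_array_elements:
                raise JsonLimitError(f"array with more than {max_array_elements} elements")
        i += 1
    if stack:
        raise JsonLimitError("unterminated container")


def parse_with_limits(text: str, **limits):
    """Validate structure first, then hand the text to the normal parser."""
    check_json_limits(text, **limits)
    return json.loads(text)


def rejection_reason(text: str, **limits):
    """Return the limit a payload violates, or None if it passes."""
    try:
        check_json_limits(text, **limits)
    except JsonLimitError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed payloads: one benign, one deeply nested, one with an oversized string.
    for sample in ['{"a": [1, 2, 3]}', "[" * 100 + "]" * 100, '{"k": "' + "x" * 5000 + '"}']:
        print(rejection_reason(sample))
```

    The pre-check costs one pass over the bytes and no allocation proportional to depth, which is the asymmetry a defender wants: the cheap side of the check is the server's. Running it in front of the audit pipeline, where the article locates the expensive work, is the layering the new listener parameters provide natively once Vault is upgraded.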

    Operators can find detailed guidance in the API documentation for listener parameters and the Vault upgrade guide.

    HashiCorp acknowledges Darrell Bethea, Ph.D., of Indeed for responsibly reporting this vulnerability.

    Risk factors and details:
    Affected Products: Vault Community and Vault Enterprise 1.15.0 through 1.20.2, 1.19.8, 1.18.13, and 1.16.24
    Impact: Denial of Service
    Exploit Prerequisites: Network access to Vault listener; ability to submit HTTP API requests with crafted JSON payloads
    CVSS 3.1 Score: 7.5 (High)

    Mitigations

    To remediate CVE-2025-6203, customers should upgrade to one of the patched versions: Vault Community Edition 1.20.3 or Vault Enterprise editions 1.20.3, 1.19.9, 1.18.14, or 1.16.25. 

    Upgrading will enable built-in limits on JSON payload complexity, preventing the excessive recursion that triggers the Denial of Service. 

    Administrators are also encouraged to review their max_request_size settings and apply listener-level constraints to JSON parsing as part of a defense-in-depth strategy.


    The post HashiCorp Vault Vulnerability Let Attackers to Crash Servers appeared first on Cyber Security News.


  • A critical flaw in the Mobile Security Framework (MobSF) has been discovered, allowing authenticated attackers to upload and execute malicious files by exploiting improper path validation. 

    The vulnerability, present in version 4.4.0 and patched in 4.4.1, underscores the importance of rigorous sanitization when handling user‐supplied file paths and archives.

    Key Takeaways
    1. MobSF v4.4.0 allowed attackers to exploit file path flaws to access sensitive files.
    2. These vulnerabilities risked data leaks and system corruption.
    3. Update and secure the platform.

    Directory Traversal Vulnerability (CVE-2025-58161)

    The first issue resides in the download handler implemented in MobSF/views/home.py. The function naively strips the /download/ prefix and concatenates the remaining string to the configured settings.DWD_DIR using Python’s Path API:

    [Image: MobSF Security Testing Tool Vulnerability]

    Here, is_safe_path() uses os.path.commonprefix() to verify that the resolved check_path begins with the safe_root. 

    However, since commonprefix compares raw strings, a sibling directory named /home/mobsf/.MobSF/downloads_bak is incorrectly considered inside /home/mobsf/.MobSF/downloads. By issuing a request like:

    [Image: MobSF Security Testing Tool Vulnerability]

    An attacker can retrieve any file with an allowed extension from the sibling directory. 

    This Directory Traversal vulnerability (CVE-2025-58161) carries a Low severity rating (CVSS 3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:N) and affects all installations using version 4.4.0 of the mobsf package.

    Absolute Path Slip Vulnerability

    A second, more severe weakness (CVE-2025-58162) affects the AR archive extraction logic in mobsf/StaticAnalyzer/views/common/shared_func.py. 

    The ar_extract() function decodes each archive member name and filters only for relative‐path traversals (.., %2e%2e, etc.), neglecting absolute filenames:

    [Image: MobSF Security Testing Tool Vulnerability]

    When filtered begins with /, Path(dst) / filtered resolves to the absolute path. An attacker-controlled .a archive containing a member like /home/mobsf/.MobSF/db.sqlite3 results in overwriting the database file outside the intended static_objects directory. 

    Demonstrations showed that uploading a crafted archive triggers a server error and corrupts the SQLite database, leading to malfunctioning scans and potential Stored XSS by tampering with static templates.

    This Moderate severity flaw (CVSS 3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H) enables arbitrary file writes under the MobSF process’s privileges, risking distortion of analysis results, integrity compromise, and service disruption.

    CVE ID           Title                                            CVSS 3.1 Score   Severity
    CVE-2025-58161   Path Traversal in MobSF Download Route           0                Low
    CVE-2025-58162   Arbitrary File Write via .a Archive Extraction   7.4              Moderate

    Mitigation 

    Credit for discovering these vulnerabilities goes to Vasily Leshchenko (Solar AppSec) and the reporter noname1337h1. 

    Both issues have been addressed in MobSF 4.4.1. Users should upgrade immediately. Recommended fixes include:

    • Rejecting absolute paths by checking normalized input with os.path.isabs().
    • Using os.path.commonpath() instead of commonprefix() for robust directory boundary enforcement.
    • Ensuring archive extraction always verifies that normalized target paths remain under the intended root.
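    Added example (not MobSF's code): a reconstruction, from the article's description, of the two weak checks next to the hardened versions that the recommended fixes call for. The downloads directory and the db.sqlite3 path are the ones the article quotes; the static_objects root, the file names and the sample request are constructed placeholders used only to exercise the checks.

```python
import posixpath
from pathlib import PurePosixPath
from typing import Callable, Optional

# Paths quoted in the article; STATIC_OBJECTS is a hypothetical stand-in for
# the extraction root the article calls static_objects.
DWD_DIR = "/home/mobsf/.MobSF/downloads"
STATIC_OBJECTS = "/home/mobsf/.MobSF/static_objects"


def is_safe_path_prefix(safe_root: str, check_path: str) -> bool:
    """Reconstruction of the 4.4.0-style check as the article describes it: a raw
    string-prefix comparison that cannot tell 'downloads' from 'downloads_bak'."""
    root = posixpath.normpath(safe_root)
    target = posixpath.normpath(check_path)
    return posixpath.commonprefix([root, target]) == root


def is_safe_path_commonpath(safe_root: str, check_path: str) -> bool:
    """Hardened check: commonpath compares path components, so a sibling
    directory that merely shares a string prefix is rejected."""
    root = posixpath.normpath(safe_root)
    target = posixpath.normpath(check_path)
    try:
        return posixpath.commonpath([root, target]) == root
    except ValueError:          # mixing absolute and relative paths
        return False


def resolve_download(requested: str, safe_check: Callable[[str, str], bool]) -> Optional[str]:
    """Mimic the download route: strip the /download/ prefix, join onto DWD_DIR,
    then apply the supplied boundary check. Returns None when the check fails."""
    relative = requested[len("/download/"):] if requested.startswith("/download/") else requested
    candidate = posixpath.normpath(posixpath.join(DWD_DIR, relative))
    return candidate if safe_check(DWD_DIR, candidate) else None


def archive_member_target_relative_only(dst: str, member: str) -> Optional[str]:
    """Reconstruction of the ar_extract() filter the article describes: it blocks
    '..' components but lets an absolute member name replace dst entirely,
    because Path(dst) / '/abs' evaluates to '/abs'."""
    if ".." in PurePosixPath(member).parts:
        return None
    return str(PurePosixPath(dst) / member)


def archive_member_target_hardened(dst: str, member: str) -> Optional[str]:
    """Reject absolute names up front, then confirm the normalized target still
    lies under dst so that traversal is caught by the same component check."""
    if posixpath.isabs(member) or ".." in PurePosixPath(member).parts:
        return None
    root = posixpath.normpath(dst)
    target = posixpath.normpath(posixpath.join(root, member))
    if posixpath.commonpath([root, target]) != root:
        return None
    return target


if __name__ == "__main__":
    # Constructed inputs that exercise the sibling-directory and absolute-member cases.
    req = "/download/../downloads_bak/report.pdf"
    print("prefix check:    ", resolve_download(req, is_safe_path_prefix))
    print("commonpath check:", resolve_download(req, is_safe_path_commonpath))
    member = "/home/mobsf/.MobSF/db.sqlite3"
    print("relative-only filter:", archive_member_target_relative_only(STATIC_OBJECTS, member))
    print("hardened filter:     ", archive_member_target_hardened(STATIC_OBJECTS, member))
```

    Both fixes reduce to the same rule: decide containment on path components after normalization, never on the string form, and reject absolute input before joining it, because pathlib's join discards the left operand when the right one is absolute.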


    The post MobSF Security Testing Tool Vulnerability Let Attackers Upload Malicious Files appeared first on Cyber Security News.
