DDoS Attack Hits Record Breaking 5.6Tbps
https://blog.cloudflare.com/ddos-threat-report-for-2024-q4/
Cloudflare has mitigated the largest DDoS attack ever recorded, peaking at a staggering 5.6 terabits per second (Tbps). This UDP-based attack, launched by a Mirai-based botnet of over 13,000 compromised devices, targeted an internet service provider (ISP) in Eastern Asia on October 29th, 2024.
While the attack lasted only 80 seconds, it highlights the growing trend of hyper-volumetric DDoS attacks. These attacks, exceeding 1 Tbps, surged in the fourth quarter of 2024, with a quarter-over-quarter growth of 1,885%.
Cloudflare observed a significant increase in short-lived attacks, with 72% of HTTP and 91% of network layer DDoS attacks lasting less than 10 minutes. This trend favors "blitz" attacks designed for maximum impact during peak usage periods.
Ransom DDoS attacks also saw a notable increase, peaking during the holiday season. Cloudflare emphasizes the need for automated DDoS protection services to effectively mitigate these rapid and powerful attacks.
The most targeted sectors included telecommunications, service providers, internet services, and marketing/advertising. China, the Philippines, and Taiwan were the most frequently targeted regions.
Telegram Captcha Trick Lures Users into Running Malicious PowerShell Scripts
https://x.com/vxunderground/status/1881946956806926351
Cybercriminals are exploiting the recent pardon of Silk Road founder Ross Ulbricht to spread malware.
The attack leverages a "Click-Fix" tactic, where users are tricked into running malicious code disguised as a necessary step. In this case, fake Ross Ulbricht accounts on X (formerly Twitter) direct users to a Telegram channel.
Within the Telegram channel, users are presented with a fake "identity verification" process. This process culminates in a Telegram mini-app that automatically copies a PowerShell command to the user's clipboard.
Victims are then instructed to paste this command into the Windows Run dialog and execute it. This action downloads and executes a malicious script, potentially leading to the installation of Cobalt Strike, a powerful penetration testing tool often used by threat actors for malicious purposes.
This sophisticated attack highlights the importance of exercising extreme caution before executing any code received from unknown sources. Users should always verify the authenticity of any such requests and never blindly execute commands from untrusted sources.
7-Zip Patch Released to Address Mark of the Web Bypass Vulnerability
7-Zip users are urged to update to the latest version (24.09) immediately to address a critical security vulnerability (CVE-2025-0411). This flaw allows attackers to bypass the Mark of the Web (MotW) security warnings in Windows, potentially enabling them to execute malicious code on unsuspecting users' machines.
Mark of the Web support, which 7-Zip added in June 2022, flags downloaded files as potentially risky so that Windows prompts a warning when users attempt to open or run them. This additional layer of security helps prevent malware infections.
The newly patched vulnerability allowed attackers to exploit nested archives. When extracting malicious files from such archives, 7-Zip failed to propagate the MotW flag to the extracted files, essentially rendering the security warnings useless.
Fortunately, the 7-Zip developer released a fix on November 30th, 2024. However, due to the lack of auto-update functionality, many users might still be running vulnerable versions.
Given the potential severity of this exploit, it's crucial for all 7-Zip users to update to version 24.09 as soon as possible. This vulnerability is similar to others exploited in the past to deliver malware. Patching promptly is essential to stay protected.
MasterCard DNS Misconfiguration Exposed for Years
https://krebsonsecurity.com/2025/01/mastercard-dns-error-went-unnoticed-for-years/
A critical error in MasterCard's domain name system (DNS) configuration went unnoticed for nearly five years. This misconfiguration could have allowed attackers to intercept or divert internet traffic for a portion of the mastercard.com network.
The issue stemmed from a typo in one of the five DNS server names MasterCard uses at Akamai, a major internet infrastructure provider. These servers translate website names into numeric addresses for computers. Instead of ending in "akam.net" like the others, this particular server was named "akam.ne."
Philippe Caturegli, a security researcher, discovered the typo and registered the corresponding domain "akam.ne" for $300 to prevent malicious actors from exploiting it. Caturegli observed hundreds of thousands of DNS requests hitting his server daily, indicating others might have made similar typos.
Had Caturegli set up malicious services on "akam.ne," he could have potentially intercepted emails or even obtained website encryption certificates for affected domains. However, he responsibly reported the issue directly to MasterCard.
MasterCard downplayed the security risks, claiming there was "not a risk to our systems." Caturegli disputed this, highlighting the potential for attackers to leverage public DNS resolvers and long-lasting cached data to reroute a significant portion of traffic.
The incident underscores the importance of robust DNS configurations and responsible vulnerability disclosure practices. MasterCard has since corrected the error, but the episode raises concerns about potential security weaknesses in critical infrastructure.
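As an added example (not from the Krebs article or MasterCard), here is a small stdlib-only Python audit that checks a zone's NS hostnames against the provider domains you expect and flags near-misses like the "akam.ne" typo described above. The NS records below are constructed sample data; in practice you would feed it the NS set you actually publish. Extracting the registrable domain as the last two labels is a deliberate simplification (no Public Suffix List).

```python
"""Audit a zone's NS records for delegation typos (added example, stdlib only)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

@dataclass
class Finding:
    nameserver: str
    registrable: str
    verdict: str              # "ok", "typo?" or "unexpected"
    closest: Optional[str]    # nearest expected domain for "typo?" verdicts

def registrable_domain(hostname: str) -> str:
    # Simplification: take the last two labels. A production audit should use
    # the Public Suffix List so names like "ns1.example.co.uk" are handled.
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def edit_distance(a: str, b: str) -> int:
    # Levenshtein distance (dynamic programming, one row at a time).
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit_nameservers(ns_records: Iterable[str], expected_domains: Iterable[str],
                      max_typo_distance: int = 2) -> List[Finding]:
    # Every NS must sit under an expected provider domain; anything else is
    # either a near-miss (probable typo) or a wholly unexpected delegation.
    expected = {d.lower() for d in expected_domains}
    findings = []
    for ns in ns_records:
        reg = registrable_domain(ns)
        if reg in expected:
            findings.append(Finding(ns, reg, "ok", None))
            continue
        closest = min(expected, key=lambda d: edit_distance(reg, d))
        if edit_distance(reg, closest) <= max_typo_distance:
            findings.append(Finding(ns, reg, "typo?", closest))
        else:
            findings.append(Finding(ns, reg, "unexpected", None))
    return findings

# Constructed sample delegation: four nameservers under akam.net and one
# under the mistyped "akam.ne". The hostnames themselves are made up.
SAMPLE_NS = ["a1-67.akam.net.", "a3-64.akam.net.", "a5-66.akam.net.",
             "a7-65.akam.net.", "a22-65.akam.ne."]
EXPECTED = {"akam.net"}
```

Calling `audit_nameservers(SAMPLE_NS, EXPECTED)` reports the last entry as a probable typo of akam.net; running the same check over every zone you delegate, and over each provider's own delegation, catches this class of error before an outsider does.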
Supply Chain Attack Targets Chrome Extensions, Potentially Impacting Millions
https://blog.sekoia.io/targeted-supply-chain-attack-against-chrome-browser-extensions/
A sophisticated supply chain attack has targeted Chrome extension developers, compromising dozens of extensions and potentially impacting millions of users.
The campaign involved phishing emails impersonating official Chrome Web Store communications. These emails lured developers into granting access to a malicious OAuth app, allowing attackers to upload compromised versions of their extensions.
The attack, which may have been ongoing since at least December 2023, targeted sensitive data like API keys and session cookies from services like ChatGPT and Facebook for Business.
While many compromised extensions have been removed from the Chrome Web Store, and developers have released updates, the full extent of the damage remains unclear.
This incident highlights the critical importance of robust security measures for developers and the need for constant vigilance against evolving phishing tactics.