Transcript
A (0:01)
Cloudflare fends off record-breaking 11.5 Tbps DDoS flood. WhatsApp zero-click exploit targets Apple users. Frostbyte10 flaws expose supermarket refrigeration systems. A mass leak of Ollama servers. Hackers issue an ultimatum to Google, and Palo Alto Networks is the next victim of the OAuth fallout. This is Cybersecurity Today. I'm your host, Jim Love.

Cloudflare successfully defended against the largest volumetric DDoS attack ever recorded, clocking in at a staggering 11.5 terabits per second. A tsunami of traffic. I know we use the word tsunami a lot. This is a tsunami of traffic hitting the Internet for just 35 seconds. Thank heaven those precious seconds were enough to bring most defenses to their knees. And at first Cloudflare pointed fingers at Google Cloud, but it was later clarified that the assault actually came from a mashup of compromised IoT devices and multiple cloud platforms. Indicators point to attackers harnessing the massive outbound bandwidth of public clouds to launch this ultra-short, ultra-intense attack. The attack didn't happen in isolation. Cloudflare reported it's been battling a record number of DDoS attempts this summer, saying their teams have been working overtime to keep services online. The 11.5 terabits per second spike was simply the most visible example in what has become a relentless barrage. The latest milestone follows a 7.3-terabit attack just two months earlier. It signals a dangerous trend: DDoS now runs on cloud-scale infrastructure, and that means defenses must be equally massive and instant. Automation, rate limiting and IP filtering are no longer optional. They're essential. But size isn't everything. As FastNetMon points out, smaller, persistent or multi-vector attacks can slip through defenses and still cause real damage. The real measure of success is whether users stayed online, APIs stayed responsive and businesses stayed functional, even under fire. This event isn't just a technical milestone. It highlights how attackers are escalating both the volume and frequency of attacks. Defenders now face the reality that DDoS isn't rare, it's relentless.

WhatsApp has patched a sophisticated zero-click vulnerability, CVE-2025-55177. It was used to install spyware on Apple devices with no user interaction. Victims didn't have to click a link or open a file. Simply receiving a malicious message could trigger the attack. Amnesty International Security Lab confirmed that the campaign ran for almost 90 days starting in late May, but targeted fewer than 200 people. Most were high-profile or high-risk individuals in civil society. Apple issued emergency iOS and macOS patches alongside WhatsApp's updates. Now, it's important to remember that WhatsApp relies on the Signal protocol, considered a gold standard in encrypted messaging. Each device holds its own private key, and only the recipient can decrypt incoming messages. But if attackers compromise the device itself, as in this case, that encryption might offer little protection, if any. They can access messages before they're encrypted and after they're decrypted. Although these attacks were highly targeted, that doesn't make them irrelevant to everyone else. That same zero-click technique could be aimed at any specific target if the attackers see a payoff, whether that's a journalist, an activist, a business executive, or someone with access to valuable corporate systems. For high-risk users, keeping devices patched and enabling Apple's Lockdown Mode might be crucial steps to consider. Encryption protects messages in transit, but it doesn't shield them once the device has decrypted them. Once attackers have that, the question isn't who they can target, but who they choose to target.

If you've been thinking about smart devices and waiting for the big attack, well, it might have happened. Security researchers have uncovered Frostbyte10, a cluster of 10 critical vulnerabilities in Copeland E2 and E3 refrigeration and HVAC controllers that could give attackers remote, unauthenticated access to systems that keep food supplies safe. These controllers are widely used by major grocery chains like Kroger, Albertsons and Whole Foods. Exploits could let attackers manipulate temperatures, disable lighting, deploy malicious firmware, or execute root-level commands. The flaws include predictable admin passwords, unsigned firmware upgrades, privilege escalation, and the ability to plant rogue updates. A reminder that part of what makes this exploitation easier is poor security practices. As Armis has put it, a significant contributing factor is the operational practice of using identical, easily guessed passwords, which dramatically lowered the bar for attackers. In response, Copeland has released firmware version 2.31F01 to address the flaws and recommends migrating from the now end-of-life E2 platform to the newer E3. The US Cybersecurity and Infrastructure Security Agency is expected to issue further guidance. This Frostbyte10 attack shows how everyday smart devices can become attack vectors, and how something as basic as password reuse can open the door to devastating real-world consequences. We definitely need an improvement in IoT security, but not just with patches and updates. We need to have effective and not sloppy practices.

And speaking of sloppy practices, Cisco Talos has uncovered over 1,100 Ollama servers exposed to the public Internet, raising serious concerns for organizations running AI models locally. Ollama is designed to let users run large language models on their own hardware, offering privacy, control and performance without relying on the cloud. When you run it, Ollama spins up a lightweight HTTP service on your machine. Applications can send requests to that service the same way they'd call a cloud API, but everything runs locally. In theory, running locally keeps sensitive data private. But when these servers are left unsecured, the result is just the opposite. Attackers can extract model data, inject poisoned updates, or hijack compute resources. How big is the problem? Well, Cisco's scans found more than 1,000 exposed endpoints in just minutes, with about 20% actively running models and accepting requests. Many were left open with no authentication, making them easy targets for misuse. Ironically, the very tool deployed to protect data and maintain control ends up leaking both when it isn't configured properly. Ollama's developers are now talking about a secure mode to enforce safer defaults, like binding to local networks and requiring authentication by default. But that's just talk right now. Until then, the lesson is clear. Self-hosting AI brings power and privacy, but it also brings the same security responsibilities as running any other Internet-facing service.

A self-described hacker coalition called the Scattered Lapsus$ Hunters has publicly demanded that Google fire two members of its threat intelligence team, Austin Larsen and Charles Carmakal, or risk the leak of Google's allegedly stolen data. As of the time we went to air, there's been no evidence of a successful breach that's been verified yet. The ultimatum was posted to Telegram, claiming ties to groups including Scattered Spider, Lapsus$ and ShinyHunters. These hacker groups, famous for their social engineering and their ability to get credentials to major systems, said Google should halt investigations into their activity. And that timing coincides with August's confirmed breach at Salesforce by ShinyHunters, which affected multiple customers, including Google. But that incident occurred at a vendor, not in Google's own systems. And so far the hackers have shown no evidence that they breached Google. And that's an important part. There have been rumors that have circulated. We reported on one claiming that Google had asked users to change 2.5 billion passwords. Google has since said they said no such thing. So there's a lot of misinformation in this area as well. Google has not yet commented publicly, so the claim remains unverified. But as I've mentioned earlier, Scattered Spider, Lapsus$ and ShinyHunters should not be underestimated. They've managed to socially engineer access to some credentials on some major companies. Ignoring them outright would be reckless. So until proven otherwise, these threats warrant some scrutiny and increased caution. It would be very wise to do some focused training, particularly of your support people, on social engineering.

Palo Alto Networks has confirmed that attackers using stolen OAuth tokens gained access to its Salesforce system and exposed customer contact information and internal support case content. The breach was limited to Salesforce. No Palo Alto Networks products, systems or services were compromised, according to Palo Alto Networks. Their teams quickly revoked tokens, disabled the Drift integration, rotated credentials and began notifying customers. Now, this is one of several downstream compromises tied to the Salesloft Drift supply chain incident. Other victims have included Zscaler, Cloudflare, and even Google, which warned customers to consider all Salesloft tokens compromised. OAuth integrations make life smoother, but when they break, they break hard, and often far beyond where the original breach began. Careful token hygiene and continuous monitoring are essential safeguards in today's interconnected landscape.

And that's our show for today. You can reach me with tips, comments, and even some constructive criticism at our site, technewsday.com or .ca. Take your pick. I'm your host, Jim Love. Thanks for listening.
