
In this episode of Cybersecurity Today, host Jim Love covers the latest and most critical stories in the world of cyber threats and digital defense: • Cloudflare fends off a record-breaking 11.5 Tbps DDoS attack, highlighting the relentless scale...
Cloudflare fends off a record-breaking 11.5 terabit per second DDoS flood. A WhatsApp zero-click exploit targets Apple users. Frostbite 10 flaws expose supermarket refrigeration systems. A mass leak of Ollama servers. Hackers issue an ultimatum to Google, and Palo Alto Networks is the next victim of the OAuth fallout. This is Cybersecurity Today. I'm your host, Jim Love. Cloudflare successfully defended against the largest volumetric DDoS attack ever recorded, clocking in at a staggering 11.5 terabits per second. A tsunami of traffic. I know we use the word tsunami a lot. This is a tsunami of traffic hitting the Internet for just 35 seconds. Thank heaven those precious seconds were enough to bring most defenses to their knees. And at first Cloudflare pointed fingers at Google Cloud, but it was later clarified that the assault actually came from a mashup of compromised IoT devices and multiple cloud platforms. Indicators point to attackers harnessing the massive outbound bandwidth of public clouds to launch this ultra-short, ultra-intense attack. The attack didn't happen in isolation. Cloudflare reported it's been battling a record number of DDoS attempts this summer, saying their teams have been working overtime to keep services online. The 11.5 terabits per second spike was simply the most visible example in what has become a relentless barrage. The latest milestone follows a 7.3-terabit attack just two months earlier. It signals a dangerous trend. DDoS now runs on cloud-scale infrastructure, and that means defenses must be equally massive and instant. Automation, rate limiting and IP filtering are no longer optional. They're essential. But size isn't everything. As FastNetMon points out, smaller, persistent or multi-vector attacks can slip through defenses and still cause real damage. The real measure of success is whether users stayed online, APIs stayed responsive and businesses stayed functional, even under fire. This event isn't just a technical milestone.
It highlights how attackers are escalating both the volume and frequency of attacks. Defenders now face the reality that DDoS isn't rare, it's relentless. WhatsApp has patched a sophisticated zero-click vulnerability, CVE-2025-55177. It was used to install spyware on Apple devices with no user interaction. Victims didn't have to click a link or open a file. Simply receiving a malicious message could trigger the attack. Amnesty International's Security Lab confirmed that the campaign ran for almost 90 days starting in late May, but targeted fewer than 200 people. Most were high-profile or high-risk individuals in civil society. Apple issued emergency iOS and macOS patches alongside WhatsApp's updates. Now, it's important to remember that WhatsApp relies on the Signal protocol, considered a gold standard in encrypted messaging. Each device holds its own private key, and only the recipient can decrypt incoming messages. But if attackers compromise the device itself, as in this case, that encryption might offer little protection, if any. They can access messages before they're encrypted and after they're decrypted. Although these attacks were highly targeted, that doesn't make them irrelevant to everyone else. That same zero-click technique could be aimed at any specific target if the attackers see a payoff, whether that's a journalist, an activist, a business executive, or someone with access to valuable corporate systems. For high-risk users, keeping devices patched and enabling Apple's Lockdown Mode might be crucial steps to consider. Encryption protects messages in transit, but it doesn't shield them once the device has decrypted them. Once attackers have that, the question isn't who they can target, but who they choose to target. If you've been thinking about smart devices and waiting for the big attack, well, it might have happened.
Security researchers have uncovered Frostbite 10, a cluster of 10 critical vulnerabilities in Copeland E2 and E3 refrigeration and HVAC controllers that could give attackers remote, unauthenticated access to systems that keep food supplies safe. These controllers are widely used by major grocery chains like Kroger, Albertsons and Whole Foods. Exploits could let attackers manipulate temperatures, disable lighting, deploy malicious firmware, or execute root-level commands. The flaws include predictable admin passwords, unsigned firmware upgrades, privilege escalation, and the ability to plant rogue updates. A reminder that part of what makes this exploitation easier is poor security practices, as Armis has put it. A significant contributing factor is the operational practice of using identical, easily guessed passwords, which dramatically lowered the bar for attackers. In response, Copeland has released firmware version 2.31F01 to address the flaws and recommends migrating from the now end-of-life E2 platform to the newer E3. The US Cybersecurity and Infrastructure Security Agency is expected to issue further guidance. This Frostbite 10 attack shows how everyday smart devices can become attack vectors and how something as basic as password reuse can open the door to devastating real-world consequences. We definitely need an improvement in IoT security, but not just with patches and updates. We need to have effective and not sloppy practices. And speaking of sloppy practices, Cisco Talos has uncovered over 1,100 Ollama servers exposed to the public Internet, raising serious concerns for organizations running AI models locally. Ollama is designed to let users run large language models on their own hardware, offering privacy, control and performance without relying on the cloud. When you run it, Ollama spins up a lightweight HTTP service on your machine. Applications can send requests to that service the same way they'd call a cloud API, but everything runs locally.
In theory, running locally keeps sensitive data private. But when these servers are left unsecured, the result is just the opposite. Attackers can extract model data, inject poisoned updates, or hijack compute resources. How big is the problem? Well, Cisco's scans found more than 1,000 exposed endpoints in just minutes, with about 20% actively running models and accepting requests. Many were left open with no authentication, making them easy targets for misuse. Ironically, the very tool deployed to protect data and maintain control ends up leaking both when it isn't configured properly. Ollama's developers are now talking about a secure mode to enforce safer defaults, like binding to local networks and requiring authentication by default. But that's just talk right now. Until then, the lesson is clear. Self-hosting AI brings power and privacy, but it also brings the same security responsibilities as running any other Internet-facing service. A self-described hacker coalition called the Scattered Lapsus Hunters has publicly demanded that Google fire two members of its threat intelligence team, Austin Larson and Charles Carmichael, or risk the leak of Google's allegedly stolen data. As of the time we went to air, there's been no evidence of a successful breach that's been verified yet. The ultimatum was posted to Telegram, claiming ties to groups including Scattered Spider, Lapsus and Shiny Hunters. These hacker groups, famous for their social engineering and their ability to get credentials to major systems, said Google should halt investigations into their activity. And that timing coincides with August's confirmed breach at Salesforce by Shiny Hunters, which affected multiple customers, including Google. But that incident occurred at a vendor, not in Google's own systems. And so far the hackers have shown no evidence that they breached Google. And that's an important part. There have been rumors that have circulated.
We reported on one that Google asked to change 2.5 billion passwords. Google has since said they said no such thing. So there's a lot of misinformation in this area as well. Google has not yet commented publicly, so the claim remains unverified. But as I've mentioned earlier, Scattered Spider, Lapsus and Shiny Hunters should not be underestimated. They've managed to socially engineer access to some credentials at some major companies. Ignoring them outright would be reckless. So until proven otherwise, these threats warrant some scrutiny and increased caution. It would be very wise to do some focused training, particularly of your support people, on social engineering. Palo Alto Networks has confirmed that attackers using stolen OAuth tokens gained access to its Salesforce system and exposed customer contact information and internal support case content. The breach was limited to Salesforce. No Palo Alto Networks products, systems or services were compromised, according to Palo Alto Networks. Their teams quickly revoked tokens, disabled the Drift integration, rotated credentials and began notifying customers. Now, this is one of several downstream compromises tied to the Salesloft Drift supply chain incident. Other victims have included Zscaler, Cloudflare, and even Google, which warned customers to consider all Salesloft tokens compromised. OAuth integrations make life smoother, but when they break, they break hard and often far beyond where the original breach began. Careful token hygiene and continuous monitoring are essential safeguards in today's interconnected landscape. And that's our show for today. You can reach me with tips, comments, and even some constructive criticism at our site, technewsday.com or .ca. Take your pick. I'm your host, Jim Love. Thanks for listening.
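The Ollama exposure described in the episode, as an added example that is not the show's or the Ollama project's code: a self-audit for your own host that checks where the OLLAMA_HOST setting binds the service and whether its API answers with no credential, which is exactly what the proposed "secure mode" defaults would change. It assumes Ollama's documented OLLAMA_HOST variable, its default port 11434, and the /api/tags model-listing endpoint.

```python
"""Self-audit for a local Ollama install: bind address plus an unauthenticated API probe.
Added example (not the episode's or Ollama's code); assumes OLLAMA_HOST, port 11434, /api/tags."""
import ipaddress
import json
import os
import urllib.error
import urllib.request
from typing import Callable, Optional, Tuple
from urllib.parse import urlsplit

DEFAULT_PORT = 11434  # Ollama's default listen port

def parse_ollama_host(value: Optional[str]) -> Tuple[str, int]:
    """Normalise OLLAMA_HOST ("", "host", "host:port", "scheme://host:port") to (host, port)."""
    if not value:
        return "127.0.0.1", DEFAULT_PORT           # Ollama's default: loopback only
    if "://" not in value:
        value = "http://" + value                 # lets urlsplit read host:port
    parts = urlsplit(value)
    return parts.hostname or "127.0.0.1", parts.port or DEFAULT_PORT

def is_exposed_bind(host: str) -> bool:
    """True if the bind address accepts connections from other machines."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:                            # a hostname rather than an IP literal
        return host.lower() != "localhost"
    return addr.is_unspecified or not addr.is_loopback

def api_answers_unauthenticated(base_url: str, timeout: float = 3.0) -> bool:
    """GET /api/tags with no credential; HTTP 200 plus a model list means the API is open."""
    try:
        with urllib.request.urlopen(f"{base_url}/api/tags", timeout=timeout) as r:
            return r.status == 200 and "models" in json.load(r)
    except (urllib.error.URLError, ValueError, OSError):
        return False

def audit(ollama_host: Optional[str], probe: Callable[[str], bool] = api_answers_unauthenticated) -> dict:
    """Combine bind exposure with the unauthenticated probe into a risk rating."""
    host, port = parse_ollama_host(ollama_host)
    exposed = is_exposed_bind(host)
    # A wildcard bind is probed over loopback: same process, same missing authentication.
    probe_host = "127.0.0.1" if host in ("0.0.0.0", "::") else host
    open_api = exposed and probe(f"http://{probe_host}:{port}")
    risk = "critical" if open_api else ("exposed" if exposed else "ok")
    return {"bind": f"{host}:{port}", "exposed": exposed,
            "unauthenticated_api": open_api, "risk": risk}

if __name__ == "__main__":                         # audit this machine's own setting
    print(json.dumps(audit(os.environ.get("OLLAMA_HOST")), indent=2))
```

A result of "exposed" with no open API usually means an authenticating reverse proxy sits in front; "critical" means anyone who can reach the port can list, pull and query models.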
Episode: Cloudflare Fends Off A Record Breaking 11.5 Tbps DDoS Attack
Host: Jim Love
Date: September 4, 2025
This episode delivers a rapid-fire update on major cybersecurity incidents targeting organizations, infrastructure, and users worldwide. Host Jim Love covers Cloudflare’s defense against a record-setting DDoS attack, a WhatsApp zero-click exploit hitting Apple users, critical vulnerabilities in supermarket refrigeration systems, a mass leak of Ollama AI servers, cybercriminal ultimatums against Google, and Palo Alto Networks’ OAuth fallout. The discussion highlights the escalating scale and frequency of attacks, the dangers of misconfigurations, and the urgent need for updated security practices.
Details of the Attack
Implications for Defenders
Exploit Details
Security Response & Takeaways
“If attackers compromise the device itself… they can access messages before they're encrypted and after they're decrypted.” (Jim Love, 01:48)
Critical Infrastructure at Risk
“A significant contributing factor is the operational practice of using identical, easily guessed passwords…” (Jim Love quoting Armis, 02:30)
Broader Lessons
AI Self-Hosting Gone Wrong
“Ironically, the very tool deployed to protect data and maintain control ends up leaking both when it isn't configured properly.” (Jim Love, 03:18)
Technical Details
Key Takeaway
“Self-hosting AI brings power and privacy, but it also brings … the same security responsibilities…” (03:29)
Threats, Claims & Verification
“So far the hackers have shown no evidence that they breached Google. And that's an important part.” (Jim Love, 03:53)
Rumor Management
“Scattered Spider, Lapsus, and Shiny Hunters should not be underestimated… Ignoring them outright would be reckless.” (Jim Love, 04:02)
Incident Overview
Supply Chain Scope
Lessons on OAuth
“When they break, they break hard and often far beyond where the original breach began.” (Jim Love, 04:35)
On the scale of modern DDoS:
“A tsunami of traffic hitting the Internet for just 35 seconds. Thank heaven those precious seconds were enough to bring most defenses to their knees.” (Jim Love, 00:13)
On IoT security lapses:
“Part of what makes this exploitation easier—poor security practices, as Armis has put it. A significant contributing factor is the operational practice of using identical, easily guessed passwords.” (Jim Love quoting Armis, 02:30)
On social engineering threats:
“Ignoring them outright would be reckless. So until proven otherwise, these threats warrant some scrutiny and increased caution.” (Jim Love, 04:06)
On OAuth breaches:
“OAuth integrations make life smoother, but when they break, they break hard and often far beyond where the original breach began.” (Jim Love, 04:35)
Jim Love summarizes a week of mounting threats and emerging vulnerabilities, stressing that cybersecurity is a moving target. Enduring lessons include the need for robust automation, improved operational hygiene, vigilance against social engineering, responsible AI hosting, and strong supply chain monitoring.
As DDoS attacks reach Internet-breaking scale and attackers increasingly leverage cloud infrastructure, the security baseline for organizations must keep pace—or risk being left behind.