Podcast Summary: Cybersecurity Today
Episode: Cloudflare Fends Off A Record Breaking 11.5 Tbps DDoS Attack
Host: Jim Love
Date: September 4, 2025
Episode Overview
This episode delivers a rapid-fire update on major cybersecurity incidents targeting organizations, infrastructure, and users worldwide. Host Jim Love covers Cloudflare’s defense against a record-setting DDoS attack, a WhatsApp zero-click exploit hitting Apple users, critical vulnerabilities in supermarket refrigeration systems, a mass leak of Ollama AI servers, cybercriminal ultimatums against Google, and Palo Alto Networks’ OAuth fallout. The discussion highlights the escalating scale and frequency of attacks, the dangers of misconfigurations, and the urgent need for updated security practices.
Key Discussion Points & Insights
1. Cloudflare Repels Largest Ever DDoS Attack
Details of the Attack
- Cloudflare fended off an unprecedented Distributed Denial-of-Service (DDoS) attack peaking at 11.5 Tbps (00:04).
- Attack lasted 35 seconds, described as "a tsunami of traffic hitting the Internet" (00:12).
- Initial suspicion pointed to Google Cloud, but it was later confirmed the source was a blend of compromised IoT devices and multiple cloud providers (00:23).
- The event is not isolated: Cloudflare reports this summer saw a "record number of DDoS attempts," marking a trend toward relentless, large-scale attacks (00:37).
- The 11.5 Tbps incident follows a previous 7.3 Tbps record, indicating rapidly increasing magnitudes (00:44).
Implications for Defenders
- Attackers now harness public cloud infrastructure for massive, rapid attacks.
- Defensive measures such as automation, rate limiting, and IP filtering are described as "essential" rather than optional (00:51).
- Not all damaging attacks are large: persistent, multi-vector, or "smaller" DDoS efforts can still disrupt services (00:58).
- The main measure of resilience is service uptime: “The real measure of success is whether users stayed online, APIs stayed responsive and businesses stayed functional, even under fire.” (Jim Love, 01:03)
- The shift: DDoS attacks "aren’t rare, they’re relentless." (01:14)
2. WhatsApp 0-Click Exploit Targeting Apple Users
Exploit Details
- CVE-2025-55177: Allowed remote spyware installation with no user action required (01:20).
- Simply receiving a malicious WhatsApp message triggered the attack (01:27).
- Used over ~90 days, targeting fewer than 200 high-profile civil society individuals (01:33).
Security Response & Takeaways
- WhatsApp and Apple released rapid patches; emergency iOS and macOS updates were issued (01:40).
- WhatsApp uses the Signal protocol, a gold standard in encryption, but compromise of the device itself bypasses that encryption entirely:
“If attackers compromise the device itself… they can access messages before they're encrypted and after they're decrypted.” (Jim Love, 01:48)
- Highly targeted but broadly relevant: techniques could be repurposed for corporate executives or anyone with valuable access.
- Defensive recommendations: Keep devices fully patched and consider Apple’s Lockdown Mode if at risk (01:58).
3. Frostbite 10 Vulnerabilities in Refrigeration and HVAC Controllers
Critical Infrastructure at Risk
- Ten severe vulnerabilities (“Frostbite 10”) found in Copeland E2 and E3 controllers, present in major grocery chains (02:10).
- Exploitable for remote, unauthenticated access—could let attackers change temperatures, disable systems, or install malicious updates (02:16).
- Many of the flaws are exploitable because of default passwords and unsigned firmware upgrades.
“A significant contributing factor is the operational practice of using identical, easily guessed passwords…” (Jim Love quoting ARM, 02:30)
- Copeland issued a firmware patch (version 2.31 F01); recommends immediate migration from outdated E2 (02:36).
- US CISA expected to issue guidance (02:39).
Broader Lessons
- The findings demonstrate that everyday IoT devices, when neglected, can threaten real-world infrastructure and supply chains (02:44).
- Emphasizes the importance of strong password hygiene and operational discipline, beyond just patching (02:52).
4. Ollama AI Server Leak: Local Isn’t Always Private
AI Self-Hosting Gone Wrong
- Cisco Talos found over 1,100 publicly exposed Ollama servers, used for running local LLMs (03:04).
- Many endpoints open with no authentication, risking theft, poisoning, and resource hijacking (03:09).
“Ironically, the very tool deployed to protect data and maintain control ends up leaking both when it isn't configured properly.” (Jim Love, 03:18)
Technical Details
- Ollama spins up a local HTTP service that accepts API requests.
- At least 20% of the discovered servers were actively running models (03:13).
- Ollama's developers are planning a "secure mode" (restricted to the local network, authentication enforced), but it has not been released yet (03:24).
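As an added example (not from the episode, and not code from the Ollama project), a defender-side check on the exposure Talos described: given Gin-style access lines of the kind the Ollama server prints (format assumed here; the sample lines are constructed), it flags API requests that arrived from outside loopback and RFC 1918 ranges, which is exactly what an unauthenticated, Internet-reachable instance would show.

```python
import ipaddress
import re

# Constructed sample of Gin-style access lines (format assumed, not taken from the episode).
SAMPLE_LOG = """\
[GIN] 2025/09/04 - 08:15:02 | 200 |  1.203ms |       127.0.0.1 | GET      "/api/tags"
[GIN] 2025/09/04 - 08:15:10 | 200 |     3.4s |    203.0.113.45 | POST     "/api/generate"
[GIN] 2025/09/04 - 08:16:00 | 200 |    0.9ms |     10.20.30.40 | GET      "/api/tags"
[GIN] 2025/09/04 - 08:17:31 | 404 |    0.1ms |    198.51.100.7 | GET      "/"
[GIN] 2025/09/04 - 08:18:05 | 200 |   12.5ms |    203.0.113.45 | POST     "/api/pull"
"""

LINE_RE = re.compile(
    r'^\[GIN\]\s+(?P<ts>\S+ - \S+)\s+\|\s+(?P<status>\d{3})\s+\|\s+(?P<latency>\S+)\s+\|'
    r'\s+(?P<client>\S+)\s+\|\s+(?P<method>[A-Z]+)\s+"(?P<path>[^"]*)"'
)

# Explicit loopback + RFC 1918 (and IPv6 equivalents). Listed by hand rather than via
# ip.is_private so that documentation ranges used in the sample count as "external".
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7")]

def parse_line(line):
    """Return a dict for one access line, or None if it is not in the expected shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def is_local_client(ip_text):
    """True if the client address is loopback or private; unparsable values are not local."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in LOCAL_NETS)

def find_external_api_hits(log_text):
    """Collect /api/ requests whose client is outside loopback and private ranges."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].startswith("/api/") and not is_local_client(rec["client"]):
            hits.append(rec)
    return hits

def summarize(hits):
    """Map each external client to the sorted set of API paths it reached."""
    per_client = {}
    for rec in hits:
        per_client.setdefault(rec["client"], set()).add(rec["path"])
    return {client: sorted(paths) for client, paths in per_client.items()}
```

Any non-empty result from `summarize(find_external_api_hits(...))` on a server meant to be local-only means the bind address or firewall needs fixing, whatever the model is doing.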
Key Takeaway
- Self-hosting AI gives power and privacy, but brings the same security requirements as any Internet-facing service:
“Self-hosting AI brings power and privacy, but it also brings … the same security responsibilities…” (03:29)
5. Hackers Issue Ultimatum to Google
Threats, Claims & Verification
- A group calling itself "Scattered Lapsus Hunters" demanded that Google fire two members of its threat intelligence team or risk having data leaked (03:35).
- The Telegram post claimed affiliations with several infamous groups (Scattered Spider, Lapsus, Shiny Hunters) (03:41).
- The claims coincided with a confirmed breach at a Salesforce vendor that affected Google, but there is no verified evidence that Google itself was compromised (03:48).
“So far the hackers have shown no evidence that they breached Google. And that's an important part.” (Jim Love, 03:53)
Rumor Management
- Addresses online rumors (for example, a claim that Google had asked users to change 2.5 billion passwords, which Google denied) (03:56).
- Stresses vigilance:
“Scattered Spider, Lapsus, and Shiny Hunters should not be underestimated… Ignoring them outright would be reckless.” (Jim Love, 04:02)
- Suggests increased social-engineering awareness training for support staff.
6. Palo Alto Networks and OAuth Fallout
Incident Overview
- Attackers used stolen OAuth tokens to access Palo Alto's Salesforce system, exposing customer contact info and support case content (04:16).
- Breach was strictly limited to Salesforce; no evidence other systems or products were affected (04:21).
- Response: Revoked tokens, disabled integrations, rotated credentials, notified customers (04:23).
Supply Chain Scope
- The incident is part of the wider Drift/Salesloft supply chain compromise, which also affected other tech giants (Zscaler, Cloudflare, Google) (04:28).
- Warnings for organizations: Treat all tokens from affected suppliers as compromised.
Lessons on OAuth
- OAuth integrations “make life smoother,” but breaches can cascade widely:
“When they break, they break hard and often far beyond where the original breach began.” (Jim Love, 04:35)
- Emphasizes token hygiene and continual monitoring as critical defenses.
Notable Quotes & Moments
On the scale of modern DDoS:
“A tsunami of traffic hitting the Internet for just 35 seconds. Thank heaven those precious seconds were enough to bring most defenses to their knees.” (Jim Love, 00:13)
On IoT security lapses:
“Part of what makes this exploitation easier—poor security practices, as ARM has put it. A significant contributing factor is the operational practice of using identical, easily guessed passwords.” (Jim Love quoting ARM, 02:30)
On social engineering threats:
“Ignoring them outright would be reckless. So until proven otherwise, these threats warrant some scrutiny and increased caution.” (Jim Love, 04:06)
On OAuth breaches:
“OAuth integrations make life smoother, but when they break, they break hard and often far beyond where the original breach began.” (Jim Love, 04:35)
Timestamps for Key Segments
- Cloudflare’s DDoS Defense: 00:04–01:15
- WhatsApp Zero-Click Attack: 01:20–02:06
- Frostbite 10 Vulnerabilities: 02:10–02:55
- Ollama Server Leaks: 03:04–03:30
- Google Hacker Ultimatum: 03:35–04:13
- Palo Alto OAuth Fallout: 04:16–04:41
Final Takeaways
Jim Love summarizes a week of mounting threats and emerging vulnerabilities, stressing that cybersecurity is a moving target. Enduring lessons include the need for robust automation, improved operational hygiene, vigilance against social engineering, responsible AI hosting, and strong supply chain monitoring.
As DDoS attacks reach Internet-breaking scale and attackers increasingly leverage cloud infrastructure, the security baseline for organizations must keep pace—or risk being left behind.
