Infosec News

cyclone

Nation-State Hackers Breach F5 Networks

F5 Breach Graphic

Summary
F5 Networks has confirmed a major security breach in which a nation-state-linked actor gained unauthorized access to internal systems and exfiltrated portions of BIG-IP source code and information on undisclosed vulnerabilities.
The intrusion is believed to have persisted for roughly 12 months before discovery.

The company detected the incident on August 9, 2025, and delayed public disclosure at the request of the U.S. Department of Justice.
There is no indication that CRM, financial, support, or iHealth systems were accessed, although some customer configuration files were included in the stolen data.

Technical and Attribution Details

The attack is attributed to a Chinese cyber-espionage group tracked as UNC5221.
The group deployed a custom backdoor named BRICKSTORM, previously used in intrusions against SaaS and BPO providers.
The compromise targeted F5’s development environment, giving access to internal vulnerability data and code repositories.
F5 brought in Mandiant and CrowdStrike for incident response, rotated all signing keys and credentials, and added additional security controls.

Government Response
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 26-01, requiring all federal agencies to:

Inventory all F5 BIG-IP, F5OS, BIG-IQ, and APM systems.
Verify that management interfaces are not exposed to the internet.
Apply vendor patches no later than October 22, 2025.
Submit compliance reports to CISA by October 29, 2025.

CISA stated that the stolen source code and vulnerability information provide adversaries with a technical advantage for developing zero-day exploits.

CVEs and Patch References
Key vulnerabilities disclosed following the breach include:

CVE-2025-53868 – BIG-IP SCP/SFTP privilege escalation (CVSS 8.7)
CVE-2025-61955 – F5OS command injection, appliance mode (CVSS 8.8)
CVE-2025-57780 – F5OS arbitrary code execution, appliance mode (CVSS 8.8)

Administrators should immediately apply the latest firmware and software updates for BIG-IP, F5OS, BIG-IQ, APM, and BIG-IP Next (Kubernetes).

Recommended Actions:

Patch all F5 systems immediately.
Remove or restrict public access to management interfaces.
Audit and retire end-of-life or unsupported devices.
Monitor for anomalous configuration changes or new admin accounts.
Treat F5 perimeter devices as high-risk until verified patched and hardened.

Sources:

cyclone

Major Amazon Web Services (AWS) Outage

AWS is currently experiencing a major outage in the US-EAST-1 region, impacting dozens of core services and many third-party platforms.

Status: Degraded performance and elevated error rates across multiple services.
Root Cause (according to AWS): Internal subsystem failure tied to the monitoring of network load balancers and EC2 internal networking.

Origin & propagation: Issues began around 3:11 a.m. ET in US-EAST-1, and have cascaded globally for services dependent on that region.

Affected AWS Services (partial list):
Core compute/storage/database services including EC2, S3, RDS, Lambda, CloudWatch, CloudFront, DynamoDB, SQS, SNS, ECS, EKS, Glue, Redshift, SageMaker, Cognito, Connect, VPC services, Step Functions, Secrets Manager, and more.
AWS lists around 90 services impacted.

Third-Party Services / Platforms Impacted:
Major consumer/enterprise platforms reported disruptions: games like Fortnite, Roblox; apps like Snapchat, Venmo; smart home devices (Ring, Alexa); banks and financial apps; many SaaS services relying on AWS infrastructure.

What this means for you:

If you rely on AWS in US-EAST-1, expect slower API responses, partial failures, or launch errors (especially for new EC2 instances).
If you rely on third-party services (SaaS, gaming, streaming, banking), you may see outages despite those services not being your direct provider.

Sources:

AWS Status Page: https://health.aws.amazon.com/health/status
Downdetector Report: https://downdetector.com/status/aws-amazon-web-services/
Tom's Guide: https://www.tomsguide.com/news/live/amazon-outage-october-2025
Reuters: https://www.reuters.com/business/retail-consumer/amazons-cloud-unit-reports-outage-several-websites-down-2025-10-20/

cyclone

Xubuntu.org Compromised - Torrent Downloads Served Windows Malware

Over the weekend (October 18–19, 2025), the official Xubuntu website (xubuntu.org) was compromised. Attackers managed to inject a malicious download link into the torrent section of the downloads page. A similar attack also happened in September 2025 where attackers injected malicious javascript into non-English language pages of the site.

What Happened

The legitimate .torrent link was replaced with a ZIP archive:

xubuntu-safe-download.zip

Which contained files:

TestCompany.SafeDownloader.exe
terms-of-service.txt

The EXE impersonated a “Xubuntu - Safe Downloader” GUI installer.
On execution, it installed itself to:

%AppData%\Roaming

and added a Windows registry key for persistence at startup.

Malware Behavior

The EXE was identified as a Crypto Clipper Trojan, flagged by 26/72 vendors on VirusTotal.

Behavior:

Monitors the clipboard for cryptocurrency wallet addresses (BTC, ETH, LTC, etc.).
Replaces copied wallet addresses with attacker-controlled ones.
Windows-only payload. It targets Windows users downloading from Xubuntu.org.
No confirmed reports of cryptocurrency theft at the time of this writing.

Technical Context

The malicious file was hosted within a WordPress uploads path "/wp-content/uploads/", suggesting the compromise occurred via a vulnerable plugin or outdated component.

A similar minor incident in September 2025 served malvertising on the same domain, implying the attackers retained access.

The Xubuntu team has disabled the affected download page and announced a migration to a static-site architecture to prevent further injection or file tampering.

What Was Not Affected

Direct ISO images and checksums hosted on Canonical’s official mirror (cdimage.ubuntu.com) were not compromised.

Only the torrent download link from the Xubuntu.org domain was affected.

Recommendations

If you downloaded Xubuntu via torrent from Xubuntu.org between October 18–19, 2025:

Delete xubuntu-safe-download.zip immediately.
Scan your Windows system for malware or autorun persistence keys.
Rotate cryptocurrency wallets and reset all associated credentials.
Verify all future downloads against SHA256/PGP checksums provided on Canonical mirrors.

Sources:

cyclone

Recap of Record Setting Hyper-Volumetric DDoS Attacks in 2025 (CloudFlare)

Overview:
Recent months have seen a dramatic escalation in Distributed Denial-of-Service (DDoS) attacks, both in volume and packet rate. Two ultra-high-volume events stand out: a 7.3 Tbps / 4.8 Bpps attack on May 15 2025, and a later and eye watering 11.5 Tbps / 5.1 Bpps assault on September 3 2025, both successfully mitigated by Cloudflare.

Key Details:

The 7.3 Tbps attack targeted an unnamed hosting provider in mid-2025 and delivered roughly 37.4 TB of data in ~45 seconds.

The 11.5 Tbps event occurred in September 2025, lasted about 35 seconds, and was primarily a UDP flood. Sources included cloud providers and massive IoT botnets.

These attacks reflect a trend: “hyper-volumetric” DDoS defined as >1 Tbps or >1 Bpps are now occurring at disproportionately high rates.

Final Thoughts:

The sheer rate and short duration (under a minute) make detection and response challenging.
Attackers are increasingly deploying multi-vector strategies and exploiting large botnets of compromised IoT/cloud devices.
These record-breaking DDoS events signal that we’ve entered a new era of scale in DDoS attacks. The days of only mitigating sub-100 Gbps events are behind us - now it’s multi-Tbps and packet rates in the billions.

Sources:

cyclone

Qilin Ransomware Using WSL to Deploy Encryptors on Windows

The Qilin ransomware group (formerly “Agenda”) has started abusing Windows Subsystem for Linux (WSL) to execute Linux ELF encryptors directly inside Windows environments, a move designed to evade EDR and antivirus detection.

Behavior:

Threat actors gain access to a Windows host, then install or enable WSL via command-line tools or scripts.
They transfer a Linux encryptor (ELF binary) using WinSCP and launch it through remote management tools like Splashtop (SRManager.exe).
Since most Windows EDRs focus on PE-based behaviors, activity inside the WSL environment goes largely undetected.

Tactics:

BYOVD attacks using vulnerable drivers (e.g. eskle.sys, rwdrv.sys, hlpdrv.sys) to disable security tools.
Use of AnyDesk, ScreenConnect, Splashtop for persistence and remote access.
DLL sideloading, dark-kill, and HRSword to remove traces or disable defenses.
Manual inspection of files using Paint and Notepad before exfiltration.

Scale:

Over 700 confirmed victims across 62 countries in 2025.
Roughly 40 new victims/month during the second half of the year.
Focus on hybrid Windows–Linux infrastructures, including VMware ESXi environments.

Sources:

cyclone

Rust CVE-2025-62518 - Critical RCE Vulnerability "TARmageddon" in Rust tar Libraries

A new high-severity vulnerability (CVE-2025-62518, “TARmageddon”) has been disclosed in several Rust async tar libraries: async-tar, tokio-tar, and their forks.

The flaw is a boundary-parsing desynchronization in TAR header handling.
When archives contain PAX-extended headers that override the file size, the vulnerable parser incorrectly trusts the ustar size (often zero) to advance the read position. This misaligns the stream, letting hidden nested TAR data be treated as legitimate entries.

This enables archive smuggling where attackers can insert extra files that overwrite configs or inject malicious build files. This can lead to remote code execution or supply-chain compromise when untrusted TARs are processed.

Note: this is not a memory safety vulnerability in Rust (which is inherintly memory safe), but a logic vulnerability in the code.

Impacted Ecosystem

Directly vulnerable crates: async-tar, tokio-tar, krata-tokio-tar, astral-tokio-tar (<0.5.6)

Affected downstreams include:

uv (Astral’s Python package manager)
testcontainers
wasmCloud, binstalk-downloader, and others

Attack Scenarios

Python package RCE - malicious PyPI tarballs overwrite pyproject.toml.
Container poisoning - crafted layers inject or overwrite files during unpack.
BOM bypass - scanners approve the clean outer archive; hidden inner files slip through during extraction.

Sources:

cyclone

Operation Endgame Takes Down Rhadamanthys, VenomRAT, and Elysium

Law enforcement has delivered another heavy blow to the cybercrime ecosystem. In the latest phase of Operation Endgame, agencies from nine countries coordinated a large-scale takedown targeting Rhadamanthys, VenomRAT, and Elysium malware infrastructure.

Between November 10 and 14, 2025, Europol and Eurojust led joint raids across Germany, Greece, and the Netherlands, seizing 20 domains and over 1,000 servers. A key VenomRAT suspect was also arrested in Greece on November 3.

According to Europol, the dismantled networks consisted of hundreds of thousands of infected systems and several million stolen credentials. Investigators also linked the primary Rhadamanthys operator to more than 100,000 compromised crypto wallets potentially worth millions of euros.

Lumen’s Black Lotus Labs reported that Rhadamanthys activity surged through late 2025, with over 500 active C2 servers and daily infections averaging 4,000 new IPs. More than 60 percent of its infrastructure was undetected on VirusTotal, making it one of the stealthier info-stealer networks active this year.

Europol suggests users verify possible compromise via politie.nl/checkyourhack and haveibeenpwned.com.

Operation Endgame has now disrupted numerous major threats, including IcedID, Bumblebee, Trickbot, SystemBC, and DanaBot. The cooperation between international law enforcement and private partners such as Shadowserver, CrowdStrike, Proofpoint, and Bitdefender continues to prove effective at dismantling large-scale criminal infrastructure.

Takeaway:
This action shows that even mature, well-distributed malware-as-a-service networks can be crippled when global coordination works. Expect the void left by Rhadamanthys and VenomRAT to be filled soon, likely by new variants or rebranded operations. Stay vigilant and monitor for related activity.

Sources:

cyclone

Go(lang) Turns 16

Go turned 16 this month, celebrating another milestone for one of the most influential languages in modern infrastructure. Originally built for simplicity and speed, Go now powers critical systems at companies like Google, Cloudflare, Uber, Dropbox, Stripe, Netflix, plus thousands of others.

Recent releases delivered major upgrades: Go 1.24 introduced traversal-safe filesystem APIs and a redesigned high-performance map implementation, while Go 1.25 added container-aware scheduling and the new Green Tea garbage collector, cutting GC overhead by 10-40% and paving the way for AVX-512 acceleration in Go 1.26. With stronger native cryptography (CAVP-certified), improved concurrency testing via testing/synctest, and expanding adoption across AI, cloud, and security tooling, Go’s 16th year cements it as a performant, memory safe, and production-ready foundation for the next generation of scalable systems.

Sources:

cyclone

Cloudflare Outage Summary - 18 Nov 2025

On 18 November 2025 at 11:20 UTC, Cloudflare experienced a widespread outage that disrupted core CDN, security, and authentication services globally. While initially suspected to be a large-scale DDoS, the root cause was a malformed Bot Management feature file propagated across the edge.

Root Cause

A permissions change applied to a ClickHouse cluster at 11:05 UTC caused a metadata query used by Bot Management to return duplicate feature rows.
This doubled the size of the ML feature file, exceeding a 200-feature limit within Cloudflare’s proxy engines (FL + FL2).
When the oversized file propagated, proxies panicked and began returning HTTP 5xx errors for any request touching the bots module.

Because ClickHouse nodes were being updated gradually, the system oscillated between “good” and “bad” configuration states every five minutes, heavily complicating diagnosis.

Impact

CDN & Security: Widespread 5xxs, increased latency.
Turnstile: Unavailable, breaking login flows.
Workers KV: Heavy 5xx rates until bypassed at 13:05.
Access: Auth failures for most users.
Dashboard: Mostly up, but logins failed due to Turnstile + KV issues.
Email Security: Minor degradation in spam detection accuracy, no critical impact.

Customers on the older FL proxy saw bot scores drop to zero, causing massive false positives for bot-blocking rules. FL2 customers saw outright 5xx errors.

Timeline (Key Events)

11:05 - ClickHouse permission change deployed.
11:20–11:28 - First propagation, core traffic starts failing.
13:05 - Workers KV + Access bypass reduces blast radius.
14:24 - Bad feature file generation halted; good file prepared.
14:30 - Global rollout of known-good file; major recovery begins.
17:06 - All services fully restored.

Why This Was So Severe

Feature files update every few minutes globally.
The malformed file exceeded a hard-coded runtime limit, causing unhandled panics.
Debugging systems increased CPU load during the failure, amplifying latency.
The recursive “good/bad” cycle produced misleading signals resembling an active attack.

Remediation Steps (In Progress)

Harden validation of internal configuration files.
Add global kill switches for rapid feature disablement.
Prevent debugging/observability systems from burning excessive CPU during faults.
Review failure modes across all proxy modules.

Summary

This was Cloudflare’s most serious outage since 2019 - not caused by malicious activity, but by an internal consistency failure in configuration generation. A single database permission change cascaded into a global edge failure due to assumptions in legacy code and missing safeguards.

Cloudflare has acknowledged the severity and is implementing systemic fixes to prevent feature-file-induced outages in the future.

Source:

https://blog.cloudflare.com/18-november-2025-outage/

cyclone

Fortinet: FortiWeb Actively Exploited (again)

Fortinet has issued an alert for CVE-2025-58034, a command injection bug in FortiWeb (CVSS 6.7) that is being weaponized. The flaw is an OS command injection issue in FortiWeb’s HTTP and CLI handling that allows arbitrary code execution, but only after an attacker has authenticated by some other method.

Patches are available for all affected branches:

• 8.0.0 to 8.0.1 → update to 8.0.2
• 7.6.0 to 7.6.5 → update to 7.6.6
• 7.4.0 to 7.4.10 → update to 7.4.11
• 7.2.0 to 7.2.11 → update to 7.2.12
• 7.0.0 to 7.0.11 → update to 7.0.12

Reported by Trend Micro’s Jason McFadyen, the flaw is already under active exploitation, prompting CISA to add it to the Known Exploited Vulnerabilities catalog with a federal patch deadline of November 25, 2025.

Exploit chain activity:
The situation escalates when paired with CVE-2025-64446, an authentication bypass silently patched by Fortinet in 8.0.2. According to Orange Cyberdefense and Rapid7, attackers are chaining the two bugs: bypassing authentication via CVE-2025-64446, then leveraging CVE-2025-58034 for command execution. This converts an authenticated-only issue into full unauthenticated RCE against unpatched appliances.

Industry concern:
Security teams have raised concerns about Fortinet’s decision to patch these flaws before publishing advisories. Analysts note that silent patching provides attackers with a window of advantage and leaves defenders unaware of what they're exposed to until exploitation is already underway.

Action required:
Apply the fixed releases immediately and audit FortiWeb instances for suspicious authenticated activity or anomalous command execution attempts, especially if systems were running vulnerable versions prior to Fortinet’s disclosure.

Source:

hashpwn

Infosec News

What Happened

Malware Behavior

Technical Context

What Was Not Affected

Recommendations

Root Cause

Impact

Timeline (Key Events)

Why This Was So Severe

Remediation Steps (In Progress)

Summary

Who's Online [Full List]

Board Statistics