
All news with #cloudflare tag

Wed, November 19, 2025

Sneaky2FA PhaaS Adds Browser-in-the-Browser Deception

🔒 Sneaky2FA has integrated a Browser-in-the-Browser (BitB) pop-up that impersonates Microsoft sign-in windows and adapts to the victim’s OS and browser. Used alongside its existing SVG-based and attacker-in-the-middle (AitM) proxying, the BitB layer renders a fake URL bar and loads a reverse-proxy Microsoft login to capture credentials and active session tokens, enabling access even when 2FA is active. The kit also employs heavy obfuscation and conditional loading to evade analysis.


Wed, November 19, 2025

Cloudflare Outage Highlights Risks of Single-Vendor Reliance

🔍 An intermittent outage at Cloudflare on Nov. 18 briefly disrupted many major websites and forced some customers to pivot DNS and routing to preserve availability. Those provisional workarounds may have exposed origin infrastructure by bypassing edge protections such as WAFs and bot management. Security teams should review OWASP-related logs, emergency DNS changes, and any ad hoc services or devices introduced during the outage. The incident underscores single-vendor risk and the need for formal fallback plans.


Wed, November 19, 2025

Cloudflare Outage Caused by Database Permission Change

⚠️ Cloudflare suffered its worst outage in six years after a database permissions change caused its Bot Management system to generate an oversized configuration feature file containing duplicate entries. The file exceeded a hardcoded 200-feature limit, triggering a Rust panic that crashed core proxy software and produced widespread 5xx errors. Engineers restored service by replacing the problematic file, and full recovery was achieved several hours later.


Tue, November 18, 2025

Sneaky 2FA Kit Adds BitB Pop-ups That Mimic Address Bar

🔒 Push Security says the Sneaky 2FA Phishing-as-a-Service kit now leverages Browser-in-the-Browser (BitB) pop-ups to impersonate Microsoft login pages and conceal malicious URLs. Victims first pass a Cloudflare Turnstile bot check before a fake "Sign in with Microsoft" flow is loaded in an embedded BitB window that exfiltrates credentials and session data. The campaign pairs conditional loading, developer‑tool blocking, obfuscation, and rapid domain rotation; organizations should tighten conditional access and users should avoid unknown links and browser extensions.


Tue, November 18, 2025

Cloudflare outage disrupts global network services

⚠️ Cloudflare is investigating an outage that has produced widespread 500 internal server errors and impacted its Dashboard and API, disrupting access to numerous customer websites and platforms. The company first reported support portal availability issues and then an incident at 11:48 UTC affecting the Cloudflare Global Network, with multiple European nodes observed offline. Downdetector logged tens of thousands of reports, and Cloudflare says it is working to mitigate the incident; partial recovery has been reported for Access and WARP while remediation continues for application services.


Tue, November 18, 2025

Cloudflare outage (18 Nov 2025): feature file duplication

⚠️ On 18 November 2025, Cloudflare experienced a major outage after a permissions change in a ClickHouse database caused duplicated metadata to be emitted into a Bot Management feature file, doubling its size. The oversized file exceeded a preallocated feature limit in the core proxy, triggering a Rust panic and widespread HTTP 5xx errors. Cloudflare halted propagation, restored a known-good file, and restarted the proxy; services were largely restored by 14:30 UTC and fully recovered by 17:06 UTC. The company apologized and pledged architectural and process hardening to prevent recurrence.


Mon, November 17, 2025

Aisuru Botnet Fires 15.72 Tbps DDoS at Microsoft Azure

⚠️ Microsoft reported that the Aisuru botnet launched a massive DDoS attack against a public Azure IP in Australia, peaking at 15.72 Tbps and nearly 3.64 billion packets per second. The traffic originated from over 500,000 IP addresses and consisted of extremely high-rate UDP floods with minimal source spoofing. Microsoft noted the bursts used random source ports, which aided traceback and provider enforcement. Azure's mitigations absorbed the attack without a reported widespread outage.


Mon, November 17, 2025

Replicate Joins Cloudflare to Expand AI Developer Platform

🧭 Cloudflare is bringing Replicate into its developer platform to integrate Replicate’s large model catalog and community with Cloudflare’s global, serverless inference stack. Existing Replicate APIs and workflows will continue to operate without interruption while benefitting from Cloudflare’s performance and reliability. Workers AI users will get immediate access to a greatly expanded catalog plus upcoming support for fine-tuning and custom models, enabled by Cog and unified control through Cloudflare’s AI Gateway.


Fri, November 14, 2025

SpearSpecter: APT42 Targets Defense and Government

🛡️ The Israel National Digital Agency (INDA) has attributed a new espionage campaign codenamed SpearSpecter to Iranian state‑aligned APT42, active since September 2025 against senior defense and government officials and their family members. Operators employ tailored social engineering—invites to conferences and impersonated WhatsApp contacts—to deliver a WebDAV‑served .LNK via the search‑ms: handler that retrieves a batch script and stages the TAMECAT PowerShell backdoor. TAMECAT uses HTTPS, Discord, and Telegram for command-and-control, supports modular data‑theft capabilities (browser and Outlook exfiltration, screenshots), and relies on Cloudflare Workers, LOLBins, in‑memory execution, and obfuscation to maintain persistent, stealthy access.


Thu, November 13, 2025

Finding Salt failures: blaming commits to speed releases

🔍 Cloudflare explains how it accelerated triage and reduced release delays for Salt-managed configuration changes across thousands of servers. The company implemented a local job cache on minions to retain job results, built a Salt Blame execution module to correlate failed highstates with commits, releases and external outages, and automated hierarchical triage from chat. These changes removed repetitive SSH-and-log workflows, made root-cause attribution self-service for SREs, and yielded a measurable >5% reduction in time lost to Salt-related release delays while enabling ongoing analytics and feedback.


Thu, November 13, 2025

What CISOs Should Know About Securing MCP Servers Now

🔒 The Model Context Protocol (MCP) enables AI agents to connect to data sources, but early specifications lacked robust protections, leaving deployments exposed to prompt injection, token theft, and tool poisoning. Recent protocol updates — including OAuth, third‑party identity provider support, and an official MCP registry — plus vendor tooling from hyperscalers and startups have improved defenses. Still, authentication remains optional and gaps persist, so organizations should apply zero trust and least‑privilege controls, enforce strong secrets management and logging, and consider specialist MCP security solutions before production rollout.


Wed, November 12, 2025

Architecture of Remote Bindings for Local Worker Development

🚀 Cloudflare has made remote bindings generally available, letting local Workers connect to live resources such as R2 buckets, D1 and KV namespaces without deploying. Developers can enable a binding with "remote: true" in Wrangler v4.37.0 and use existing Wrangler OAuth credentials to access production data. The local workerd runtime proxies JS API calls to remote service bindings (including JSRPC via Cap’n Web websockets), and tooling like the Vite plugin and vitest-pool-workers can use utilities such as startRemoteProxySession to join remote sessions.


Mon, November 10, 2025

Cloudflare Introduces Python Workflows in Beta Release

🐍 Cloudflare has announced Python Workflows in beta, enabling developers to orchestrate multi-step, durable applications on Workers using Python. The feature aims for feature parity with the existing JavaScript SDK while adapting APIs to Pythonic idioms—using decorators for step callbacks and snake_case naming for method calls. Under the hood it leverages Pyodide and CPython in the runtime, exposes WorkflowStep as an RPC-backed JsProxy for at-most-once durable execution, and supports DAG-style concurrency via asyncio.gather. Targeted use cases include data pipelines, ML/LLM training loops, and autonomous agents where step-level retries, state persistence, and explicit wait points simplify orchestration.


Fri, November 7, 2025

Cloudflare Launches Self-Serve BYOIP API with RPKI

🔐 Cloudflare unveiled a self‑serve BYOIP API enabling customers to onboard and manage their own IP prefixes via automated workflows. The new flow replaces manual LOA reviews with a two-step validation that uses RPKI ROAs plus either IRR route-object modification or a reverse DNS validation token. Cloudflare will auto-generate LOA-style documentation for operators that still require it and enforces a default service binding to prevent accidental prefix blackholing. The initial rollout supports prefixes originated from AS13335 and is designed to shorten deployment timelines while strengthening routing security.


Thu, November 6, 2025

Cloudflare Stream Adds Audio Extraction for Video Files

🎧 Cloudflare Stream now lets developers extract audio-only M4A tracks from videos with a single API call or dashboard action. Use Media Transformations (mode=audio) for on-the-fly clipping or create persistent audio downloads for VOD-managed content. This reduces bandwidth, cost, and complexity for transcription, translation, moderation, and other audio-first AI workflows.


Thu, November 6, 2025

Cloudflare Open-Sources tokio-quiche: Async QUIC for Tokio

🚀 Cloudflare has open-sourced tokio-quiche, an async QUIC library that combines its quiche transport implementation with the Tokio async runtime. The project provides a battle-tested integration for async UDP I/O and HTTP/3, delivering low-latency, high-throughput handling of millions of requests per second without requiring developers to wire a sans-io stack. tokio-quiche includes an HTTP/3-focused driver, examples, and abstractions such as ApplicationOverQuic so teams can build clients and servers more quickly. It already powers Cloudflare Proxy B in Apple iCloud Private Relay, Oxy-based proxies, and Warp’s MASQUE client, and aims to accelerate broader adoption of HTTP/3 and QUIC.


Thu, November 6, 2025

Cloudflare Removes Aisuru Botnet Domains from Rankings

🛡️ Cloudflare has begun redacting and hiding domains tied to the rapidly growing Aisuru botnet after those malicious hostnames repeatedly appeared atop its public domain rankings. The botnet — composed of hundreds of thousands of compromised IoT devices — recently shifted from querying 8.8.8.8 to 1.1.1.1, flooding Cloudflare’s resolver and skewing popularity metrics. Cloudflare says attackers are likely both manipulating rankings and mounting attacks on its DNS service, and the company is refining its ranking algorithm while removing known malicious entries.


Wed, November 5, 2025

Cloudflare Workers VPC Services Enter Open Beta Today

🌐 Cloudflare announced the open beta of Workers VPC Services, enabling Workers to securely reach APIs, containers, VMs, serverless functions and databases inside regional private networks via Cloudflare Tunnels. Developers register services by hostname or IP and bind them to Workers, with access verified at deploy time to restrict Workers to only the declared service. The model reduces cloud lock‑in, mitigates SSRF risk, and is available free during the beta.


Tue, November 4, 2025

Cloudflare Introduces Isolated Testing for Workflows

🧪 Cloudflare has added local, isolated testing APIs for Workflows, enabling developers to introspect and mock workflow instances using the new cloudflare:test module. Available with @cloudflare/vitest-pool-workers v0.9.0+, the APIs (introspectWorkflowInstance and introspectWorkflow) let tests run offline inside the Workers runtime, mock step results and events, and preserve isolated storage for reliable, deterministic tests. This improves debug visibility, reduces flaky tests, and lets teams assert on intermediate steps without hitting external systems.


Mon, November 3, 2025

Cloudflare analysis confirms Turkmenistan IP changes

🔍 Cloudflare researchers revisited historic telemetry to assess reports that Turkmenistan experienced an unprecedented easing of IP address blocking in mid‑2024 and may have been testing a new firewall. Using Radar metrics, they observed a clear surge in HTTP requests beginning in mid‑June, alongside shifts in TCP reset and timeout patterns. These connection anomalies manifested at different stages of the TCP lifecycle across multiple autonomous systems, and while the data cannot provide attribution, the observed patterns are consistent with large‑scale filtering or firewall testing.
