All news with #cloudflare tag

📣 Cloudflare’s 2025 Founders’ Letter reflects on 15 years of Internet change, highlighting encryption’s rise thanks in part to Universal SSL, slow IPv6 adoption, and the rising costs of scarce IPv4 space. It warns that AI answer engines are shifting value away from traffic-based business models and threatening publishers. Cloudflare previews tools and partnerships — including AI Crawl Control — to help creators control access and negotiate compensation.

🔐 Cloudflare explains that post-quantum cryptography (PQC) protects communications against future quantum computers and does not require specialized quantum hardware. PQC runs today on existing phones, servers, and network infrastructure, can scale at Internet level, and in many cases matches or exceeds classical performance. The post argues that quantum technologies like QKD and QRNG are interesting scientific tools but are neither necessary nor sufficient for broad post-quantum security; organizations should prioritize cryptographic agility and migration to PQC.

🔒 Cloudflare now lets administrators route traffic to a Cloudflare Tunnel by hostname or domain, removing the need to track changing IP addresses. By binding hostnames or wildcard domains to tunnels and writing Access or Gateway policies, teams can enforce per-resource zero-trust rules and secure egress without touching IP lists. Gateway uses synthetic initial IPs to tag hostname intent at Layer 4, map traffic back to private IPs, and forward it through the correct tunnel.

🔍 Cloudflare is upgrading its real user monitoring (RUM) suite by enabling Web Analytics for free domains by default on October 15, 2025 (EU/UK traffic excluded by default). A lightweight JavaScript beacon will collect aggregated client-side metrics—Core Web Vitals, resource timings and client-observed TLS durations—and pre-process data at the edge to remove personal identifiers before aggregation. The company emphasizes a privacy-first approach with no cookies, no localStorage, and no fingerprinting, and plans to correlate client metrics with in-network and origin telemetry to provide actionable debugging insights while preserving user privacy.

🔒 Microsoft and Cloudflare coordinated a disruption of the RaccoonO365 Phishing-as-a-Service operation in early September 2025, seizing 338 malicious websites and Cloudflare Worker accounts. The service is linked to at least 5,000 stolen Microsoft 365 credentials from 94 countries since July 2024 and was used in large campaigns, including a tax-themed sweep that targeted over 2,300 U.S. organizations. Kits bundled CAPTCHA and anti-bot evasion, were sold via a private Telegram channel, and investigators identified a suspected leader, prompting a criminal referral.

🔒 Microsoft and Cloudflare executed a coordinated takedown of RaccoonO365, a Nigerian-run phishing-as-a-service platform tracked by Microsoft as Storm-2246. The joint effort seized 338 domains and dismantled infrastructure that reportedly generated hundreds of millions of malicious messages and could bypass some MFA protections. Cloudflare removed intermediary Cloudflare Workers shields and deployed phish warning pages, while Microsoft pursued legal action and criminal referrals. The disruption exposed risks to healthcare providers and highlighted cross-border enforcement limits.

🔒 Microsoft and Cloudflare coordinated a court-ordered disruption that seized 338 domains used by RaccoonO365, a phishing-as-a-service accused of harvesting over 5,000 Microsoft 365 credentials across 94 countries since July 2024. The takedown, executed between September 2–8, 2025, removed malicious Workers scripts, placed interstitial phish warnings, and suspended accounts to cut criminal access. RaccoonO365 was marketed by subscription and used legitimate services like Cloudflare Turnstile and Workers to harden phishing pages and evade detection.

🔗 Cloudflare announced an integration between the Cloudflare One SASE platform and CrowdStrike Falcon Fusion SOAR, delivering two out‑of‑the‑box connectors for Zero Trust and Email Security. The prebuilt actions exposed in the CrowdStrike Content Library automate common tasks—searching messages, updating allow/block lists, adjusting access policies, and revoking tokens—to reduce manual investigation and accelerate remediation. Customers can chain Cloudflare actions with Falcon Fusion playbooks via a drag‑and‑drop editor to enable bidirectional containment across network, email, and endpoints. The integration supports Logpush to CrowdStrike HTTP ingest and can be enabled from both vendor consoles, with APIs and custom playbooks available for tailoring workflows.

⚠️ A bug in a dashboard React useEffect dependency caused an object to be recreated on every render, triggering repeated calls to the Tenant Service /organizations endpoint. Those excessive requests coincided with a Tenant Service deployment, overwhelming the service and breaking API authorization checks so many API requests returned 5xx errors and the Cloudflare dashboard became unavailable. Cloudflare mitigated the incident by scaling pods, applying a global rate limit, reverting a problematic patch, and applying a dashboard hotfix. They plan to prioritize Argo Rollouts for safer deployments, add randomized retry delays, increase Tenant Service capacity, and improve observability.

🔐 Okta has uncovered VoidProxy, a phishing-as-a-service operation that uses Adversary-in-the-Middle techniques to harvest Microsoft and Google credentials, MFA codes, and session tokens. The platform leverages compromised ESP accounts, URL shorteners, multiple redirects, Cloudflare Captcha and Cloudflare Workers to evade detection and hide infrastructure. Victims who enter credentials are proxied through an AitM server that captures session cookies and MFA responses, enabling account takeover. Okta recommends passkeys, security keys, device management, and session binding to mitigate the threat.

⚠️ Researchers have exposed a Salty2FA phishing kit that applies enterprise-grade tactics to harvest credentials and bypass detection. The campaign uses session-based subdomain rotation, abuse of legitimate platforms for staging, and corporate-branded login replicas to increase believability. Operators integrate Cloudflare Turnstile and obfuscated, XOR-encrypted JavaScript to block automated analysis and frustrate forensic inspection. Targets include healthcare, finance, technology, energy and automotive sectors, underscoring the need for updated defenses beyond traditional indicators.

🔐 A newly uncovered phishing campaign uses the Salty2FA phishing‑as‑a‑service kit to bypass multi‑factor authentication by intercepting verification methods, rotating unique subdomains and hiding behind Cloudflare Turnstile gates that filter automated analysis. Ontinue found the kit simulates SMS, authenticator apps, push prompts and hardware tokens while dynamically applying corporate branding to match victims' email domains. Industry experts characterize this as a more mature, evasive form of phishing and recommend phishing‑resistant authentication, runtime inspection and continuous user training.

🚀 Cloudflare has added support for the node:http client and server APIs in Workers, enabling developers to deploy existing Node.js HTTP applications at the edge with minimal code changes. This change makes frameworks like Express and Koa runnable on Workers with zero cold starts, automatic scaling, and reduced latency for global users. The client APIs are implemented on top of Workers' native fetch(), and server integration uses an internal bridge that registers listen(port) rather than binding TCP sockets. Some Node-specific features remain limited or unsupported (the Agent is effectively a no-op; trailers, early hints, 1xx responses, and TLS-specific options are not available).

🔒 Palo Alto Networks, Zscaler and Cloudflare disclosed a supply-chain breach traced to the Salesloft Drift integration with Salesforce. The compromise exposed business contact information, account/contact/case/opportunity records and, in some instances, OAuth tokens and plaintext support-case content; attachments and files were reportedly not affected. Palo Alto's Unit 42 observed active searches of exfiltrated data and deletion of queries consistent with anti-forensics. Vendors are advising immediate token revocation, credential rotation and comprehensive review of Salesforce logs and SOQL query history.

🔒 Cloudflare reported that Fina CA issued twelve unauthorized TLS certificates for the public DNS IP 1.1.1.1 between February 2024 and August 2025. All certificates have been revoked and Cloudflare found no evidence they were used maliciously, noting that successful impersonation would also require client trust in Fina and interception of traffic. The misissuance was detected via Certificate Transparency logs, and Cloudflare is improving alerts, monitoring, and triage to prevent similar lapses.

🔒 Cloudflare framed AI Week 2025 around products and controls to help organizations adopt AI while retaining safety and visibility. The company emphasized four core priorities: securing AI environments and workflows; protecting original content from misuse; enabling developers to build secure AI experiences; and applying AI to improve Cloudflare’s services. Key launches included AI Gateway, Infire, AI Crawl Control, expanded CASB scanning, and MCP Server Portals, with a continued focus on customer feedback and ongoing investment.

🔒 Cloudflare and Palo Alto Networks disclosed that threat actors accessed their Salesforce tenants via the third‑party Salesloft Drift app after compromising OAuth tokens. Cloudflare reported reconnaissance on 9 August 2025 and said data was exfiltrated from Salesforce case objects between 12–17 August 2025. The exposed fields principally contained support case text and business contact information; Cloudflare identified 104 API tokens and has rotated them, urging customers to rotate any credentials shared in cases. Google’s Threat Intelligence Group links the activity to UNC6395 and warns harvested data may be used for targeted follow‑on attacks.

🛡️ Cloudflare said it automatically mitigated a record-setting volumetric DDoS attack that peaked at 11.5 Tbps and reached 5.1 billion packets per second; the UDP flood lasted roughly 35 seconds and reportedly originated largely from Google Cloud. The company reported it has autonomously blocked hundreds of hyper‑volumetric L3/4 attacks in recent weeks, underscoring a sharp surge in such events. Security researchers warn these massive traffic floods can be used as a smoke screen for follow-on targeted exploits.

🔒 Three major vendors—Palo Alto Networks, Zscaler, and Cloudflare disclosed a supply‑chain breach tied to the Salesloft Drift Salesforce integration that exposed OAuth tokens and customer CRM data. The incident reportedly involved mass exfiltration from Account, Contact, Case and Opportunity records and included business contact data and some plaintext case notes. Vendors recommend rotating credentials, revoking unused OAuth tokens, auditing Salesforce Event Monitoring and reviewing SOQL query logs and connected-app activity for signs of abuse.

🔒 Cloudflare disclosed attackers accessed a Salesforce instance used for internal customer case management in a broader Salesloft Drift supply‑chain breach, exposing 104 Cloudflare API tokens and the text contents of support case objects. Cloudflare was notified on August 23, rotated all exfiltrated platform-issued tokens, and began notifying impacted customers on September 2. The company said only text fields were stolen — subject lines, case bodies and contact details — but warned customers that any credentials shared via support tickets should be considered compromised and rotated immediately.