
Microsoft seizes hundreds of phishing sites tied to massive credential theft operation

Microsoft’s Digital Crimes Unit coordinated the seizure of 338 domains used by RaccoonO365, a financially motivated threat group that developed and sold phishing kits that have been used to steal more than 5,000 Microsoft credentials since July 2024, the company said Tuesday. 

The threat group, which Microsoft tracks as Storm-2246, enabled cybercriminals to steal credentials from organizations spanning 94 countries, making it the “fastest-growing tool used by cybercriminals to steal Microsoft 365 usernames and passwords,” Steven Masada, assistant general counsel at Microsoft’s DCU, said in a blog post.

RaccoonO365 services were used indiscriminately to target more than 2,300 U.S. organizations in a tax-themed phishing campaign earlier this year. Its kits, which use Microsoft branding for fraudulent emails, attachments and websites, have also been used against at least 20 U.S. health care organizations, according to Microsoft. 

“The rapid development, marketing, and accessibility of services like RaccoonO365 indicate that we are entering a troubling new phase of cybercrime where scams and threats are likely to multiply exponentially,” Masada said.

Microsoft, acting on a court order granted by the U.S. District Court for the Southern District of New York, worked with Cloudflare to seize and take down RaccoonO365’s infrastructure. The company also worked with Chainalysis to trace the threat group’s cryptocurrency transactions, allowing it to attribute malicious online activity to real identities.

Microsoft accuses Joshua Ogundipe of Nigeria of running the criminal enterprise, which sold phishing kits to a community base of more than 850 members on Telegram. Ogundipe and his associates have received at least $100,000 in cryptocurrency payments, reflecting an estimate of up to 200 subscriptions. 

“During the investigation, the DCU engaged directly with the threat actor without disclosing our identity to acquire the phishing kits,” Maurice Mason, principal cybercrime investigator at Microsoft’s DCU, said in a Q&A with Chainalysis.

In a separate purchase, the alleged cybercriminal inadvertently shared a cryptocurrency wallet address for payment that allowed investigators to trace the funds to a wallet hosted on a Nigeria-based cryptocurrency exchange previously linked to Ogundipe, Mason added. 

Microsoft said Ogundipe has a background in computer programming and accused him of writing the majority of the code for the subscription-based phishing service, which allows cybercriminals to send up to 9,000 phishing emails per day. Investigators said RaccoonO365 may have facilitated the transmission of hundreds of millions of malicious emails.

Microsoft, which sent a criminal referral for Ogundipe to international law enforcement, also voiced its continued frustration with the legal obstacles that persist in cross-border cases.

“Today’s patchwork of international laws remains a major obstacle and cybercriminals exploit these gaps,” Masada said. “Governments must work together to align their cybercrime laws, speed up cross-border prosecutions and close the loopholes that let criminals operate with impunity.”

RaccoonO365’s kits sent emails to victims with malicious attachments, links or QR codes that redirected users to a fake Microsoft O365 login page to harvest credentials, Cloudflare researchers said in a blog post. When victims entered credentials, the kit allowed attackers to capture the password and resulting session cookie, bypassing multifactor authentication.

The codebase included functions for anti-analysis and evasion, user-agent filtering, security vendor evasion, network-level blocking and dynamic traffic routing, according to Cloudflare.
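The kit behaviour described above is an adversary-in-the-middle: the victim's password and the session cookie issued after MFA are relayed to the attacker, who then replays that cookie from infrastructure of their own. One check a defender can run over their own sign-in and activity telemetry is to flag any session cookie that is later presented from a different network and browser than the client that established it. The code below is an added example, not Microsoft's or Cloudflare's; the event records are constructed for the demo, and the field names and the one-hour window are assumptions to be mapped onto whatever the identity provider actually logs.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    session_id: str    # opaque session cookie value (hash it in real telemetry)
    src_ip: str
    user_agent: str
    action: str        # "login" (session minted) or "activity" (session presented)


# Constructed sample telemetry, not real logs. In alice's case the cookie
# minted at 09:00 is presented seven minutes later from a different address
# and a different browser family: the trace left when a phishing proxy
# captures the cookie and the attacker replays it from their own host.
SAMPLE_EVENTS: List[Event] = [
    Event(datetime(2025, 9, 16, 9, 0, 0), "alice", "sess-A1", "203.0.113.10",
          "Mozilla/5.0 (Windows NT 10.0) Chrome/128", "login"),
    Event(datetime(2025, 9, 16, 9, 2, 0), "alice", "sess-A1", "203.0.113.10",
          "Mozilla/5.0 (Windows NT 10.0) Chrome/128", "activity"),
    Event(datetime(2025, 9, 16, 9, 7, 0), "alice", "sess-A1", "198.51.100.77",
          "Mozilla/5.0 (X11; Linux x86_64) Firefox/130", "activity"),
    Event(datetime(2025, 9, 16, 9, 0, 0), "bob", "sess-B9", "192.0.2.5",
          "Mozilla/5.0 (Macintosh) Safari/17", "login"),
    Event(datetime(2025, 9, 16, 11, 0, 0), "bob", "sess-B9", "192.0.2.5",
          "Mozilla/5.0 (Macintosh) Safari/17", "activity"),
]


def browser_family(user_agent: str) -> str:
    """Crude browser-family extraction. Edge and Chrome are tested before
    Safari because their user agents also contain the word Safari."""
    for name in ("Edg", "Chrome", "Firefox", "Safari"):
        if name in user_agent:
            return name
    return "unknown"


def find_replayed_sessions(events: List[Event],
                           window: timedelta = timedelta(hours=1)) -> Dict[str, List[str]]:
    """Map session_id -> reasons for every session presented from a different
    source IP *and* a different browser family than the client that logged in,
    within `window` of that login. Requiring both changes keeps a phone roaming
    between networks (IP changes, browser does not) out of the results; a
    replayed cookie from the attacker's own machine normally changes both."""
    origin: Dict[str, Event] = {}
    flagged: Dict[str, List[str]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action == "login":
            origin[ev.session_id] = ev
            continue
        login = origin.get(ev.session_id)
        if login is None:
            flagged.setdefault(ev.session_id, []).append("session used with no observed login")
            continue
        ip_changed = ev.src_ip != login.src_ip
        ua_changed = browser_family(ev.user_agent) != browser_family(login.user_agent)
        if ip_changed and ua_changed and ev.ts - login.ts <= window:
            flagged.setdefault(ev.session_id, []).append(
                f"{ev.ts.isoformat()} {login.src_ip}->{ev.src_ip} "
                f"{browser_family(login.user_agent)}->{browser_family(ev.user_agent)}")
    return flagged


if __name__ == "__main__":
    for sid, reasons in find_replayed_sessions(SAMPLE_EVENTS).items():
        print(sid, reasons)
```

Run against the sample, only alice's session is reported, with the IP and browser transition spelled out for the analyst. The window is a tuning knob: the kits sell immediacy, but a stolen cookie can be held back, so a longer window trades noise for coverage.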

The phishing emails were often a precursor to malware and ransomware, yet not every stolen credential led to compromised networks or fraud, according to Microsoft. The company said it always expects cybercriminals to try to rebuild operations after a takedown and pledged to take additional steps to dismantle any new or reemerging infrastructure.

The post Microsoft seizes hundreds of phishing sites tied to massive credential theft operation appeared first on CyberScoop.

Salesloft Drift attacks hit Cloudflare, Palo Alto Networks, Zscaler

Multiple security and technology companies have been swept up in a far-reaching attack spree originating at Salesloft Drift, including Cloudflare, PagerDuty, Palo Alto Networks, SpyCloud and Zscaler.

Victim organizations continue to come forward as customers of the third-party AI chat agent hunt for evidence of compromise or receive notices from Salesloft and other companies involved in response, recovery and ongoing attack investigations. 

Salesloft initially claimed exposure was limited to customers integrated with Salesforce. Yet, Google Threat Intelligence Group and Mandiant Consulting — Google’s incident response firm which is now working with Salesloft — said any platform integrated with Drift is potentially compromised. 

The root cause of the attacks, specifically how the threat group that Google tracks as UNC6395 gained initial access to Salesloft Drift, remains unconfirmed. “There is no evidence of any unusual or malicious activity with the Salesloft platform,” Salesloft said in an update Saturday.

On Monday, the company said “Drift will be taken offline in the very near future,” rendering the platform inaccessible and the Drift chatbot unavailable on customer websites. “This will provide the fastest path forward to comprehensively review the application and build additional resiliency and security in the system to return the application to full functionality,” the company added.

Salesloft, which acquired Drift in February 2024, has not responded to requests for comment since news of the attacks first surfaced last week. 

The company announced an agreement to merge with Clari, a competitor in the customer-relationship management space, one day before the attacks started Aug. 8. In the merger announcement, the combined companies said they will serve more than 5,000 organizations globally across all industries.

The exposure caused by the attacks has caused widespread concern, as customers seek clarity about the unfolding disaster. Salesloft customers are assessing if they were impacted, and then sifting through data to determine the extent to which they or their customers were compromised. 

The attacks did not hit every Salesloft Drift customer. Some Salesloft Drift customers, when contacted by CyberScoop, confirmed they were not implicated by the attacks and found no evidence that corporate or customer data was compromised. 

Okta said it was not impacted by the incident, but confirmed it was a target based on indicators of compromise Google Threat Intelligence Group shared last week. “The threat actor attempted to use a compromised token to access our Salesforce instance, but the attack failed because the connection originated from an unauthorized IP address,” the company said in a blog post Tuesday.

Many other businesses were less fortunate.

Sam Curry, chief information security officer at Zscaler, said the company’s Salesloft Drift integration with Salesforce was the point of unauthorized access. The company was using Salesloft Drift integrated with other platforms, but they were not impacted, he added. 

Data on a large number of Zscaler’s customers was exposed, including names, business email addresses, job titles, phone numbers, location details, Zscaler product licensing and commercial information, and plain text content from some support cases. 

“No product, service, or infrastructure was affected,” Curry said. “We are looking to hear from Salesloft Drift and from Salesforce if there are any other findings since this happened in their infrastructure.”

Curry said Zscaler was already in the process of ending its relationship with Salesloft Drift for unrelated reasons. 

Palo Alto Networks on Tuesday confirmed that it, too, was one of hundreds of organizations impacted by the supply chain attack. The company’s incident response business Unit 42 confirmed the incident was limited to its Salesforce environment, adding that no Palo Alto Networks products or services were impacted. 

“Most of the exfiltrated data was business contact information,” a Palo Alto Networks spokesperson told CyberScoop in an email. “However, a small number of customers who included sensitive information, such as credentials, in their recent case notes might also have had that data compromised.”

Cloudflare said any information customers shared with the company’s support system — including logs, tokens or passwords — should be considered compromised. The company said it found 104 Cloudflare API tokens in the compromised data and, while it found no evidence of abuse, rotated the tokens out of an abundance of caution.
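Cloudflare's 104 tokens and Palo Alto Networks' warning about credentials in case notes describe the same post-incident job: scan the exported case text for anything that looks like a secret, then rotate it. The scanner below is an added example, not either company's tooling. The AWS and GitHub patterns are the published formats and the private-key header is standard PEM; treating a Cloudflare API token as a 40-character URL-safe string is an assumption, so that detector is generic and backed by an entropy threshold. The case records are constructed.

```python
import math
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Illustrative detectors. The last pattern is an assumption about Cloudflare
# API tokens (40 URL-safe characters); it also matches any other opaque
# 40-character string, so it is treated as generic: reported only when no
# specific detector already covers the span and the entropy is high.
PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "cloudflare_token_like": re.compile(r"(?<![A-Za-z0-9_-])[A-Za-z0-9_-]{40}(?![A-Za-z0-9_-])"),
}
GENERIC = {"cloudflare_token_like"}


def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens score well above prose-like strings."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, min_entropy: float = 3.5) -> List[Tuple[str, str]]:
    """Return (detector, match) pairs for one case note. Specific detectors run
    first; a generic match that overlaps a span they already reported, or that
    looks too word-like, is dropped."""
    hits: List[Tuple[str, str]] = []
    spans: List[Tuple[int, int]] = []
    for name, pat in PATTERNS.items():
        for m in pat.finditer(text):
            start, end = m.span()
            if name in GENERIC:
                if any(s < end and start < e for s, e in spans):
                    continue
                if shannon_entropy(m.group(0)) < min_entropy:
                    continue
            hits.append((name, m.group(0)))
            spans.append((start, end))
    return hits


def scan_cases(cases: Iterable[Tuple[str, str]]) -> Dict[str, List[Tuple[str, str]]]:
    """cases: (case_id, text) pairs. Returns only the cases with findings,
    which is the list of records whose owners need a rotation notice."""
    findings: Dict[str, List[Tuple[str, str]]] = {}
    for case_id, text in cases:
        hits = scan_text(text)
        if hits:
            findings[case_id] = hits
    return findings


# Constructed support-case export, not real data. The AWS key is Amazon's own
# documentation example; the other tokens were made up for this demo.
SAMPLE_CASES = [
    ("CASE-1", "Zone stopped resolving. API token in use: Q7pX2vLmN9aB4cD8eF1gH5jK3rT6wYzU0sVoIe_- please check"),
    ("CASE-2", "Deploy fails with AccessDenied for AKIAIOSFODNN7EXAMPLE, secret omitted."),
    ("CASE-3", "Customer reports intermittent 522 errors on example.com since Monday."),
    ("CASE-4", "Repro: git clone with ghp_aB3dE6gH9jK2mN5pQ8sT1vW4yZ7bC0eF3hJ6 as the password."),
    ("CASE-5", "Pasting the cert material:\n-----BEGIN RSA PRIVATE KEY-----\nMIIEow(truncated)\n"),
]

if __name__ == "__main__":
    for cid, hits in scan_cases(SAMPLE_CASES).items():
        print(cid, hits)
```

CASE-4 shows why the overlap check matters: a classic GitHub token is itself exactly 40 URL-safe characters, so without it the generic detector would report the same secret twice. The threshold of 3.5 bits per character is a starting point; tune it against a sample of your own case text before relying on it.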

The company also maintained that no Cloudflare services or infrastructure were compromised. 

“We are responsible for the choice of tools we use in support of our business,” a group of Cloudflare security leaders said in a blog post Tuesday. “This breach has let our customers down. For that, we sincerely apologize.”

Former Salesloft Drift customers were impacted as well. In a blog post announcing some data contained in its Salesforce environment was exposed, SpyCloud said it was previously a customer of Salesloft and Drift, but not currently.

Google previously said the data theft campaign occurred over a 10-day period last month, potentially impacting more than 700 organizations.

The post Salesloft Drift attacks hit Cloudflare, Palo Alto Networks, Zscaler appeared first on CyberScoop.

Bots attack!

ISSUE 22.34.2 • 2025-08-28 By Susan Bradley For quite some time, the AskWoody website has been under a heavy distributed denial-of-service (DDoS) attack. We don’t know the precise reasons why we’ve become a target. From an editorial perspective, it would be nice to discover that we’d ruffled a few feathers and that an evil entity […]

Officials gain control of Rapper Bot DDoS botnet, charge lead developer and administrator

Authorities claim they’ve gained control of Rapper Bot and stopped attacks emanating from what they described as “among the most powerful DDoS botnets to have ever existed.” 

The takeover and effective disruption of the botnet, also known as Eleven Eleven Botnet and CowBot, occurred after officials identified and served a warrant at the Oregon residence of a 22-year-old man who allegedly developed and ran the operation since at least 2021.

Ethan Foltz of Eugene, Ore., was charged with one count of aiding and abetting computer intrusions in the U.S. District Court for the District of Alaska on Tuesday. He faces a maximum penalty of up to 10 years in prison, the Justice Department said.

Rapper Bot allegedly conducted more than 370,000 attacks, targeting 18,000 unique victims across 1,000 unique autonomous system numbers from April to early August, according to officials. 

The botnet, which primarily infected digital video recorders and Wi-Fi routers, infected between 65,000 and 95,000 devices to regularly conduct high-tempo DDoS attacks. Officials said Rapper Bot regularly conducted DDoS attacks measured between two and three terabits per second, adding that Rapper Bot’s largest attack may have exceeded six terabits per second.

Rapper Bot attacks impacted 80 countries, with DDoS attacks most heavily concentrated in China, Japan, the United States, Ireland and Hong Kong, officials said.

“Because Rapper Bot has been in operation since at least 2021, there is a strong likelihood that there are millions of victims, in terms of infected IoT devices, as well as millions of Rapper Bot initiated DDoS attacks,” a special agent with the Defense Criminal Investigative Service said in an affidavit for the criminal complaint against Foltz.

Investigators traced the botnet to Foltz after linking the botnet’s hosting provider to a PayPal account. Under court order, PayPal sent records to investigators indicating Foltz controlled the account and shared email addresses he associated with the account. Investigators said they determined the same IP address was used to access Foltz’s Gmail, PayPal and internet service provider simultaneously, despite his apparent use of VPN services.

Google accounts linked to Foltz revealed extensive evidence linking him to Rapper Bot, according to investigators. Foltz conducted searches for “RapperBot” and “Rapper Bot” more than 100 times, and sometimes after conducting these searches he viewed cybersecurity blogs, indicating he might have been monitoring what was known about the botnet in real time, officials said in the court documents.

DCIS served a warrant at Foltz’s residence in Oregon on Aug. 6, and during a recorded interview “Foltz stated that he was the primary administrator of Rapper Bot.” Foltz also named his primary partner as a person he only knew as “SlayKings,” adding that the botnet code was derived from the Mirai, Tsunami and fBot botnets.

Upon an official’s request, Foltz terminated Rapper Bot’s outbound attack capabilities and passed the administrative control of Rapper Bot to DCIS personnel. Foltz hasn’t been arrested, but officials familiar with the case said they’ve requested a summons in the case.

Akamai, Amazon Web Services, Cloudflare, Digital Ocean, Flashpoint, Google, PayPal and Unit 221B assisted law enforcement with the investigation.

The post Officials gain control of Rapper Bot DDoS botnet, charge lead developer and administrator appeared first on CyberScoop.

AI company Perplexity is sneaking to get around blocks on crawlers, Cloudflare alleges

Artificial intelligence startup Perplexity is using stealthy techniques to get around network blocks against systematic browsing and scraping of web pages, Cloudflare said Monday in a blog post.

The alleged activity prompted Cloudflare, which received complaints from its customers, to take action against Perplexity.

“There are clear preferences that crawlers should be transparent, serve a clear purpose, perform a specific activity, and, most importantly, follow website directives and preferences,” Cloudflare engineers wrote. “Based on Perplexity’s observed behavior, which is incompatible with those preferences, we have de-listed them as a verified bot and added heuristics to our managed rules that block this stealth crawling.”

It’s the latest step from Cloudflare in its approach to crawling from AI systems, following last month’s announcement allowing customers to block or charge fees from web crawlers deployed to scrape their websites and data.

Customers who disallowed Perplexity crawling activity in their robots.txt files, the file that tells crawlers which parts of a website they may and may not access, told Cloudflare that Perplexity was still able to access their content. 

“These customers told us that Perplexity was still able to access their content even when they saw its bots successfully blocked,” Cloudflare said. “We confirmed that Perplexity’s crawlers were in fact being blocked on the specific pages in question, and then performed several targeted tests to confirm what exact behavior we could observe.”
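robots.txt only binds crawlers that choose to honour it, and Python's standard library makes the gap easy to see: the same disallow rule that turns away a request declaring itself PerplexityBot says nothing about a request presenting an ordinary browser user agent, which is the behaviour Cloudflare describes. The added example below is not Cloudflare's or Perplexity's code; it pairs the robots.txt check with the source-address check a verified-bot programme relies on. The robots.txt is constructed, and the 192.0.2.0/24 range is a documentation network standing in for a crawler's real published addresses.

```python
import ipaddress
from typing import Dict, List, Optional
from urllib.robotparser import RobotFileParser

# Constructed robots.txt for a hypothetical site: PerplexityBot is disallowed
# everywhere, everyone else may crawl (no "*" entry means no restriction).
ROBOTS_TXT = """\
User-agent: PerplexityBot
Disallow: /
"""

# Assumption for the demo: the published source ranges of a verified crawler.
# Real operators publish such ranges or support a DNS-based check; this value
# is a documentation network, not any vendor's real address space.
VERIFIED_BOT_RANGES: Dict[str, List[ipaddress.IPv4Network]] = {
    "PerplexityBot": [ipaddress.ip_network("192.0.2.0/24")],
}


def robots_allows(user_agent: str, url: str) -> bool:
    """What the site's robots.txt says for the user agent the request *claims*."""
    rp = RobotFileParser()
    rp.parse(ROBOTS_TXT.splitlines())
    return rp.can_fetch(user_agent, url)


def claimed_bot(user_agent: str) -> Optional[str]:
    """Name of the verified bot the user agent claims to be, if any."""
    for name in VERIFIED_BOT_RANGES:
        if name.lower() in user_agent.lower():
            return name
    return None


def decide(user_agent: str, client_ip: str, url: str) -> str:
    """Return 'allow', 'block:robots' or 'block:spoofed'.

    A request that claims a verified bot's identity from an address outside
    that bot's ranges is refused as spoofed before robots.txt is consulted.
    A request with a generic browser user agent passes both checks, which is
    exactly the stealth-crawling case neither mechanism can settle on its own."""
    bot = claimed_bot(user_agent)
    if bot is not None:
        ip = ipaddress.ip_address(client_ip)
        if not any(ip in net for net in VERIFIED_BOT_RANGES[bot]):
            return "block:spoofed"
    if not robots_allows(user_agent, url):
        return "block:robots"
    return "allow"


if __name__ == "__main__":
    target = "https://example.com/articles/1"
    for ua, ip in [("PerplexityBot/1.0", "192.0.2.44"),
                   ("PerplexityBot/1.0", "198.51.100.9"),
                   ("Mozilla/5.0 (Windows NT 10.0) Chrome/124", "198.51.100.9")]:
        print(ua, ip, "->", decide(ua, ip, target))
```

The third case is the one that matters for this story: a browser-looking user agent from an address with no bot affiliation is allowed by robots.txt and cannot be called spoofed, so separating it from a human visitor takes behavioural signals (request rate, page-fetch patterns, the fingerprint of the client), which is what Cloudflare says it added to its managed rules.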

Emails to a Perplexity spokesperson and media email address seeking a response were not immediately answered. But spokesperson Jesse Dwyer told TechCrunch that Cloudflare’s blog post was no more than a “sales pitch,” that the screenshots in the post “show that no content was accessed” and the bot Cloudflare named “isn’t even ours.”

Perplexity later responded at length in its own blog post, calling Cloudflare’s work “embarrassing” and “disqualifying.”

Perplexity has encountered allegations of unethical web scraping in the past. Most recently, the BBC has threatened to sue the company over content scraping, one of many suits AI companies are facing, although some organizations have signed deals with AI firms, including with Perplexity.

In its blog post, Cloudflare said OpenAI is an example of a company following recommended practices on crawlers and blocked behavior.

Updated 8/5/25: to include link to fuller Perplexity response.

The post AI company Perplexity is sneaking to get around blocks on crawlers, Cloudflare alleges appeared first on CyberScoop.

The bots are out to get us

One of the risks of deploying a website, especially one that becomes popular, is that the bad guys take notice and use automated systems to attempt to take sites down — just because they can. Unfortunately, we are not immune. We have recently been experiencing large distributed-denial-of-service (DDoS) attacks — up to 400,000 hits per […]

KrebsOnSecurity Hit With Near-Record 6.3 Tbps DDoS

KrebsOnSecurity last week was hit by a near record distributed denial-of-service (DDoS) attack that clocked in at more than 6.3 terabits of data per second (a terabit is one trillion bits of data). The brief attack appears to have been a test run for a massive new Internet of Things (IoT) botnet capable of launching crippling digital assaults that few web destinations can withstand. Read on for more about the botnet, the attack, and the apparent creator of this global menace.

For reference, the 6.3 Tbps attack last week was ten times the size of the assault launched against this site in 2016 by the Mirai IoT botnet, which held KrebsOnSecurity offline for nearly four days. The 2016 assault was so large that Akamai, which was providing pro-bono DDoS protection for KrebsOnSecurity at the time, asked me to leave their service because the attack was causing problems for their paying customers.

Since the Mirai attack, KrebsOnSecurity.com has been behind the protection of Project Shield, a free DDoS defense service that Google provides to websites offering news, human rights, and election-related content. Google Security Engineer Damian Menscher told KrebsOnSecurity the May 12 attack was the largest Google has ever handled. In terms of sheer size, it is second only to a very similar attack that Cloudflare mitigated and wrote about in April.

After comparing notes with Cloudflare, Menscher said the botnet that launched both attacks bears the fingerprints of Aisuru, a digital siege machine that first surfaced less than a year ago. Menscher said the attack on KrebsOnSecurity lasted less than a minute, hurling large UDP data packets at random ports at a rate of approximately 585 million data packets per second.

“It was the type of attack normally designed to overwhelm network links,” Menscher said, referring to the throughput connections between and among various Internet service providers (ISPs). “For most companies, this size of attack would kill them.”

A graph depicting the 6.5 Tbps attack mitigated by Cloudflare in April 2025. Image: Cloudflare.

The Aisuru botnet comprises a globally-dispersed collection of hacked IoT devices, including routers, digital video recorders and other systems that are commandeered via default passwords or software vulnerabilities. As documented by researchers at QiAnXin XLab, the botnet was first identified in an August 2024 attack on a large gaming platform.

Aisuru reportedly went quiet after that exposure, only to reappear in November with even more firepower and software exploits. In a January 2025 report, XLab found the new and improved Aisuru (a.k.a. “Airashi”) had incorporated a previously unknown zero-day vulnerability in Cambium Networks cnPilot routers.

NOT FORKING AROUND

The people behind the Aisuru botnet have been peddling access to their DDoS machine in public Telegram chat channels that are closely monitored by multiple security firms. In August 2024, the botnet was rented out in subscription tiers ranging from $150 per day to $600 per week, offering attacks of up to two terabits per second.

“You may not attack any measurement walls, healthcare facilities, schools or government sites,” read a notice posted on Telegram by the Aisuru botnet owners in August 2024.

Interested parties were told to contact the Telegram handle “@yfork” to purchase a subscription. The account @yfork previously used the nickname “Forky,” an identity that has been posting to public DDoS-focused Telegram channels since 2021.

According to the FBI, Forky’s DDoS-for-hire domains have been seized in multiple law enforcement operations over the years. Last year, Forky said on Telegram he was selling the domain stresser[.]best, which saw its servers seized by the FBI in 2022 as part of an ongoing international law enforcement effort aimed at diminishing the supply of and demand for DDoS-for-hire services.

“The operator of this service, who calls himself ‘Forky,’ operates a Telegram channel to advertise features and communicate with current and prospective DDoS customers,” reads an FBI seizure warrant (PDF) issued for stresser[.]best. The FBI warrant stated that on the same day the seizures were announced, Forky posted a link to a story on this blog that detailed the domain seizure operation, adding the comment, “We are buying our new domains right now.”

A screenshot from the FBI’s seizure warrant for Forky’s DDoS-for-hire domains shows Forky announcing the resurrection of their service at new domains.

Approximately ten hours later, Forky posted again, including a screenshot of the stresser[.]best user dashboard, instructing customers to use their saved passwords for the old website on the new one.

A review of Forky’s posts to public Telegram channels — as indexed by the cyber intelligence firms Unit 221B and Flashpoint — reveals a 21-year-old individual who claims to reside in Brazil [full disclosure: Flashpoint is currently an advertiser on this blog].

Since late 2022, Forky’s posts have frequently promoted a DDoS mitigation company and ISP that he operates called botshield[.]io. The Botshield website is connected to a business entity registered in the United Kingdom called Botshield LTD, which lists a 21-year-old woman from Sao Paulo, Brazil as the director. Internet routing records indicate Botshield (AS213613) currently controls several hundred Internet addresses that were allocated to the company earlier this year.

Domaintools.com reports that botshield[.]io was registered in July 2022 to a Kaike Southier Leite in Sao Paulo. A LinkedIn profile by the same name says this individual is a network specialist from Brazil who works in “the planning and implementation of robust network infrastructures, with a focus on security, DDoS mitigation, colocation and cloud server services.”

MEET FORKY


In his posts to public Telegram chat channels, Forky has hardly attempted to conceal his whereabouts or identity. In countless chat conversations indexed by Unit 221B, Forky could be seen talking about everyday life in Brazil, often remarking on the extremely low or high prices in Brazil for a range of goods, from computer and networking gear to narcotics and food.

Reached via Telegram, Forky claimed he was “not involved in this type of illegal actions for years now,” and that the project had been taken over by other unspecified developers. Forky initially told KrebsOnSecurity he had been out of the botnet scene for years, only to concede this wasn’t true when presented with public posts on Telegram from late last year that clearly showed otherwise.

Forky denied being involved in the attack on KrebsOnSecurity, but acknowledged that he helped to develop and market the Aisuru botnet. Forky claims he is now merely a staff member for the Aisuru botnet team, and that he stopped running the botnet roughly two months ago after starting a family. Forky also said the woman named as director of Botshield is related to him.

Forky offered equivocal, evasive responses to a number of questions about the Aisuru botnet and his business endeavors. But on one point he was crystal clear:

“I have zero fear about you, the FBI, or Interpol,” Forky said, asserting that he is now almost entirely focused on their hosting business — Botshield.

Forky declined to discuss the makeup of his ISP’s clientele, or to clarify whether Botshield was more of a hosting provider or a DDoS mitigation firm. However, Forky has posted on Telegram about Botshield successfully mitigating large DDoS attacks launched against other DDoS-for-hire services.

DomainTools finds the same Sao Paulo street address in the registration records for botshield[.]io was used to register several other domains, including cant-mitigate[.]us. The email address in the WHOIS records for that domain is forkcontato@gmail.com, which DomainTools says was used to register the domain for the now-defunct DDoS-for-hire service stresser[.]us, one of the domains seized in the FBI’s 2023 crackdown.

On May 8, 2023, the U.S. Department of Justice announced the seizure of stresser[.]us, along with a dozen other domains offering DDoS services. The DOJ said ten of the 13 domains were reincarnations of services that were seized during a prior sweep in December, which targeted 48 top stresser services (also known as “booters”).

Forky claimed he could find out who attacked my site with Aisuru. But when pressed a day later on the question, Forky said he’d come up empty-handed.

“I tried to ask around, all the big guys are not retarded enough to attack you,” Forky explained in an interview on Telegram. “I didn’t have anything to do with it. But you are welcome to write the story and try to put the blame on me.”

THE GHOST OF MIRAI

The 6.3 Tbps attack last week caused no visible disruption to this site, in part because it was so brief — lasting approximately 45 seconds. DDoS attacks of such magnitude and brevity typically are produced when botnet operators wish to test or demonstrate their firepower for the benefit of potential buyers. Indeed, Google’s Menscher said it is likely that both the May 12 attack and the slightly larger 6.5 Tbps attack against Cloudflare last month were simply tests of the same botnet’s capabilities.

In many ways, the threat posed by the Aisuru/Airashi botnet is reminiscent of Mirai, an innovative IoT malware strain that emerged in the summer of 2016 and successfully out-competed virtually all other IoT malware strains in existence at the time.

As first revealed by KrebsOnSecurity in January 2017, the Mirai authors were two U.S. men who co-ran a DDoS mitigation service — even as they were selling far more lucrative DDoS-for-hire services using the most powerful botnet on the planet.

Less than a week after the Mirai botnet was used in a days-long DDoS against KrebsOnSecurity, the Mirai authors published the source code to their botnet so that they would not be the only ones in possession of it in the event of their arrest by federal investigators.

Ironically, the leaking of the Mirai source is precisely what led to the eventual unmasking and arrest of the Mirai authors, who went on to serve probation sentences that required them to consult with FBI investigators on DDoS investigations. But that leak also rapidly led to the creation of dozens of Mirai botnet clones, many of which were harnessed to fuel their own powerful DDoS-for-hire services.

Menscher told KrebsOnSecurity that as counterintuitive as it may sound, the Internet as a whole would probably be better off if the source code for Aisuru became public knowledge. After all, he said, the people behind Aisuru are in constant competition with other IoT botnet operators who are all striving to commandeer a finite number of vulnerable IoT devices globally.

Such a development would almost certainly cause a proliferation of Aisuru botnet clones, he said, but at least then the overall firepower from each individual botnet would be greatly diminished — or at least within range of the mitigation capabilities of most DDoS protection providers.

Barring a source code leak, Menscher said, it would be nice if someone published the full list of software exploits being used by the Aisuru operators to grow their botnet so quickly.

“Part of the reason Mirai was so dangerous was that it effectively took out competing botnets,” he said. “This attack somehow managed to compromise all these boxes that nobody else knows about. Ideally, we’d want to see that fragmented out, so that no [individual botnet operator] controls too much.”
