Massive 29.7 Tbps DDoS Attack Mitigated by Cloudflare
Summary: A record-breaking distributed denial-of-service (DDoS) attack, peaking at 29.7 terabits per second, was successfully detected and mitigated by a major cloud provider. The attack originated from a large-scale botnet-for-hire service and represents a new benchmark in volumetric DDoS capabilities, raising concerns about the growing power of accessible DDoS-as-a-service platforms.
Attack Characteristics and Scale
The attack in question reached a peak volume of 29.7 terabits per second, making it the largest DDoS event observed to date. The traffic was primarily composed of Layer 3 and Layer 4 amplification techniques, leveraging protocols such as UDP-based services and reflection/amplification vectors. The sheer volume overwhelmed typical network egress capacities, requiring a globally distributed mitigation infrastructure to absorb and filter the malicious traffic before it could saturate the target’s upstream links.
Botnet Infrastructure and Attack Vectors
The attack was orchestrated by a DDoS botnet-for-hire platform that has been active for over a year and has been linked to multiple hyper-volumetric campaigns. The botnet leverages a mix of compromised IoT devices, misconfigured servers, and cloud instances to generate traffic. Attack vectors included UDP-based amplification from protocols such as DNS, NTP, and Memcached, as well as direct flood methods from hijacked IP addresses. The botnet’s command-and-control infrastructure is designed to rotate rapidly, making takedown efforts more difficult and allowing sustained high-volume attacks over extended periods.
Impact on Target and Mitigation Response
The targeted organization, a major online service provider, experienced no service degradation thanks to the upstream provider’s real-time detection and scrubbing capabilities. The mitigation system identified the attack within seconds of initiation, automatically rerouting traffic through scrubbing centers where malicious packets were filtered out based on behavioral analysis, rate limiting, and signature-based detection. Legitimate traffic was then re-injected into the network, ensuring continuity of service despite the unprecedented attack volume.
Broader Implications for DDoS Defense
This event underscores the increasing accessibility and power of DDoS-as-a-service offerings, which allow even low-skill attackers to launch attacks at terabit-scale volumes. Organizations must now assume that traditional on-premises DDoS protection may be insufficient against such attacks and should instead rely on cloud-based, globally distributed mitigation services. Additionally, the incident highlights the importance of securing internet-facing services that can be abused for amplification, including DNS resolvers, NTP servers, and database services exposed to the public internet.
Recommendations for Organizations
Enterprises should ensure that all public-facing UDP services are properly secured, rate-limited, and, where possible, restricted to authorized clients. Network operators should implement BCP38 (ingress filtering) to prevent IP spoofing and reduce the pool of available amplification sources. Organizations should also review their DDoS protection strategy, ensuring they have access to a cloud-based mitigation provider capable of handling multi-terabit attacks. Regular DDoS readiness testing and incident response planning are critical to maintaining resilience in the face of increasingly powerful attacks.
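The two controls the recommendations above lean on, spotting reflected UDP traffic in flow records and applying BCP38 ingress filtering at the customer edge, are illustrated in the following added example. It is not code from the article or from Cloudflare: the reflector port list, the detection thresholds, the Flow record shape and the sample flow records are all constructed assumptions.

```python
"""Added example (not from the article): two defender-side checks for the
reflection/amplification traffic and the BCP38 ingress filtering the article
discusses. Thresholds, port list and sample flow records are constructed."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Standard service ports of the three reflection services the article names.
# Treating a UDP flow *from* one of these ports as a candidate reflected
# response is an assumption of this example.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 11211: "Memcached"}


@dataclass(frozen=True)
class Flow:
    """One aggregated flow record, as a NetFlow/IPFIX exporter would report it."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    byte_count: int


def flag_reflection_targets(flows, min_reflectors=3, min_avg_pkt=800, min_bytes=1_000_000):
    """Group UDP flows that come from reflector ports by destination and report
    destinations hit by many distinct reflectors with large packets and volume.
    Thresholds are illustrative; tune them to the link's normal traffic."""
    per_dst = defaultdict(lambda: {"reflectors": set(), "services": set(), "bytes": 0, "packets": 0})
    for f in flows:
        if f.proto != "UDP" or f.src_port not in REFLECTOR_PORTS:
            continue
        agg = per_dst[f.dst_ip]
        agg["reflectors"].add(f.src_ip)
        agg["services"].add(REFLECTOR_PORTS[f.src_port])
        agg["bytes"] += f.byte_count
        agg["packets"] += f.packets
    hits = {}
    for dst, agg in per_dst.items():
        avg_pkt = agg["bytes"] / agg["packets"] if agg["packets"] else 0
        if (len(agg["reflectors"]) >= min_reflectors
                and avg_pkt >= min_avg_pkt
                and agg["bytes"] >= min_bytes):
            hits[dst] = {
                "reflectors": len(agg["reflectors"]),
                "services": sorted(agg["services"]),
                "avg_pkt_bytes": round(avg_pkt),
                "total_bytes": agg["bytes"],
            }
    return hits


def bcp38_allows(src_ip, customer_prefixes):
    """BCP38 ingress filter for a customer-facing port: forward a packet only if
    its source address falls inside a prefix assigned to that customer, so a
    spoofed victim address cannot leave the access network."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in customer_prefixes)


# Constructed sample: four reflectors in 198.51.100.0/24 sending large UDP
# "responses" to 203.0.113.10, plus ordinary traffic that must not be flagged.
SAMPLE_FLOWS = [
    Flow("198.51.100.11", 53, "203.0.113.10", 40001, "UDP", 1000, 1_400_000),
    Flow("198.51.100.12", 123, "203.0.113.10", 40002, "UDP", 1000, 1_400_000),
    Flow("198.51.100.13", 11211, "203.0.113.10", 40003, "UDP", 1000, 1_400_000),
    Flow("198.51.100.14", 53, "203.0.113.10", 40004, "UDP", 1000, 1_400_000),
    Flow("198.51.100.53", 53, "203.0.113.20", 51234, "UDP", 50, 6_000),      # normal DNS answers
    Flow("198.51.100.80", 443, "203.0.113.20", 51235, "TCP", 500, 700_000),  # TCP, ignored
]

if __name__ == "__main__":
    for victim, info in flag_reflection_targets(SAMPLE_FLOWS).items():
        print(f"possible reflection target {victim}: {info}")
    print("BCP38 forward own prefix:", bcp38_allows("192.0.2.5", ["192.0.2.0/24"]))
    print("BCP38 forward spoofed src:", bcp38_allows("203.0.113.10", ["192.0.2.0/24"]))
```

The reflection check keys on three signals together (several distinct reflector sources, a large average packet size, and aggregate volume) because any one of them alone matches legitimate traffic; the single-resolver DNS flow in the sample is deliberately left unflagged. The BCP38 function is the decision an access router makes per customer port; it is what removes spoofed packets from the pool a reflector could ever amplify.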
U.S. Government Warns of BRICKSTORM Backdoor Targeting VMware and Windows
Summary: A sophisticated backdoor named BRICKSTORM, attributed to a China-linked threat actor, is being used to maintain long-term access to VMware vSphere and Windows environments. The backdoor enables stealthy command-and-control, persistence, and lateral movement, with confirmed targeting of U.S. government and critical infrastructure entities.
Technical Profile of BRICKSTORM
BRICKSTORM is a multi-stage backdoor designed to operate within VMware vSphere environments and Windows systems. On VMware, it leverages virtualization-level capabilities to maintain persistence across host reboots and VM migrations. The backdoor integrates with vSphere management components, allowing it to execute arbitrary commands, manipulate virtual machines, and exfiltrate data without triggering standard host-based detection mechanisms. On Windows, BRICKSTORM uses a combination of registry modifications, scheduled tasks, and service installations to ensure persistence, often masquerading as legitimate VMware or system services.
Command-and-Control and Evasion Techniques
BRICKSTORM employs encrypted, domain-generation algorithm (DGA)-based command-and-control channels to communicate with its operators. Traffic is often routed through compromised legitimate websites or cloud services to blend in with normal traffic. The backdoor uses living-off-the-land techniques, relying on built-in tools such as PowerShell, WMI, and vSphere CLI utilities to execute commands, move laterally, and harvest credentials. This reduces reliance on custom malware and makes detection more difficult for traditional endpoint protection platforms.
Targeting and Operational Impact
The threat actor behind BRICKSTORM has focused on U.S. government agencies and critical infrastructure sectors, including energy, finance, and telecommunications. The primary objective appears to be long-term espionage, with the backdoor used to maintain access, escalate privileges, and move laterally within the network. In some cases, BRICKSTORM has been deployed alongside other tools to establish redundant access points, ensuring continued presence even if one component is discovered and removed.
Defensive Detection and Mitigation
Detection of BRICKSTORM requires a combination of network monitoring, endpoint telemetry, and vSphere-specific logging. Organizations should enable detailed logging on vCenter and ESXi hosts, monitor for unusual VM creation or configuration changes, and analyze network flows for connections to known malicious domains or IP addresses. Endpoint detection and response (EDR) solutions should be tuned to detect anomalous use of PowerShell, WMI, and other administrative tools, particularly in VMware management contexts. Immediate actions include patching VMware products, reviewing service and scheduled task configurations, and auditing vSphere permissions and access controls.
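Two of the detection opportunities named above, DGA-style command-and-control names in DNS telemetry and persistence entries masquerading as VMware services, can be turned into simple checks. The following is an added example, not code from the government advisory or from any vendor; the entropy and length thresholds, the list of trusted VMware directories, and the sample queries and service entries are all constructed assumptions rather than real indicators.

```python
"""Added example (not from the advisory): two detection heuristics for the
behaviour the article attributes to BRICKSTORM. flag_dga_like() scores DNS
query names for DGA-style randomness; flag_masquerading_services() checks
Windows service/scheduled-task entries that present themselves as VMware
components but run from outside the VMware install directories. Thresholds,
trusted paths and sample data are constructed assumptions."""
import math
from collections import Counter

VOWELS = set("aeiou")


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_label(fqdn):
    """Naive second-level label: the part left of the TLD. A production tool
    would use the Public Suffix List to handle suffixes such as co.uk."""
    labels = fqdn.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def score_label(label):
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    digit_ratio = sum(c.isdigit() for c in label) / len(label) if label else 0.0
    return {"length": len(label), "entropy": round(shannon_entropy(label), 3),
            "vowel_ratio": round(vowel_ratio, 3), "digit_ratio": round(digit_ratio, 3)}


def is_dga_like(label, min_len=12, min_entropy=3.5, max_vowel_ratio=0.3):
    """Heuristic: long, high-entropy labels with few vowels (or many digits)
    are typical of algorithmically generated names. Thresholds are illustrative."""
    s = score_label(label)
    return (s["length"] >= min_len and s["entropy"] >= min_entropy
            and (s["vowel_ratio"] <= max_vowel_ratio or s["digit_ratio"] >= 0.3))


def flag_dga_like(fqdns):
    """Return the queried names whose registrable label looks generated, in input order."""
    return [q for q in fqdns if is_dga_like(registrable_label(q))]


def flag_masquerading_services(entries, trusted_dirs):
    """Flag entries whose name claims to be VMware but whose binary lives
    outside trusted_dirs (case-insensitive prefix match on the path)."""
    norm = [d.lower().rstrip("\\") + "\\" for d in trusted_dirs]
    return [e for e in entries
            if "vmware" in e["name"].lower()
            and not any(e["path"].lower().startswith(d) for d in norm)]


# Constructed sample DNS queries (made-up names, not real indicators).
SAMPLE_QUERIES = [
    "updates.microsoft.com",
    "xk3j9qwpz7vb2n.com",
    "documentation.example.com",
    "vmware.com",
    "qhwtrzjlkxpvmgn.net",
]

# Constructed service inventory; the trusted directories are an assumption.
TRUSTED_VMWARE_DIRS = [r"C:\Program Files\VMware", r"C:\Program Files\Common Files\VMware"]
SAMPLE_SERVICES = [
    {"name": "VMware Tools", "path": r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"},
    {"name": "VMware Update Helper", "path": r"C:\Users\Public\vmupdate.exe"},
    {"name": "Windows Update", "path": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    print("DGA-like queries:", flag_dga_like(SAMPLE_QUERIES))
    for e in flag_masquerading_services(SAMPLE_SERVICES, TRUSTED_VMWARE_DIRS):
        print("suspicious VMware-named service:", e)
```

The DGA score is a triage aid, not a verdict: long legitimate labels such as "documentation" stay under the entropy bar because natural words repeat letters and carry vowels, while generated labels are near-uniform over the alphabet. The service check is equally modest, but it catches the specific masquerade the article describes, a VMware-named service started from a user-writable directory, which is cheap to audit on every host that runs vSphere management tooling.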
Strategic and Policy Implications
The use of BRICKSTORM reflects a broader trend of state-sponsored actors targeting virtualization and cloud infrastructure to gain deep, persistent access to critical systems. This highlights the need for enhanced security controls around virtualization platforms, including strict access management, network segmentation, and continuous monitoring. Organizations in critical sectors should treat virtualization environments as high-value assets and apply the same level of scrutiny as they would to core network infrastructure.
React2Shell Exploited in the Wild; Thousands of Systems Still Vulnerable
Summary: A critical vulnerability in the React JavaScript framework, dubbed React2Shell, is being actively exploited to achieve remote code execution on affected web servers. Despite available patches, tens of thousands of internet-facing systems remain vulnerable, particularly in the United States, Germany, and China, creating a significant attack surface for opportunistic and targeted campaigns.
Vulnerability Details and Exploitation Mechanism
React2Shell is a maximum-severity vulnerability that affects certain configurations of the React framework when used in server-side rendering (SSR) or API endpoints that process untrusted input. The flaw allows an attacker to manipulate serialized data or template expressions in a way that leads to arbitrary code execution on the underlying server. Exploitation typically involves sending specially crafted HTTP requests that trigger deserialization of malicious payloads or injection of code into dynamically generated responses, ultimately giving the attacker full control over the host operating system.
Attack Patterns and Observed Campaigns
Active exploitation of React2Shell has been observed in both opportunistic scanning campaigns and targeted attacks. Automated scanners are systematically probing internet-facing web applications for telltale signs of vulnerable React-based frameworks, followed by attempts to deploy web shells or execute reconnaissance commands. In targeted scenarios, attackers chain React2Shell with other vulnerabilities to move laterally, escalate privileges, and establish persistent access. The initial access is often used to deploy additional malware, including information stealers, cryptominers, and secondary backdoors.
Global Exposure and Patching Status
Scanning efforts have identified tens of thousands of IP addresses exposing systems vulnerable to React2Shell, with a significant concentration in the United States, followed by Germany and China. Many of these systems are part of enterprise web applications, content management platforms, and cloud-hosted services. While patches and security advisories have been released by the framework maintainers and affected vendors, patching rates remain low, particularly in environments with complex deployment pipelines or limited security resources.
Technical Mitigation and Hardening Measures
Organizations must immediately identify and patch all systems using the affected React versions, following vendor guidance for secure configuration. For server-side rendering and API endpoints, input validation and output encoding must be strictly enforced, and deserialization of untrusted data should be avoided. Web application firewalls (WAFs) can be configured with rules to detect and block known React2Shell exploitation patterns, providing an additional layer of defense while patching is underway. Runtime application self-protection (RASP) solutions can also help detect and terminate malicious execution attempts in real time.
Long-Term Security Implications
The React2Shell incident underscores the risks associated with complex JavaScript frameworks in production environments, especially when used in server-side contexts. It highlights the need for robust software composition analysis, dependency management, and continuous vulnerability monitoring in modern web development. Organizations must treat front-end frameworks not just as client-side components but as critical parts of the server-side attack surface, requiring the same level of security scrutiny as traditional server software.
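The first mitigation step above, finding every system that runs an affected React version, and the software composition analysis this paragraph calls for both reduce to walking the dependency lockfile and comparing installed versions against an advisory range. The following added example does that for an npm lockfile; it is not code from the article or the React project. The advisory range in it is an explicit placeholder (React 1.x never shipped), the lockfile excerpt is constructed, and the semver comparison is deliberately minimal.

```python
"""Added example (not from the article or the React project): a minimal
software-composition check that walks an npm lockfile (lockfileVersion 2/3
"packages" map), finds every installed copy of a package, including nested
copies, and reports those inside an advisory's affected version range.
The advisory range below is a PLACEHOLDER; take the real bounds from the
vendor advisory. The lockfile content is constructed."""
import json


def parse_semver(version):
    """Sort key for x.y.z[-prerelease]; a prerelease sorts before its release."""
    core, _, pre = version.partition("-")
    major, minor, patch = (int(p) for p in core.split(".")[:3])
    return (major, minor, patch, 0 if pre else 1, pre)


def in_range(version, introduced, fixed):
    """True if introduced <= version < fixed (fixed=None means no fix yet)."""
    v = parse_semver(version)
    if v < parse_semver(introduced):
        return False
    return fixed is None or v < parse_semver(fixed)


def installed_copies(lockfile, package):
    """Yield (path, version) for every copy of package in the lockfile,
    including copies nested under other packages' node_modules."""
    for path, entry in lockfile.get("packages", {}).items():
        if path and path.split("node_modules/")[-1] == package and "version" in entry:
            yield path, entry["version"]


def find_affected(lockfile, advisories):
    """Return [{path, package, version, range}] for every affected copy."""
    hits = []
    for package, ranges in advisories.items():
        for path, version in installed_copies(lockfile, package):
            for introduced, fixed in ranges:
                if in_range(version, introduced, fixed):
                    hits.append({"path": path, "package": package, "version": version,
                                 "range": f"{introduced} <= v < {fixed}"})
    return sorted(hits, key=lambda h: h["path"])


# PLACEHOLDER advisory: react 1.x never shipped, so these bounds cannot be
# mistaken for the real React2Shell range.
PLACEHOLDER_ADVISORY = {"react": [("1.0.0", "1.2.0")]}

# Constructed lockfile excerpt with a top-level react and a nested older copy.
SAMPLE_LOCKFILE = json.loads("""
{
  "name": "sample-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "sample-app", "version": "0.1.0"},
    "node_modules/react": {"version": "1.1.3"},
    "node_modules/react-dom": {"version": "1.1.3"},
    "node_modules/legacy-widget": {"version": "2.0.0"},
    "node_modules/legacy-widget/node_modules/react": {"version": "1.0.9"},
    "node_modules/other-tool/node_modules/react": {"version": "1.2.0"}
  }
}
""")

if __name__ == "__main__":
    for hit in find_affected(SAMPLE_LOCKFILE, PLACEHOLDER_ADVISORY):
        print(f"{hit['path']}: {hit['package']}@{hit['version']} is in {hit['range']}")
```

The point of reading the lockfile rather than package.json is the nested copy: a vendored widget can pin its own older React underneath the patched top-level one, and a server-side bundle may well import that copy. Run this against every deployable artifact, not just the repository root, since the article's low patch rates come precisely from build pipelines where the lockfile in the repository and the one in production drift apart.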
U.S. Indicts Contractors for Wiping 96 Government Databases
Summary: Two former government contractors have been indicted for allegedly stealing sensitive data and then deliberately deleting 96 government databases shortly after being terminated from their roles. The incident represents a serious insider threat case, with the defendants facing decades in prison if convicted.
Incident Timeline and Insider Actions
The defendants, both 34-year-old brothers, were employed as contractors supporting a U.S. government agency. After being fired, they allegedly accessed the agency’s systems using their existing credentials and executed a series of destructive actions. They first exfiltrated sensitive data, including personally identifiable information and operational records, and then systematically deleted 96 databases, causing significant disruption to agency operations. The deletions occurred in rapid succession, minutes after their termination, indicating premeditation and a clear intent to cause maximum damage.
Technical Methods and Access Abuse
The contractors leveraged their legitimate administrative privileges to perform the data theft and deletion. They used standard database management tools and scripts to export data to external storage and then issued DROP DATABASE and TRUNCATE commands to erase the affected databases. In some cases, they also deleted or modified backup configurations and logs to hinder recovery and forensic investigation. The use of authorized tools and credentials allowed them to bypass many perimeter and endpoint security controls, making the activity appear as normal administrative work until after the fact.
Impact on Government Operations and Data Recovery
The deletion of 96 databases disrupted critical government functions, including record-keeping, reporting, and service delivery. Recovery efforts required restoring from backups, which in some cases were incomplete or outdated, leading to permanent data loss. The incident also triggered a comprehensive security review, including access control audits, privilege revocation procedures, and improvements to offboarding processes for contractors and employees with elevated access.
Insider Threat Detection and Prevention
This case highlights the importance of robust insider threat programs, including continuous monitoring of privileged user activity, anomaly detection for unusual data access or export patterns, and automated alerts for high-risk actions such as bulk deletions. Organizations should implement just-in-time and just-enough-access models, enforce multi-person approval for critical operations, and ensure that access is immediately revoked upon termination. Behavioral analytics and user and entity behavior analytics (UEBA) can help identify suspicious patterns before they result in significant damage.
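The monitoring this paragraph describes, alerts on bulk deletions, on activity by accounts that should have been revoked, and on tampering with backups, is straightforward to express against a database audit log joined with an HR termination feed. The following added example does so; it is not code from the indictment or the article. The audit-line format, the HR feed, the five-minute burst window and the sample events are all constructed assumptions.

```python
"""Added example (not from the indictment or the article): a small audit-log
review for the insider pattern described above. It raises alerts when a
terminated account keeps acting after its termination time, when one account
issues a burst of destructive statements (DROP DATABASE / TRUNCATE / DROP
TABLE), and when backup configuration is changed. Log format, HR feed and
thresholds are constructed assumptions."""
import re
from datetime import datetime, timedelta, timezone

DESTRUCTIVE = {"DROP DATABASE", "DROP TABLE", "TRUNCATE"}
CONFIG_CHANGE = {"UPDATE", "DELETE", "DROP TABLE", "TRUNCATE"}
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>[A-Z ]+?) target=(?P<target>\S+)$")


def parse_ts(value):
    """ISO-8601 with trailing Z to an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_audit(lines):
    """Parse the constructed 'ts user= action= target=' format, oldest first."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:  # malformed lines are skipped here; a real tool should count them
            events.append({"ts": parse_ts(m["ts"]), "user": m["user"],
                           "action": m["action"], "target": m["target"]})
    return sorted(events, key=lambda e: e["ts"])


def review(lines, terminations, burst_n=3, burst_window=timedelta(minutes=5)):
    """Return a list of alerts {kind, user, ts, detail} over the audit lines."""
    events = parse_audit(lines)
    term = {u: parse_ts(t) for u, t in terminations.items()}
    alerts = []
    destructive_by_user = {}
    for e in events:
        # Any activity by an account after its HR termination time: access was not revoked.
        if e["user"] in term and e["ts"] >= term[e["user"]]:
            alerts.append({"kind": "terminated_account", "user": e["user"], "ts": e["ts"],
                           "detail": f"{e['action']} on {e['target']} after termination"})
        if e["action"] in DESTRUCTIVE:
            destructive_by_user.setdefault(e["user"], []).append(e["ts"])
        # Changes to anything named backup*: classic precursor to unrecoverable deletion.
        if e["target"].startswith("backup") and e["action"] in CONFIG_CHANGE:
            alerts.append({"kind": "backup_config_change", "user": e["user"], "ts": e["ts"],
                           "detail": f"{e['action']} on {e['target']}"})
    # One burst alert per user: the first window holding burst_n destructive statements.
    for user, stamps in destructive_by_user.items():
        for i in range(len(stamps) - burst_n + 1):
            if stamps[i + burst_n - 1] - stamps[i] <= burst_window:
                alerts.append({"kind": "destructive_burst", "user": user, "ts": stamps[i],
                               "detail": f"{burst_n} destructive statements within {burst_window}"})
                break
    return alerts


# Constructed audit lines: jdoe is terminated at 09:00 and keeps working minutes later;
# asmith is a normal admin dropping one scratch table.
SAMPLE_AUDIT = [
    "2024-03-01T09:03:12Z user=jdoe action=EXPORT target=hr_records",
    "2024-03-01T09:04:40Z user=jdoe action=DROP DATABASE target=hr_records",
    "2024-03-01T09:04:52Z user=jdoe action=DROP DATABASE target=payroll",
    "2024-03-01T09:05:05Z user=jdoe action=TRUNCATE target=audit_log",
    "2024-03-01T09:05:30Z user=jdoe action=UPDATE target=backup_schedule",
    "2024-03-01T10:15:00Z user=asmith action=DROP TABLE target=tmp_import",
    "2024-03-01T11:00:00Z user=asmith action=SELECT target=orders",
]
SAMPLE_TERMINATIONS = {"jdoe": "2024-03-01T09:00:00Z"}  # constructed HR feed

if __name__ == "__main__":
    for a in review(SAMPLE_AUDIT, SAMPLE_TERMINATIONS):
        print(f"{a['ts'].isoformat()} {a['kind']:22} {a['user']}: {a['detail']}")
```

The three rules map onto the three controls the paragraph names: the termination join is the check that revocation actually happened, the burst rule is the anomaly detector for bulk deletion, and the backup rule is the high-risk-action alert. In the sample every alert lands on jdoe within about five minutes of termination, which is the window the article says the real deletions occupied; the single DROP TABLE by asmith produces nothing, which is what keeps such a rule usable by a team that also has legitimate administrators.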
Legal and Policy Consequences
The indictment sends a strong message about the legal consequences of insider sabotage and data theft. The lead defendant faces a potential sentence of up to 45 years in prison, reflecting the severity of the alleged actions. The case is likely to influence government and contractor policies on access management, data handling, and incident response, particularly in environments where contractors have deep access to sensitive systems and data.
U.K. NCSC Launches Proactive Vulnerability Notification Service
Summary: The U.K.’s National Cyber Security Centre has introduced a new Proactive Notifications service, designed to alert organizations to known vulnerabilities and misconfigurations in their internet-facing infrastructure. The service is currently in a testing phase and aims to improve national cyber resilience by providing early warnings before exploitation occurs.
Service Design and Notification Scope
The Proactive Notifications service continuously scans the U.K. internet perimeter to identify systems with known vulnerabilities, exposed services, and common misconfigurations. When a potential issue is detected, the NCSC sends a notification to the organization’s registered contact, describing the affected IP address, service, and vulnerability details. Notifications cover a range of issues, including unpatched software, exposed remote management interfaces, default credentials, and insecure configurations of web servers, databases, and network devices.
Technical Implementation and Scanning Methodology
The NCSC uses a combination of active and passive scanning techniques to identify vulnerabilities. Active scans are carefully controlled to avoid disruption, focusing on standard ports and protocols. Passive monitoring includes analysis of internet-wide data sources to detect signs of compromise, such as beaconing to known command-and-control servers or exposure of sensitive endpoints. The system correlates findings with public vulnerability databases and threat intelligence feeds to prioritize notifications based on exploit availability and potential impact.
Benefits for Organizations and National Resilience
By providing early warnings, the service enables organizations to remediate issues before they are exploited by attackers. This is particularly valuable for smaller organizations that may lack dedicated security teams or continuous monitoring capabilities. The notifications also help organizations understand their external attack surface and prioritize patching and configuration hardening efforts, contributing to improved overall cyber hygiene across the U.K. economy.
Privacy and Operational Considerations
The NCSC has designed the service with privacy and operational safety in mind. Scans are limited to what is necessary to identify vulnerabilities, and no intrusive exploitation attempts are performed. Notifications are sent only to verified organizational contacts, and the service does not publicly disclose findings. Organizations are encouraged to register their contact information and ensure that their security teams are prepared to respond to incoming notifications in a timely manner.
Future Evolution and Integration
The Proactive Notifications service is expected to evolve based on feedback from the testing phase, with plans to expand coverage to additional vulnerability types and sectors. Future enhancements may include integration with existing security information and event management (SIEM) systems, automated ticketing, and more detailed remediation guidance. The service represents a shift toward a more proactive, intelligence-driven approach to national cybersecurity, where governments play a more active role in helping organizations defend themselves.