Daily Cyber Briefing
The Daily Cyber Briefing delivers concise, no-fluff updates on the latest cybersecurity threats, breaches, and regulatory changes. Each episode equips listeners with actionable insights to stay ahead of emerging risks in today’s fast-moving digital landscape.
Cloud Chaos, Router Espionage, and the 7-Zip Time Bomb
Today we dive into Cloudflare's massive outage caused by a database mishap and track the alarming rise of ransomware targeting Amazon S3 misconfigurations. Plus, we uncover a global espionage network hidden inside 50,000 compromised Asus routers.
Welcome back to Cyber Scoops & Digital Shenanigans, the podcast where we break down the most critical cybersecurity news of the week. I’m your host, Mike Housch, and we have a packed episode today covering major infrastructure failures, targeted cloud ransomware, and nation-state hardware hacks.
Let’s start with the cloud, which had a terrible, horrible, no good, very bad week. First up, the massive Cloudflare outage. On Tuesday, Cloudflare experienced its worst outage in six years, blocking access to many websites and online platforms for nearly six hours.
Now, the good news, according to CEO Matthew Prince, is that the service disruptions were not caused by a cyberattack or malicious activity of any kind. The issue was purely technical.
The whole incident was triggered by a routine update to database permissions. This change caused one of their database systems to output duplicate entries into a configuration file used by the Bot Management system. This feature file, designed to have about 60 features, suddenly doubled to over 200, exceeding a hardcoded 200-feature limit. Because the file was oversized and exceeded the built-in size limits, the software crashed while attempting to route traffic across Cloudflare’s network.
Cloudflare’s Global Network is huge—it’s a distributed infrastructure of servers and data centers across more than 120 countries, connecting to over 13,000 networks globally. When the oversized file propagated, the Bot Management module’s Rust code triggered a system panic and 5xx errors, effectively crashing the core proxy system. Core traffic was normalized by 14:30 UTC, but the full resolution took almost six hours, until 17:06 UTC. Prince called the outage "unacceptable," given the company’s importance in the Internet ecosystem. They previously mitigated another massive outage in June, which impacted Zero Trust WARP connectivity and Google Cloud infrastructure.
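The failure mode described above, a generated configuration file that silently grows past a hard-coded limit and takes down the consumer, is illustrated by this added example. It is not Cloudflare's code: the file format, the names, the limit value and the sample files are all constructed. The loader validates an incoming feature file for duplicates and size and, when the file is bad, keeps the last known-good configuration rather than crashing.

```python
"""Fail-safe loader for a generated feature-configuration file (added example,
not Cloudflare code). The file format, names and sample contents are constructed.
"""
import json

MAX_FEATURES = 200  # hard-coded capacity, mirroring the limit in the outage narrative


class ConfigError(ValueError):
    """Raised when a feature file must not be accepted."""


def parse_feature_file(text, max_features=MAX_FEATURES):
    """Parse a JSON list of feature names.

    Rejects malformed JSON, non-string entries, duplicate entries and lists
    larger than `max_features`. Returns the list of feature names on success.
    """
    try:
        entries = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ConfigError(f"malformed feature file: {exc}") from exc
    if not isinstance(entries, list):
        raise ConfigError("feature file must be a JSON list")
    seen = set()
    duplicates = []
    for name in entries:
        if not isinstance(name, str):
            raise ConfigError(f"non-string feature entry: {name!r}")
        if name in seen:
            duplicates.append(name)
        seen.add(name)
    if duplicates:
        # duplicated rows are the symptom that doubled the file in the outage story
        raise ConfigError(f"{len(duplicates)} duplicate entries, e.g. {duplicates[0]!r}")
    if len(entries) > max_features:
        raise ConfigError(f"{len(entries)} features exceeds limit of {max_features}")
    return entries


class FeatureStore:
    """Holds the active feature list; a bad update is rejected, never propagated."""

    def __init__(self, initial_text):
        self.active = parse_feature_file(initial_text)
        self.rejected = 0

    def update(self, text):
        """Apply a new file; return True if accepted, False if the old config was kept."""
        try:
            self.active = parse_feature_file(text)
            return True
        except ConfigError as exc:
            self.rejected += 1
            print(f"rejected update, keeping {len(self.active)} features: {exc}")
            return False


# constructed sample files: a healthy ~60-entry file and the same rows emitted four times
GOOD_FILE = json.dumps([f"feature_{i}" for i in range(60)])
BAD_FILE = json.dumps([f"feature_{i}" for i in range(60)] * 4)

if __name__ == "__main__":
    store = FeatureStore(GOOD_FILE)
    store.update(BAD_FILE)
    print(f"active features: {len(store.active)}, rejected updates: {store.rejected}")
```

The design point is that the limit is enforced at the boundary where the file is loaded, and the consumer holds on to the previous valid state, so an upstream data problem degrades into a logged rejection instead of a fleet-wide crash.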
Now, moving from accidents to active threats in the cloud, we have new and dangerous ransomware variants specifically targeting Amazon Simple Storage Service, or S3, buckets. Unlike traditional ransomware that uses malicious software, these attacks leverage weak access controls and configuration mistakes to lock organizations out of their critical business data. Attackers are adapting their methods, shifting from on-premises systems to cloud-based resources where valuable information is stored.
Threat actors gain unauthorized access often through stolen credentials, leaked access keys from public code repositories, or compromised AWS accounts with excessive permissions. Once inside, they hunt for vulnerable S3 buckets that lack protections such as versioning or Object Lock.
Trend Micro security researchers documented five distinct variants, but one stands out as particularly dangerous: the Server-Side Encryption with Customer-Provided Keys, or SSE-C, variant. This approach is nasty because it can create permanently unrecoverable encrypted data. The attackers gain write-level access and use specific HTTP request headers or AWS command-line tools to initiate encryption, providing a locally stored AES-256 encryption key.
Here’s the critical part: AWS uses the attacker’s key to secure the data but never stores the actual key in its systems. AWS only logs a Hash-based Message Authentication Code (HMAC) of the key in CloudTrail logs, which cannot be reversed. This means that once the process is complete, neither the victim organization nor AWS support can recover the encrypted information. Organizations can fight back by implementing policy controls that block SSE-C encryption requests at the bucket level and by monitoring CloudTrail logs for unusual SSE-C activities.
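The two defensive measures just mentioned, a bucket-level deny on SSE-C requests and a CloudTrail check for SSE-C activity, as an added example. This is not code from the podcast, from AWS or from Trend Micro. It assumes the S3 IAM condition key `s3:x-amz-server-side-encryption-customer-algorithm` and the `additionalEventData.SSEApplied` field that S3 data-event records carry; the bucket name and the log records are constructed.

```python
"""Bucket policy that denies SSE-C uploads, plus a CloudTrail scan for SSE-C events.

Added example, not from the podcast, AWS or Trend Micro. Assumes the S3 condition
key s3:x-amz-server-side-encryption-customer-algorithm and the SSEApplied field
in S3 data-event records; the bucket name and the sample records are constructed.
"""
from collections import Counter

SSEC_CONDITION_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"


def deny_ssec_policy(bucket):
    """Return a bucket policy that denies any PutObject carrying an SSE-C algorithm header.

    CopyObject is authorised as s3:PutObject on the destination, so it is covered too.
    A "Null": "false" condition matches requests where the key IS present, i.e. every
    request that names a customer-provided key algorithm.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyCustomerProvidedKeys",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                "Condition": {"Null": {SSEC_CONDITION_KEY: "false"}},
            }
        ],
    }


def find_ssec_events(records):
    """Return a list of S3 data events where the object was written with SSE-C."""
    hits = []
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        if rec.get("eventName") not in ("PutObject", "CopyObject"):
            continue
        if rec.get("additionalEventData", {}).get("SSEApplied") != "SSE_C":
            continue
        params = rec.get("requestParameters", {})
        hits.append({
            "time": rec.get("eventTime"),
            "principal": rec.get("userIdentity", {}).get("arn"),
            "bucket": params.get("bucketName"),
            "key": params.get("key"),
            "source_ip": rec.get("sourceIPAddress"),
        })
    return hits


def principals_over_threshold(hits, threshold):
    """Principals responsible for at least `threshold` SSE-C writes (bulk re-encryption signal)."""
    counts = Counter(h["principal"] for h in hits)
    return {p: n for p, n in counts.items() if n >= threshold}


# constructed CloudTrail-style records: one normal KMS write, one read, one SSE-C write
SAMPLE_RECORDS = [
    {"eventTime": "2025-11-20T09:00:01Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/app-deploy"},
     "requestParameters": {"bucketName": "example-bucket", "key": "reports/q3.pdf"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
    {"eventTime": "2025-11-20T09:00:05Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/app-deploy"},
     "requestParameters": {"bucketName": "example-bucket", "key": "reports/q3.pdf"}},
    {"eventTime": "2025-11-20T09:01:42Z", "eventSource": "s3.amazonaws.com",
     "eventName": "CopyObject", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/leaked-ci-key"},
     "requestParameters": {"bucketName": "example-bucket", "key": "reports/q3.pdf"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
]

if __name__ == "__main__":
    import json
    print(json.dumps(deny_ssec_policy("example-bucket"), indent=2))
    for hit in find_ssec_events(SAMPLE_RECORDS):
        print("SSE-C write:", hit)
```

Note the `Deny` statement is evaluated before any `Allow`, so it holds even against a principal whose stolen key has `s3:*`; the CloudTrail scan needs S3 data events enabled for the bucket, which are not logged by default, and a copy-in-place with SSE-C shows up as a write with the same key, which is exactly the pattern the scan surfaces.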
Shifting gears to hardware espionage, security firm SecurityScorecard uncovered a massive global network established by a Chinese state-sponsored threat actor. This operation, dubbed Operation WrtHug, has compromised over 50,000 Asus routers. The goal? To establish a persistent network for global espionage campaigns known as an Operational Relay Box, or ORB, facilitation campaign.
The hackers exploited known vulnerabilities in discontinued Asus devices, specifically targeting the AiCloud service, which lets users access local storage from the internet. The flaws exploited were high-severity command injection issues and critical improper authentication controls, including CVE-2023-41345 and CVE-2025-2492. Once compromised, the device became part of this global network. Over the last six months, researchers identified more than 50,000 unique IP addresses belonging to these compromised routers. While the largest concentration is in Taiwan (30% to 50%), clusters were also found in the US, Russia, Southeast Asia, and Europe. Users are strongly advised to apply patches or replace older, unsupported Asus router models immediately.
Let’s transition now to our vulnerability and threat roundup, starting with a troubling surge in probing activity. Malicious traffic targeting Palo Alto Networks' GlobalProtect portals surged almost 40-fold in 24 hours. GreyNoise observed about 2.3 million sessions hammering the "global-protect/login.esp" endpoint, hitting a 90-day high.
This massive spike is concerning because GreyNoise research often shows that spikes in attacker activity targeting a vendor frequently precede the disclosure of new vulnerabilities. In fact, 80 percent of observed cases were followed by a CVE disclosure within six weeks. The traffic seems to be a broad, opportunistic trawl, with scans aimed at GlobalProtect systems in the US, Mexico, and Pakistan. Security teams are advised to tighten access controls and be ready to implement blocklists, though no confirmed exploit is currently circulating.
Next up, critical software we all use: 7-Zip. Threat actors are actively exploiting a recently patched high-severity vulnerability, CVE-2025-11001, which leads to remote code execution. This is a file parsing directory traversal issue affecting 7-Zip’s handling of symbolic links in ZIP files. The flaw allows attackers to craft data that traverses to unintended directories during file processing.
NHS England warned that active exploitation of this bug has been observed in the wild, noting that a proof-of-concept exploit is available. The exploit specifically impacts Windows systems and abuses symbolic-link handling to write malicious files outside the intended extraction folder. Crucially, exploiting this to achieve arbitrary code execution typically requires 7-Zip to be running with administrative privileges, such as when used by a service account. This vulnerability was patched back in July in 7-Zip version 25.00. If you haven't updated, do it now.
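The class of bug just described, archive entries and symbolic links that steer an extractor outside its target directory, is what a safe extractor has to refuse. The following added example is not 7-Zip code and does not reproduce the 7-Zip flaw; it is a containment check for ZIP entries written in Python, with an archive of constructed entries built in memory to exercise each case (plain traversal, a link whose target escapes, and an entry whose path passes through an earlier link).

```python
"""Containment checks for ZIP extraction (added example, not 7-Zip code).

Classifies each archive entry before anything is written to disk. The archive
and all entry names below are constructed for the demonstration.
"""
import io
import os
import stat
import zipfile


def is_symlink_entry(info):
    """ZIP stores Unix mode bits in the top 16 bits of external_attr."""
    return stat.S_ISLNK(info.external_attr >> 16)


def stays_inside(base, relative):
    """True if joining `relative` to `base` cannot lexically escape `base`."""
    base = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base, relative))
    return candidate == base or candidate.startswith(base + os.sep)


def classify_entries(zf, dest):
    """Map each entry name to one of:
    'ok', 'symlink', 'traversal', 'symlink-escape', 'through-symlink'.

    A later entry whose path runs through an earlier symlink entry is flagged
    even when its own name looks contained, because on disk that link could
    already point anywhere.
    """
    result = {}
    symlink_names = set()
    for info in zf.infolist():
        name = info.filename
        parts = name.split("/")
        if any("/".join(parts[:i]) in symlink_names for i in range(1, len(parts))):
            result[name] = "through-symlink"
            continue
        if os.path.isabs(name) or not stays_inside(dest, name):
            result[name] = "traversal"
            continue
        if is_symlink_entry(info):
            symlink_names.add(name)
            target = zf.read(info).decode()
            link_dir = os.path.dirname(name)
            if os.path.isabs(target) or not stays_inside(dest, os.path.join(link_dir, target)):
                result[name] = "symlink-escape"
            else:
                result[name] = "symlink"
            continue
        result[name] = "ok"
    return result


def _symlink_info(name):
    info = zipfile.ZipInfo(name)
    info.external_attr = (stat.S_IFLNK | 0o777) << 16
    return info


def build_sample_archive():
    """Constructed in-memory archive covering the benign and the unsafe cases."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign file")
        zf.writestr("../escape.txt", "dot-dot traversal")
        zf.writestr(_symlink_info("link"), "../../outside")      # link target escapes
        zf.writestr("link/payload.txt", "written through the link")
        zf.writestr(_symlink_info("docs/alias"), "readme.txt")   # contained link
    buf.seek(0)
    return zipfile.ZipFile(buf)


if __name__ == "__main__":
    for entry, verdict in classify_entries(build_sample_archive(), "extract_dir").items():
        print(f"{verdict:16} {entry}")
```

The policy that falls out of this is simple: extract only entries classified `ok` (and, if links are needed at all, only `symlink`), and do the classification over the whole listing before writing, since the dangerous combination is a link created early and a file routed through it later.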
And finally, a quick update on SolarWinds. The vendor announced patches for three critical vulnerabilities in its Serv-U enterprise file transfer solution. These flaws, CVE-2025-40549, CVE-2025-40548, and CVE-2025-40547, can all be exploited for remote code execution by an attacker with administrator privileges. These issues affect Serv-U 15.5.2.2.102 and have been addressed in version 15.5.3. Given SolarWinds products are frequently targeted, these patches are absolutely essential.
Before we wrap up, a note on WhatsApp privacy. Researchers disclosed a novel enumeration technique that allowed them to scrape the accounts of all 3.5 billion WhatsApp users across 245 countries. They achieved this by generating phone number combinations and checking which were registered without being blocked by rate limiting. The scraped data included timestamps and public keys, and for users who made the data public, profile pictures and ‘about’ text. WhatsApp, owned by Meta, has rolled out mitigations, noting that this vulnerability only allowed scraping of basic publicly available information and that non-public data like messages were not exposed.
That’s it for this edition of Cyber Scoops & Digital Shenanigans. From Cloudflare’s database hiccup becoming a global outage, to nation-state hackers hiding in consumer routers, the digital world never sleeps. Remember to patch those routers, check your AWS S3 permissions, and stay vigilant. Until next time, I’m Mike Housch. Stay safe out there.