
SANS Stormcast Wednesday, November 19th, 2025: Kong Tuke; Cloudflare Outage

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9706.mp3




KongTuke Activity
This diary traces how a recent KongTuke infection evolved, starting from a ClickFix attack.
https://isc.sans.edu/diary/KongTuke%20activity/32498

Cloudflare Outage
Cloudflare suffered a large outage today after an oversized configuration file was loaded into its bot protection service.
https://x.com/dok2001


Google Patches Chrome 0-Day
Google patched two vulnerabilities in Chrome. One of them is already being exploited.
https://chromereleases.googleblog.com/2025/11/stable-channel-update-for-desktop_17.html

Podcast Transcript

Hello and welcome to the Wednesday, November 19th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Undergraduate Certificate Program in Cybersecurity Fundamentals.

Brad Duncan today published another diary with yet another variant of ClickFix. ClickFix, the CAPTCHA lookalike that tricks victims into copy-pasting PowerShell commands into their Windows command line. Well, in this particular case, it's going to lead you to install KongTuke, or Kong Tuke, not sure how to pronounce it. But this is an example of a traffic direction system, or TDS. This type of malware is a little bit different than what we often have, like info stealers or such. The main purpose of TDS systems is to give the attacker a platform to redirect their traffic. So these are typically proxies and the like that will just forward traffic for the attacker. They can often be chained for additional obfuscation of the traffic. And then the networks being created by the attacker are often also rented out to other attackers. So it's sort of a basic, fundamental part of this criminal underground economy.

And a couple weeks ago, I myself counted myself lucky because the Internet Storm Center website did not use AWS, which had its big outage a couple weeks ago. Well, this morning, I wasn't that lucky. We had a big outage of Cloudflare. Cloudflare stopped working for a few hours in the morning, at least East Coast time in the morning. Probably Europe or UTC, it was more the afternoon when this outage happened. And it took them quite a while to get things back up and going. Given the scale of Cloudflare, and I don't have the current numbers handy, but I remember something like 30% of websites or traffic going through Cloudflare, which seems plausible, there were a lot of large websites other than Internet Storm Center that were affected by this. Like, for example, X and many of the AI chatbots, for example, ChatGPT, but also Anthropic had some issues because they are behind Cloudflare. There has been so far a quick note here by Cloudflare's CTO, Dane Knecht, who stated that this was, well, for a change, not DNS. No, it was just a bad configuration file. Apparently, one of those configuration files that's created automatically and, well, a mistake in the script, and that hasn't really been specified yet what exactly there happened, created a corrupt or invalid configuration file that then led to the outage. This configuration file was related to the bot prevention, which is, of course, a big feature of Cloudflare and something where I can see how they sort of consistently update the rules here that they're using in order to defend against the bots and how this is highly automated. So you can say it's a little bit of a bot versus bot story here. They promised more details. At this point, I haven't seen anything official beyond this X post by the CTO.

And Google released a new version of Google Chrome fixing two type confusion vulnerabilities in V8, V8 being Google Chrome's JavaScript engine. One of these vulnerabilities is apparently already being exploited in the wild. So yet another Google Chrome zero-day. Make sure you are restarting Google Chrome once a day, which for the most part should take care of any automatic updates. And maybe at least once a week, make sure with the About page in Google Chrome that you are actually up to date.

Well, and that's it for today. Thanks for listening. Thanks for liking. Thanks for subscribing. And also special thanks for anybody leaving good comments in their favorite podcast platform. And talk to you again tomorrow. Bye.