Canary Trap’s Bi-Weekly Cyber Roundup
Welcome to Canary Trap’s Bi-Weekly Cyber Roundup. Our mission is to keep you informed with the most pressing developments in the world of cybersecurity. This digest serves as your gateway to critical updates and emerging threats across the industry.
This week’s cybersecurity headlines highlight the growing risks posed by infrastructure instability, large-scale data exposure, and increasingly sophisticated supply-chain attacks. From Cloudflare’s major outage and claims of a massive WhatsApp data leak, to record-breaking Azure DDoS activity and new malware campaigns exploiting software updates, these developments serve as a reminder that both cloud environments and trusted update mechanisms remain high-value targets for attackers. Stay alert: this week’s stories reveal how rapidly the threat landscape continues to evolve.
- Cloudflare Blames This Week’s Massive Outage on Database Issues
Cloudflare faced a significant global service disruption on Tuesday, its most severe outage in more than six years, after an internal change to database access permissions caused a cascading failure across its distributed network. The incident left many websites and online services inaccessible for nearly six hours.
Cloudflare operates one of the world’s largest edge networks, spanning over 120 countries and connecting to tens of thousands of ISPs, cloud vendors, and enterprise networks. The infrastructure powers content delivery, security services, and performance optimization for a substantial portion of the internet.
In a post-incident analysis, Cloudflare emphasized that the failure was not the result of malicious activity but rather an unintended consequence of a routine database update.
The permissions change caused the database to generate duplicate metadata entries that were added to a configuration file used by Cloudflare’s Bot Management system. The file ballooned from roughly 60 entries to more than 200, surpassing a built-in cap intended to prevent excessive memory usage. When the oversized configuration propagated through the network, it triggered crashes that resulted in widespread 5xx errors and interrupted traffic routing.
Because updated nodes alternated between generating valid and invalid files, the network oscillated between functional and degraded states every few minutes, amplifying the disruption.
Engineers restored core traffic flow by approximately 14:30 UTC after rolling back the configuration to a prior stable version. Full functionality returned by 17:06 UTC, with impacts observed across Cloudflare’s core CDN services, Bot Management, Turnstile authentication, Workers KV, dashboard access, email security tools, and access control systems.
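The failure chain above (duplicate rows, a configuration file that outgrows its cap, a consumer that crashes on every node) and the rollback that ended it can be modelled in a few lines. This is an added illustration, not Cloudflare's code; the cap value, file format and `make_file` sample are assumptions.

```python
"""Fail-safe loader for a feature file with a hard entry cap.

Added example modelling the failure described above, not Cloudflare's code:
a database change emits duplicate rows, the generated file grows past the
consumer's cap, and a naive loader aborts on every node that receives it.
The hardened loader deduplicates and, if the file is still oversized, keeps
the last known-good configuration and reports the rejection instead of
crashing. The cap value is assumed; the real limit is not on the page.
"""
import json

MAX_FEATURES = 200  # assumed cap


class ConfigError(Exception):
    pass


def naive_load(raw: str) -> list:
    """The failure mode: abort when the file exceeds the cap."""
    features = json.loads(raw)
    if len(features) > MAX_FEATURES:
        raise ConfigError(f"{len(features)} entries exceed cap {MAX_FEATURES}")
    return features


def safe_load(raw: str, last_good: list) -> tuple:
    """Dedupe by feature name; fall back to last_good if still too big.

    Returns (features, accepted) so the caller can alert on a rejected push.
    """
    try:
        features = json.loads(raw)
    except json.JSONDecodeError:
        return last_good, False
    seen, deduped = set(), []
    for feat in features:
        name = feat.get("name")
        if name in seen:
            continue  # duplicate row from the upstream query
        seen.add(name)
        deduped.append(feat)
    if len(deduped) > MAX_FEATURES:
        return last_good, False  # keep serving with the previous file
    return deduped, True


def make_file(n_unique: int, dup_factor: int) -> str:
    """Constructed sample: n_unique features, each emitted dup_factor times."""
    rows = [{"name": f"feat{i}", "weight": i % 7} for i in range(n_unique)]
    return json.dumps(rows * dup_factor)
```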
This incident follows other major outages affecting large cloud infrastructure providers in 2024, including Cloudflare’s Zero Trust connectivity issues in June and a widespread AWS disruption in October caused by DNS failures.
- Researchers Claim Largest Leak Ever After Uncovering WhatsApp Enumeration Flaw
A team of Austrian security researchers recently uncovered a serious flaw in WhatsApp’s account lookup feature that allowed them to collect data on more than 3.5 billion users, a scale they claim could represent the largest data exposure ever recorded.
WhatsApp allows users to discover account details by entering a phone number. While designed for contact discovery, this mechanism can be repurposed to enumerate user profiles at scale, revealing:
- Phone numbers
- Display names
- Profile photos (when set)
By generating 63 billion phone numbers using a custom tool built with Google’s libphonenumber library, the researchers queried accounts at a rate exceeding 100 million lookups per hour. Notably, they reported no rate limits, IP blocks, or account restrictions, allowing continuous enumeration at roughly 7,000 requests per second.
Beyond basic identifiers, many accounts included additional personal information that can deepen profiling efforts:
- 57% had profile photos; most contained recognizable faces.
- 29% included text blurbs, some referencing sensitive subjects such as political affiliations, sexual orientation, drug involvement, professional emails, or links to accounts on platforms like LinkedIn and Tinder.
This data could facilitate reverse phonebook attacks, identity correlation across platforms, targeted phishing, or even surveillance.
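The missing controls the researchers describe (no rate limit, no blocking of sustained sequential lookups) are what a lookup endpoint needs in order to distinguish contact discovery from enumeration. The following is an added example, not WhatsApp's code; the `LookupGuard` class, its thresholds and the sample numbers are constructed for illustration.

```python
"""Throttling and enumeration detection for a contact-lookup endpoint.

Added example, not WhatsApp's code. The flaw above was a lookup API that
answered ~7,000 queries/second per client with no throttling. Two controls
are modelled: a per-client sliding-window limit, and a rule that blocks
clients whose lookups mostly miss (sequential guessing, not a genuine
address-book sync). Thresholds and sample numbers are constructed.
"""
from collections import Counter, deque

WINDOW_SECONDS = 60
MAX_LOOKUPS_PER_WINDOW = 300  # assumed: well above a genuine contact sync
MIN_SAMPLE = 50               # lookups before the miss-ratio rule applies
MAX_MISS_RATIO = 0.8
SAMPLE_REGISTERED = {f"+1555000{i:04d}" for i in range(0, 400, 20)}  # 20 live numbers


class LookupGuard:
    def __init__(self, registered: set):
        self.registered = registered  # numbers that have an account
        self.history = {}             # client -> deque of request timestamps
        self.stats = {}               # client -> [found, not_found]
        self.blocked = set()

    def lookup(self, client: str, number: str, now: float) -> str:
        """Return 'blocked', 'rate_limited', 'found' or 'not_found'."""
        if client in self.blocked:
            return "blocked"
        q = self.history.setdefault(client, deque())
        q.append(now)
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        if len(q) > MAX_LOOKUPS_PER_WINDOW:
            return "rate_limited"
        found = number in self.registered
        st = self.stats.setdefault(client, [0, 0])
        st[0 if found else 1] += 1
        total = st[0] + st[1]
        # A real address-book sync mostly hits; enumeration mostly misses.
        if total >= MIN_SAMPLE and st[1] / total > MAX_MISS_RATIO:
            self.blocked.add(client)
            return "blocked"
        return "found" if found else "not_found"


def simulate_enumeration(client: str = "scanner") -> dict:
    """Constructed scan of 400 sequential numbers in a mostly unused block."""
    guard = LookupGuard(SAMPLE_REGISTERED)
    return dict(Counter(guard.lookup(client, f"+1555000{i:04d}", now=i * 0.001)
                        for i in range(400)))
```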
The team also discovered active WhatsApp accounts tied to phone numbers from countries where the platform is banned, such as China, North Korea, and Myanmar. In regions that criminalize circumvention of digital restrictions, merely having an active account could expose individuals to legal or state-level consequences.
While some may downplay breaches involving basic identifiers, the researchers warn that combining profile photos, personal statements, and linked accounts transforms simple contact data into intelligence that can:
- Aid scammers in targeting active devices
- Support large-scale robocall campaigns
- Tie identities to political or personal behaviors
- Track government and military personnel
A comparison to the 2021 Facebook scrape revealed that half of those phone numbers remain active on WhatsApp, underscoring the longevity of such exposures.
The vulnerability was disclosed through Meta’s bug bounty program. WhatsApp’s engineering leadership acknowledged the issue, describing it as an unintended enumeration vector that bypassed existing protections. According to statements from Meta and the research team, defensive measures have since been deployed, and repeat attempts now trigger blocking.
The researchers confirmed compliance with responsible disclosure, including deletion of collected data, but noted that Meta took nearly a year to take meaningful action after initial reports.
While the flaw exposed public-facing profile metadata, messages remained protected by WhatsApp’s end-to-end encryption, and no private message content was accessible.
- Largest Azure DDoS Attack Powered by Aisuru Botnet
Microsoft announced that it recently stopped a massive denial-of-service (DDoS) attack targeting its Azure cloud platform, an event the company described as the largest attack ever directed at Azure’s infrastructure.
The assault reached a peak of 15.72 Tbps and roughly 3.64 billion packets per second, representing an unprecedented volume for Microsoft’s cloud environment. While the company framed it as the biggest attack observed in a cloud setting, the record for the largest publicly disclosed DDoS attack globally still belongs to a 22.2 Tbps attack against a European network provider, previously documented by Cloudflare and attributed to the Aisuru botnet.
The Azure-focused incident occurred on October 24, zeroing in on a single public endpoint in Australia. Like the record-breaking 22 Tbps attack reported earlier, this event was also powered by Aisuru, leveraging extremely high-rate UDP floods originating from more than 500,000 unique IPs across multiple geographic regions.
The traffic reportedly used minimal source spoofing and randomized source ports, simplifying traceback and enabling more effective response measures from network providers.
Aisuru is categorized as a TurboMirai-class IoT botnet, built from compromised consumer devices such as home routers, CCTV cameras, and DVR systems. Known primarily for its role in subscription-based DDoS-for-hire operations, the botnet has been used heavily against online gaming services, but its capabilities extend to credential attacks, web scraping, phishing campaigns, and spam distribution.
Security researchers note that TurboMirai variants generally lack packet spoofing capabilities, which allows defenders to trace traffic back to infected endpoints more easily—an advantage for remediation efforts targeting vulnerable devices.
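The traffic profile described above (very high packet rate, hundreds of thousands of real source addresses, randomized source ports) is exactly what a flow-level detector can key on, and because the sources are not spoofed the same aggregation yields a traceback list. This is an added example, not Microsoft's or Azure's telemetry code; the thresholds, flow tuple layout and sample addresses are assumptions.

```python
"""Flow-level detector for a high-rate UDP flood like the one described above.

Added example, not Microsoft's or Azure's telemetry code. It reads constructed
NetFlow-style records and, per destination, measures packet rate, distinct
sources and source-port randomness: many real (unspoofed) sources with random
ports at a very high packet rate is the TurboMirai-class signature, and the
returned source list supports traceback. Thresholds and addresses are assumed.
"""
import math
import random
from collections import defaultdict

MIN_PPS = 50_000         # assumed
MIN_SOURCES = 1_000      # assumed
MIN_PORT_ENTROPY = 10.0  # bits; fully random 16-bit ports approach 16


def _entropy(counter: dict) -> float:
    n = sum(counter.values())
    return -sum(c / n * math.log2(c / n) for c in counter.values()) if n else 0.0


def analyse(flows: list, window_s: float) -> dict:
    """flows: (src_ip, src_port, dst_ip, proto, packets) tuples for one window."""
    per_dst = defaultdict(lambda: {"pkts": 0, "udp": 0, "srcs": set(), "ports": defaultdict(int)})
    for src, sport, dst, proto, pkts in flows:
        d = per_dst[dst]
        d["pkts"] += pkts
        d["srcs"].add(src)
        d["ports"][sport] += pkts
        d["udp"] += pkts if proto == "udp" else 0
    verdicts = {}
    for dst, d in per_dst.items():
        pps = d["pkts"] / window_s
        ent = _entropy(d["ports"])
        flood = (pps >= MIN_PPS and len(d["srcs"]) >= MIN_SOURCES
                 and d["udp"] / d["pkts"] > 0.9 and ent >= MIN_PORT_ENTROPY)
        verdicts[dst] = {"pps": pps, "sources": sorted(d["srcs"]) if flood else [],
                         "source_count": len(d["srcs"]), "port_entropy": round(ent, 2),
                         "udp_flood": flood}
    return verdicts


def constructed_flows(seed: int = 1) -> list:
    """Constructed 10 s window: 3,000 bots hit one endpoint; 50 resolvers answer DNS to another."""
    rng = random.Random(seed)
    flows = [(f"10.{i // 65536}.{(i // 256) % 256}.{i % 256}", rng.randrange(1024, 65536),
              "203.0.113.10", "udp", 200) for i in range(3000)]
    flows += [(f"192.0.2.{i}", 53, "203.0.113.20", "udp", 100) for i in range(50)]
    return flows
```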
- EdgeStepper Implant Reroutes DNS Queries to Deploy Malware via Hijacked Software Updates
A threat group tracked as PlushDaemon has been observed deploying a new Go-based network backdoor, dubbed EdgeStepper, to carry out advanced adversary-in-the-middle (AitM) operations. The malware manipulates network traffic by hijacking DNS requests, sending them to attacker-controlled servers that masquerade as legitimate software update infrastructure. This allows the attackers to intercept, alter, or replace update packages before they reach their targets.
According to researchers at ESET, the tool functions by redirecting every DNS request to a malicious server that determines whether the request relates to update services. If the domain matches a monitored software provider, the attacker responds with a spoofed IP address that routes the victim to an imitation server hosting compromised update files.
PlushDaemon is assessed as a China-aligned threat actor active since at least 2018. Over the years, the group has targeted organizations across the U.S., New Zealand, Hong Kong, Taiwan, South Korea, mainland China, and Cambodia. Earlier this year, researchers linked the group to a supply-chain compromise involving a South Korean VPN provider, which was used to deploy a feature-rich malware family known as SlowStepper.
Like other Chinese state-aligned espionage clusters, PlushDaemon frequently uses AitM poisoning to establish footholds in victim environments. The process often begins with the compromise of network edge equipment, such as routers, through unpatched vulnerabilities or weak authentication.
Once deployed on a compromised device, EdgeStepper:
- Redirects DNS requests to an attacker-controlled DNS server
- Identifies requests associated with specific software update channels
- Responds with the IP address of a malicious distribution server
In some cases, both the DNS manipulation and payload hosting occur on the same attacker-controlled system.
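Because the three steps above depend entirely on the client trusting the on-path resolver's answer, one defensive check is to compare that answer with off-path resolvers and with the vendor's published address ranges. The following is an added example, not ESET's or any vendor's code; the hostname, prefixes and resolver outputs are constructed placeholders.

```python
"""Detecting DNS answers hijacked toward a rogue update server.

Added example, not ESET's or any vendor's code. EdgeStepper, as described
above, works because the client trusts whatever address the on-path
resolver returns for an update hostname. This check compares that answer
with answers from independent off-path resolvers and with the vendor's
published address ranges. Hostnames, prefixes and resolver outputs are
constructed placeholders; the real update infrastructure is not on the page.
"""
import ipaddress

# Assumed allow-list: update hostname -> vendor-published prefixes.
PINNED_PREFIXES = {
    "updates.vendor.invalid": ["203.0.113.0/24", "2001:db8:10::/48"],
}


def check_answer(hostname: str, local_answers: list, independent: dict) -> dict:
    """local_answers: records from the on-path resolver; independent: name -> records."""
    prefixes = [ipaddress.ip_network(p) for p in PINNED_PREFIXES.get(hostname, [])]

    def in_pinned(addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        return any(ip in p for p in prefixes)

    # Only enforce the allow-list for hostnames that have one.
    off_pinned = [a for a in local_answers if not in_pinned(a)] if prefixes else []
    # Every off-path resolver disagreeing with the on-path answer is the AitM signature.
    disagreeing = [name for name, recs in independent.items()
                   if set(recs) != set(local_answers)]
    all_disagree = bool(independent) and len(disagreeing) == len(independent)
    return {"hostname": hostname, "off_pinned": off_pinned,
            "disagreeing": disagreeing, "suspect": bool(off_pinned) or all_disagree}


def constructed_scenarios() -> dict:
    """Constructed: a clean resolution and one rerouted to a rogue host."""
    trusted = {"resolver_a": ["203.0.113.17"], "resolver_b": ["203.0.113.17"]}
    return {
        "clean": check_answer("updates.vendor.invalid", ["203.0.113.17"], trusted),
        "hijacked": check_answer("updates.vendor.invalid", ["198.51.100.9"], trusted),
    }
```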
PlushDaemon’s attacks specifically target update mechanisms of Chinese software, including popular applications like Sogou Pinyin. Once a target’s update traffic is redirected, victims unknowingly download a trojanized DLL, referred to as LittleDaemon.
LittleDaemon acts as a first-stage loader, checking whether the SlowStepper backdoor is already present. If not, it downloads a secondary payload nicknamed DaemonicLogistics, whose primary role is to retrieve and launch SlowStepper.
SlowStepper capabilities include:
- System reconnaissance
- File exfiltration
- Credential theft from major web browsers
- Data extraction from messaging apps
- Self-removal when necessary
Together, these components allow PlushDaemon to maintain persistent access to targets across multiple sectors and geographic regions.
References:
https://www.theregister.com/2025/11/19/whatsapp_enumeration_flaw/
https://www.securityweek.com/largest-azure-ddos-attack-powered-by-aisuru-botnet/
https://thehackernews.com/2025/11/edgestepper-implant-reroutes-dns.html