Hello and welcome to the Wednesday, November 19th, 2025
edition of the SANS Internet Storm Center's Stormcast. My
name is Johannes Ullrich, recording today from
Jacksonville, Florida. And this episode is brought to you
by the SANS.edu Undergraduate Certificate Program in
Cybersecurity Fundamentals. Brad Duncan today published
another diary with yet another variant of ClickFix. ClickFix,
the CAPTCHA lookalike that tricks victims into
copy-pasting PowerShell commands into their Windows command
line. Well, in this particular case, it's going to lead you
to install Kong Tuke or Kong Tuke. Not sure how to pronounce it.
But this is an example of a traffic direction system or
TDS. This type of malware is a little bit different than what
we often have like info stealers or such. The main
purpose of TDS systems is to give the attacker a platform
to redirect their traffic. So these are typically proxies
and the like that will just forward traffic for the
attacker. They can often be chained for additional
obfuscation of the traffic. And then the networks being
created by the attacker are often also rented out to other
attackers. So it's sort of a basic fundamental part of this
criminal underground economy. And a couple weeks ago, I
counted myself lucky because the Internet Storm
Center website did not use AWS, which had its big outage
a couple weeks ago. Well, this morning, I wasn't that lucky.
We had a big outage of Cloudflare. Cloudflare stopped
working for a few hours in the morning, at least East Coast
time in the morning. Probably Europe or UTC. It was more the
afternoon when this outage happened. And it took them
quite a while to get things back up and going. Given the
scale of Cloudflare, and I don't have the current numbers
handy, but I remember something like 30% of websites
or traffic going through Cloudflare, which seems
plausible. There were a lot of large websites other than
Internet Storm Center that were affected by this. Like,
for example, X and many of the AI chatbots, for example,
ChatGPT, but also Anthropic had some issues because they
are behind Cloudflare. There has been so far a quick note
here by Cloudflare's CTO, Dane Knecht, who stated that this
was, well, for a change, not DNS. No, it was just a bad
configuration file. Apparently, one of those
configuration files that's created automatically and,
well, a mistake in the script, and it hasn't really been
specified yet what exactly happened there, created a
corrupt or invalid configuration file that then
led to the outage. This configuration file was related
to the bot prevention, which, of course, is a big feature of
Cloudflare and something where I can see how they sort of
consistently update the rules here that they're using in
order to defend against the bots and how this is highly
automated. So you can say it's a little bit of bot versus bot
story here. They promised more details. At this point, I
haven't seen anything official beyond this X post by the CTO.
And Google released a new version of Google Chrome
fixing two type confusion vulnerabilities in V8. V8
being Google Chrome's JavaScript engine. One of
these vulnerabilities is apparently already being
exploited in the wild. So yet another Google Chrome zero-day.
Make sure you are restarting Google Chrome once
a day, which for the most part should take care of any
automatic updates. And maybe at least once a week, make
sure with the About page in Google Chrome that you are
actually up to date. Well, and that's it for today. Thanks
for listening. Thanks for liking. Thanks for
subscribing. And also special thanks for anybody leaving
good comments in their favorite podcast platform. And
talk to you again tomorrow. Bye.