
Ulbricht as bait, a new DDoS record, and other cybersecurity news
We compiled the week’s most important cybersecurity news.
- News about Ross Ulbricht inspired a fresh malware campaign.
- A record DDoS attack peaked at 5.6 Tbps.
- The Mamont virus spread on Telegram under the pretext of video downloads.
News about Ross Ulbricht became the lure for a fresh malware campaign
Attackers used reports of the release from prison of Silk Road darknet market founder Ross Ulbricht as a lure to draw users into fraudulent Telegram channels. The campaign was spotted by vx-underground.
Ross Ulbricht’s Xitter is being spammed with accounts which appear to be associated with him (image 1). However, the accounts are not. When you try to view the “official” Ross Ulbricht Telegram channel it asks to verify your identity (image 2).
It gives free malware! ♥️♥️♥️ pic.twitter.com/PWHm7Nlsf2
— vx-underground (@vxunderground) January 22, 2025
Those who follow the link are shown a fake identity-verification step inside a Telegram mini app. It walks them through running a PowerShell command that installs remote-access malware, which can then be used for data theft or extortion.
A Telegram representative told Bleeping Computer the platform monitors public-facing areas and removes malicious content when found.
A record DDoS attack hit 5.6 Tbps
Cloudflare mitigated a new hyper-volumetric DDoS attack that lasted 80 seconds and peaked at 5.6 Tbps. The incident occurred on October 29, 2024, but has only now been disclosed.
The UDP-based attack was launched by a Mirai-based botnet of 13,000 compromised devices. The target was an internet service provider in East Asia.
Detection and mitigation were fully autonomous.
Cloudflare had previously mitigated a record DDoS of 3.8 Tbps lasting 65 seconds in early October 2024.
The Mamont virus spread on Telegram under the guise of video downloads
Russia’s Interior Ministry warned that the Mamont Android banking trojan is being distributed via Telegram; once installed, it can read push notifications, SMS messages and photos in the gallery.
Most often, the trojanized app is sent as a file disguised as a video.
The ultimate goal is access to the victim’s payment instruments, along with personal data and other information stored on the smartphone.
Mamont can also automatically forward the malicious file to all of the victim’s Telegram contacts, spreading itself further.
A Cloudflare vulnerability exposed user geolocation via an image
A researcher known as hackermondev discovered a flaw in Cloudflare’s CDN that allows a user’s approximate location to be inferred by sending them an image and then checking which Cloudflare data centers cached it. Services through which the attack works include the privacy-focused messenger Signal and the Discord platform.
— daniel (@hackermondev) January 21, 2025
Normally, to speed up media delivery, Cloudflare caches an asset in the data center nearest to the user who fetched it. A bug in the Workers platform, however, let an attacker route a request for the same asset through a specific data center of their choosing. The researcher’s custom Cloudflare Teleport tool does this for every data center in turn and reads the responses: the cf-ray header carries the IATA airport code of the data center that served the request, and a cache HIT there means the asset had already been fetched by someone in that region.
Tracking accuracy is 50–300 miles (80–480 km), depending on the region and the number of Cloudflare data centers nearby.
Because many apps automatically fetch images to render push notifications, a target can be located without ever opening the message.
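The probe-interpretation step described above, as an added example that is not code from the article or from the researcher’s Cloudflare Teleport tool. It relies only on two documented Cloudflare response headers: cf-ray, whose last dash-separated field is the airport code of the serving data center, and cf-cache-status, which reads HIT when the asset was already cached there. The responses are constructed sample data, and the small coordinate table is a hypothetical subset used only to turn the hit set into a rough position estimate.

```python
"""Turn a set of Cloudflare cache-probe responses into a location estimate.

Added example, not from the original article or the Cloudflare Teleport tool.
Assumptions (labelled as such): cf-ray is "<ray-id>-<COLO>", cf-cache-status is
"HIT" for a cached copy, and COLO_COORDS is a hypothetical, hand-picked subset.
"""


def colo_from_cf_ray(cf_ray: str) -> str:
    """Return the three-letter data-center (airport) code from a cf-ray header."""
    ray_id, sep, colo = cf_ray.strip().rpartition("-")
    if not sep or not ray_id or len(colo) != 3 or not colo.isalpha():
        raise ValueError(f"unexpected cf-ray value: {cf_ray!r}")
    return colo.upper()


def cached_colos(responses) -> set:
    """Given one header dict per probe, return the colos that report a cache HIT.

    Header names are matched case-insensitively; a probe without cf-ray is an error
    because the whole technique depends on knowing which colo answered.
    """
    hits = set()
    for headers in responses:
        h = {k.lower(): v for k, v in headers.items()}
        if "cf-ray" not in h:
            raise ValueError("probe response is missing cf-ray")
        if h.get("cf-cache-status", "").strip().upper() == "HIT":
            hits.add(colo_from_cf_ray(h["cf-ray"]))
    return hits


# Hypothetical (lat, lon) pairs for a few data centers; illustration only.
COLO_COORDS = {
    "FRA": (50.03, 8.57),
    "AMS": (52.31, 4.76),
    "LHR": (51.47, -0.46),
    "SJC": (37.36, -121.93),
    "NRT": (35.77, 140.39),
}


def estimate_location(hits, coords=COLO_COORDS):
    """Centroid of the colos that cached the asset, or None if nothing usable hit.

    This mirrors the coarse nature of the attack: with several nearby colos all
    serving HITs, the answer is a region, not a point.
    """
    known = [coords[c] for c in hits if c in coords]
    if not known:
        return None
    lat = sum(p[0] for p in known) / len(known)
    lon = sum(p[1] for p in known) / len(known)
    return (lat, lon)


# Constructed sample: the same image URL probed through five colos. Only the two
# European colos had it cached, i.e. the target's client fetched it from there.
SAMPLE_RESPONSES = [
    {"cf-ray": "8d1f2a3b4c5d6e7f-FRA", "cf-cache-status": "HIT"},
    {"CF-RAY": "8d1f2a3b4c5d6e80-AMS", "CF-Cache-Status": "HIT"},
    {"cf-ray": "8d1f2a3b4c5d6e81-LHR", "cf-cache-status": "MISS"},
    {"cf-ray": "8d1f2a3b4c5d6e82-SJC", "cf-cache-status": "MISS"},
    {"cf-ray": "8d1f2a3b4c5d6e83-NRT", "cf-cache-status": "EXPIRED"},
]


if __name__ == "__main__":
    hits = cached_colos(SAMPLE_RESPONSES)
    print("colos with a cached copy:", sorted(hits))
    print("rough position estimate:", estimate_location(hits))
```

The point a defender should take from the code is that nothing in it requires the target to do anything: the only observable is which edge caches hold a copy of a URL the target’s client fetched on its own, which is why notification prefetching makes the attack zero-click.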
Hackermondev shared the findings with Cloudflare, Signal and Discord. Cloudflare said it had fixed the issue and paid the researcher $200. Signal and Discord both replied that providing anonymity at the network level lies outside their scope.
Viber was ordered to share information with the FSB
On January 21, Roskomnadzor added Viber’s developer, Luxembourg-based Viber Media S.a.r.l., to the register of information-dissemination organizers (ORI). Inclusion in the register imposes an obligation to share information with law enforcement.
Viber must now store users’ messages in Russia for six months and provide the FSB with their passport data, logins, accounts in third-party services, IP addresses and other details.
Yet access to the messenger has been restricted for Russian users since mid-December 2024.
Rostelecom confirmed a data leak at a contractor
The Silent Crow group claimed it hacked Rostelecom by stealing databases from company.rt.ru and zakupki.rostelecom.ru. This was reported by the Telegram channel “Data leaks”.
As evidence, the attackers provided several tables listing registered users and their submissions via the website form. The information is dated September 20, 2024.
The dumps contain 154,000 unique email addresses and 101,000 phone numbers.
Rostelecom told Kommersant the leak came from a contractor’s infrastructure. The company is examining the databases but said no particularly sensitive information was affected.
Even so, users were advised to reset passwords and enable two-factor authentication where possible.
Also on ForkLog:
- WazirX will discuss compensation with clients affected by the hack.
- Losses from the Phemex exchange hack exceeded $70 million. North Korean hackers were suspected.
- The X account of Nasdaq was hacked to pump a fake memecoin.
- A court overturned sanctions against the Tornado Cash mixer.
- Market maker CLS Global admitted to fake trading of an AI token to the FBI.
- Linea filtered out more than half a million Sybil addresses ahead of its airdrop.
- Cuba’s “official” memecoin turned out to be a scam.
- In Kazakhstan, the operators of an exchange received prison terms with confiscation.
- A controversial activist dumped 50% of the supply of the TIKTOK memetoken.
What to read this weekend?
We explain Crimeware-as-a-Service—illegal cyberattack services offered by subscription.