securityweek.com | By Ionut Arghire | September 2, 2025 (11:02 AM ET)
Updated: September 3, 2025 (2:45 AM ET)
Cloudflare on Monday said it blocked the largest distributed denial-of-service (DDoS) attack ever recorded, at 11.5 Tbps (Terabits per second).
In a short message on X, Cloudflare only shared that the attack was a UDP flood mainly sourced from Google Cloud infrastructure, which lasted approximately 35 seconds.
“Cloudflare’s defenses have been working overtime. Over the past few weeks, we’ve autonomously blocked hundreds of hyper-volumetric DDoS attacks, with the largest reaching peaks of 5.1 Bpps and 11.5 Tbps. The 11.5 Tbps attack was a UDP flood that mainly came from Google Cloud,” the company said.
In a Tuesday update, Cloudflare said that Google Cloud was one source of attack, but not the majority, and that several IoT and cloud providers were used to launch the assault.
“Defending against this class of attack is an ongoing priority for us, and we’ve deployed numerous strong defenses to keep users safe, including robust DDoS detection and mitigation capabilities,” a Google Cloud spokesperson told SecurityWeek.
“Our abuse defenses detected the attack, and we followed proper protocol in customer notification and response. Initial reports suggesting that the majority of traffic came from Google Cloud are not accurate,” the spokesperson said.
A UDP flood sends a high volume of UDP (User Datagram Protocol) datagrams at a target. Because UDP is connectionless, the receiver has to inspect every datagram, look up whether anything is listening on the destination port and, for closed ports, typically answer with an ICMP unreachable message; at sufficient volume that per-packet work overwhelms the target, which becomes unresponsive.
Because that cost is paid per packet regardless of how small the packet is, packet rate is a second resource-exhaustion dimension alongside raw bandwidth. The attackers also pushed the packet rate to 5.1 Bpps (billion packets per second) to deplete the target's packet-processing resources and take it down.
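As an added illustration that is not part of the Cloudflare or SecurityWeek material, the C program below assesses constructed per-second UDP counter samples against two hypothetical capacity budgets, a 100 Gbit/s link and a 40 Mpps packet-processing path, to show why a small-packet flood can exhaust the target while the link is still two-thirds empty. It also derives the average packet size implied by the two peak figures Cloudflare quoted (about 282 bytes, if both peaks belong to the same attack) and the average throughput of the May attack from its 37.4 TB in 45 s figures. The thresholds, sample counters and labels are assumptions for the demonstration, not measurements from either attack.

```c
#include <stdio.h>
#include <string.h>

/* One measurement interval of UDP counters from a router or flow exporter.
 * Values used below are constructed for illustration, not captured traffic. */
typedef struct {
    const char *label;
    double      seconds;   /* interval length */
    double      packets;   /* UDP packets seen in the interval */
    double      bytes;     /* UDP bytes seen in the interval, headers included */
} udp_interval;

typedef struct {
    double pps;            /* packets per second */
    double bps;            /* bits per second */
    double avg_pkt_bytes;  /* bytes / packets */
    int    flood;          /* 1 when either budget is exceeded */
    const char *exhausted; /* which resource gives out */
} verdict;

/* Hypothetical capacity of the protected path. A 100 Gbit/s port is only full
 * at ~148.8 Mpps of 64-byte frames, but a stateful middlebox or host stack
 * usually dies far earlier, so the packet budget is the tighter limit. */
#define LINK_BPS    100e9
#define PACKET_PPS  40e6

verdict assess(udp_interval in) {
    verdict v = {0};
    v.pps = in.packets / in.seconds;
    v.bps = in.bytes * 8.0 / in.seconds;
    v.avg_pkt_bytes = in.packets > 0 ? in.bytes / in.packets : 0.0;
    int over_bps = v.bps > LINK_BPS;
    int over_pps = v.pps > PACKET_PPS;
    v.flood = over_bps || over_pps;
    v.exhausted = over_bps && over_pps ? "link and packet budget"
                : over_bps            ? "link bandwidth"
                : over_pps            ? "packet processing"
                :                       "none";
    return v;
}

/* Average packet size implied by a (bps, pps) pair. Small values mean the
 * attacker is buying packet rate rather than bandwidth. */
double implied_avg_packet_bytes(double bps, double pps) {
    return pps > 0 ? bps / 8.0 / pps : 0.0;
}

/* Average throughput in Tbit/s of an attack that delivered `terabytes`
 * over `seconds`; compare against the reported peak. */
double average_tbps(double terabytes, double seconds) {
    return terabytes * 8.0 / seconds;
}

int main(void) {
    udp_interval samples[] = {
        /* 1500-byte packets: fills the link at a modest packet rate */
        {"large-packet volumetric", 1.0, 10e6,  15e9},
        /* 64-byte packets: only ~31 Gbit/s, but 60 Mpps breaks the packet budget */
        {"small-packet flood",      1.0, 60e6,  3.84e9},
        /* ordinary DNS/QUIC background traffic */
        {"baseline",                1.0, 200e3, 80e6},
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        verdict v = assess(samples[i]);
        printf("%-24s %7.1f Mpps %7.1f Gbit/s avg %5.0f B  flood=%d (%s)\n",
               samples[i].label, v.pps / 1e6, v.bps / 1e9, v.avg_pkt_bytes,
               v.flood, v.exhausted);
    }
    printf("11.5 Tbps at 5.1 Bpps implies ~%.0f-byte packets\n",
           implied_avg_packet_bytes(11.5e12, 5.1e9));
    printf("37.4 TB in 45 s averages %.2f Tbit/s against a 7.3 Tbps peak\n",
           average_tbps(37.4, 45));
    return 0;
}
```

The point of the two budgets is that a defender who only alarms on bandwidth utilisation would see the small-packet sample as a 31 Gbit/s non-event while the packet path behind the port is already saturated; mitigation triggers need a pps dimension as well.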
This record-setting DDoS attack takes the lead as the largest in history roughly three months after Cloudflare blocked a 7.3 Tbps DDoS attack.
Seen in mid-May, that assault targeted a hosting provider and lasted only 45 seconds, delivering approximately 37.4 TB (terabytes) of traffic, the equivalent of over 9,000 HD movies, in that window.
Like the newly observed attack, the May assault consisted mainly of UDP floods. It originated from over 122,000 IP addresses.
Cloudflare mitigated 27.8 million DDoS attacks in the first half of 2025, a number that surpassed the total observed in 2024 (21.3 million HTTP and Layer 3/4 DDoS attacks).
*Updated with statement from Google Cloud and Cloudflare's clarification
securityweek.com | By Ionut Arghire | August 22, 2025 - MITRE has updated the list of Most Important Hardware Weaknesses to align it with evolving hardware security challenges.
The non-profit MITRE Corporation this week published a revised CWE Most Important Hardware Weaknesses (MIHW) to align it with the evolution of the hardware security landscape.
Initially released in 2021, the CWE MIHW list includes frequent errors that lead to critical hardware vulnerabilities, and is meant to raise awareness within the community, to help eradicate hardware flaws from the start.
The updated list includes 11 entries and comes with new classes, categories, and base weaknesses, but retains five of the entries that were included in the 2021 CWE MIHW list. It shows a focus on resource reuse, debug mode bugs, and fault injection.
‘CWE-226: Sensitive Information in Resource Not Removed Before Reuse’ is at the top of MITRE’s 2025 CWE MIHW list.
It refers to resources that are released and may be made available for reuse without being properly cleared. If memory, for example, is not cleared before it is made available to a different process, data could become available to less trustworthy parties.
“This weakness can apply in hardware, such as when a device or system switches between power, sleep, or debug states during normal operation, or when execution changes to different users or privilege levels,” CWE-226’s description reads.
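The memory case described above, as an added C illustration that is not from MITRE's CWE entry: a toy fixed-slot pool stands in for any reusable resource (heap page, DMA buffer, SRAM bank, register file). Releasing a slot without clearing it, the CWE-226 shape, lets the next holder read the previous holder's secret; the hardened release zeroes the slot through a volatile pointer first, so the compiler cannot drop the store as a dead write, which is the usual reason a plain memset before free() quietly disappears. The pool, the secret string and the two holders are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy fixed-slot pool standing in for any reusable resource. Constructed
 * for illustration only. */
#define SLOT_SIZE  64
#define SLOT_COUNT 4

static uint8_t pool[SLOT_COUNT][SLOT_SIZE];
static int     in_use[SLOT_COUNT];

/* Hardened clear: writes go through a volatile pointer so the optimiser
 * must emit them. Prefer explicit_bzero()/memset_s() where available. */
static void scrub(void *p, size_t n) {
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--) *vp++ = 0;
}

static void *pool_alloc(void) {
    for (int i = 0; i < SLOT_COUNT; i++) {
        if (!in_use[i]) { in_use[i] = 1; return pool[i]; }
    }
    return NULL;
}

/* CWE-226 shape: the slot returns to the free list with its contents intact. */
static void pool_free_unsafe(void *p) {
    for (int i = 0; i < SLOT_COUNT; i++)
        if (pool[i] == p) in_use[i] = 0;
}

/* Fixed release: clear before the slot can be handed to anyone else. */
static void pool_free_safe(void *p) {
    scrub(p, SLOT_SIZE);
    pool_free_unsafe(p);
}

/* Simulates a trusted holder writing a secret into a slot and releasing it,
 * then a less-trusted holder receiving the same slot and reading it before
 * writing anything. Returns how many bytes of the secret survive (0 means
 * the resource was properly cleared before reuse). */
int residual_secret_bytes(int use_safe_free) {
    static const char secret[] = "AES-KEY:0123456789abcdef";  /* constructed */
    memset(pool, 0, sizeof pool);
    memset(in_use, 0, sizeof in_use);

    uint8_t *trusted = pool_alloc();
    memcpy(trusted, secret, sizeof secret);
    if (use_safe_free) pool_free_safe(trusted);
    else               pool_free_unsafe(trusted);

    /* The next allocation reuses slot 0, exactly where the secret was. */
    uint8_t *untrusted = pool_alloc();
    int leaked = 0;
    for (size_t i = 0; i < sizeof secret; i++)
        if (secret[i] != '\0' && untrusted[i] == (uint8_t)secret[i]) leaked++;
    pool_free_safe(untrusted);
    return leaked;
}

int main(void) {
    printf("secret bytes readable after unsafe free: %d\n", residual_secret_bytes(0));
    printf("secret bytes readable after safe free:   %d\n", residual_secret_bytes(1));
    return 0;
}
```

In hardware the equivalent of pool_free_safe is a clear-on-release or clear-on-transition step in the controller itself; the state changes CWE-226 calls out (power, sleep, debug, privilege switches) are exactly the moments where a software-only scrub cannot run.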
Second on the revised list is ‘CWE-1189: Improper Isolation of Shared Resources on System-on-a-Chip (SoC)’, which was at the top four years ago.
Other entries that were kept from the previous version of the list include ‘CWE-1191: On-Chip Debug and Test Interface With Improper Access Control’, ‘CWE-1256: Improper Restriction of Software Interfaces to Hardware Features’, ‘CWE-1260: Improper Handling of Overlap Between Protected Memory Ranges’, and ‘CWE-1300: Improper Protection of Physical Side Channels’.
“These entries represent persistent challenges in hardware security that are both theoretically significant and commonly observed in practice. Their continued inclusion, even with the shift to a hybrid expert and data-driven selection process, underscores their ongoing importance,” MITRE notes.
Of the six new entries on the revised MIHW list, two are weaknesses that were only added to CWE itself after the 2021 MIHW list was released.
In addition to the 11 weaknesses included in the main MIHW list, MITRE warns of five others that are also highly important and could lead to serious security defects. These include four entries that were in the previous iteration of the list.
“Hardware weaknesses propagate upward: once embedded in silicon, they constrain software, firmware, and system-level mitigations. Engineers working at higher layers need to understand that some risks are inherited and may never be fully remediated at their level. That makes transparency from vendors, independent evaluation ecosystems, and better incentives for proactive security in design critical,” NCC Group managing security consultant Liz James said.
securityweek.com - August 2025 ICS Patch Tuesday advisories have been published by Siemens, Schneider, Aveva, Honeywell, ABB and Phoenix Contact.
August 2025 Patch Tuesday advisories have been published by several major companies offering industrial control system (ICS) and other operational technology (OT) solutions.
Siemens has published 22 new advisories. One of them is for CVE-2025-40746, a critical Simatic RTLS Locating Manager issue that can be exploited by an authenticated attacker for code execution with System privileges.
The company has also published advisories covering high-severity vulnerabilities in Comos (code execution), Siemens Engineering Platforms (code execution), Simcenter (crash or code execution), Sinumerik controllers (unauthorized remote access), Ruggedcom (authentication bypass with physical access), Simatic (code execution), Siprotec (DoS), and Opcenter Quality (unauthorized access).
Siemens also addressed vulnerabilities introduced by the use of third-party components, including OpenSSL, Linux kernel, Wibu Systems, Nginx, Nozomi Networks, and SQLite.
Medium- and low-severity issues have been resolved in Simotion Scout, Siprotec 5, Simatic RTLS Locating Manager, Ruggedcom ROX II, and Sicam Q products.
As usual, Siemens has released patches for many of these vulnerabilities, but only mitigations or workarounds are available for some of the flaws.
Schneider Electric has released five new advisories. One of them describes four high-severity vulnerabilities in EcoStruxure Power Monitoring Expert (PME), Power Operation (EPO), and Power SCADA Operation (PSO) products. Exploitation of the flaws can lead to arbitrary code execution or sensitive data exposure.
In the Modicon M340 controller and its communication modules, the industrial giant fixed a high-severity DoS vulnerability that can be triggered with specially crafted FTP commands, as well as a high-severity issue that can lead to sensitive information exposure or a DoS condition.
In the Schneider Electric Software Update tool, the company patched a high-severity vulnerability that can allow an attacker to escalate privileges, corrupt files, obtain information, or cause a persistent DoS.
Medium-severity issues that can lead to privilege escalation, DoS, or sensitive credential exposure have been patched in Saitel and EcoStruxure products.
Honeywell has published six advisories focusing on building management products, including several advisories that inform customers about Windows patches for Maxpro and Pro-Watch NVR and VMS products. The company has also released advisories covering PW-series access controller patches and security enhancements.
Aveva has published an advisory for two vulnerabilities in its PI Integrator for Business Analytics: an arbitrary file upload issue that could lead to code execution, and a sensitive data exposure weakness. Both have been patched.
ABB told customers on Tuesday about several vulnerabilities affecting its Aspect, Nexus and Matrix products. Some of the flaws can be exploited without authentication for remote code execution, obtaining credentials, and to manipulate files and various components.
Phoenix Contact has informed customers about a privilege escalation vulnerability in Device and Update Management. The company has described it as a misconfiguration that allows a low-privileged local user to execute arbitrary code with admin privileges. Germany’s CERT@VDE has also published a copy of the Phoenix Contact advisory.
The US cybersecurity agency CISA has published three new advisories describing vulnerabilities in Santesoft Sante PACS Server, Johnson Controls iSTAR, and Ashlar-Vellum products. CISA has also distributed the Aveva advisory and one of the Schneider Electric advisories.
A few days prior to Patch Tuesday, Rockwell Automation published an advisory informing customers about several high-severity code execution vulnerabilities affecting its Arena Simulation product.
Also prior to Patch Tuesday, Mitsubishi Electric released an advisory describing an information tampering flaw in Genesis and MC Works64 products.
securityweek.com - Rockwell Automation has published several advisories describing critical and high-severity vulnerabilities affecting its products.
Rockwell Automation this week published several advisories describing critical- and high-severity vulnerabilities found recently in its products.
The industrial automation giant has informed customers about critical vulnerabilities in FactoryTalk, Micro800, and ControlLogix products.
In the FactoryTalk Linx Network Browser the vendor fixed CVE-2025-7972, a flaw that allows an attacker to disable FTSP token validation, which can be used to create, update, and delete FTLinx drivers.
In the case of Micro800 series PLCs, Rockwell resolved three older vulnerabilities in the open source Azure RTOS real-time operating system used by the controllers. The security holes can be exploited for remote code execution and privilege escalation. In addition to the Azure RTOS issues, the company has addressed a DoS vulnerability.
In ControlLogix products Rockwell patched a remote code execution vulnerability tracked as CVE-2025-7353.
The list of high-severity flaws includes two DoS issues in FLEX 5000, a code execution vulnerability in Studio 5000 Logix Designer, web server issues in ArmorBlock 5000, a privilege escalation in FactoryTalk ViewPoint, and an information exposure issue in FactoryTalk Action Manager.
None of these vulnerabilities have been exploited in the wild, according to Rockwell Automation.
The cybersecurity agency CISA has also published advisories for these vulnerabilities to inform organizations about the potential risks.
securityweek.com - LG Innotek LNV5110R security cameras are affected by a vulnerability that can be exploited for unauthenticated remote code execution.
Roughly 1,300 internet-exposed LG security cameras are vulnerable to remote hacking due to a recently discovered flaw, and they will not receive a patch.
The cybersecurity agency CISA revealed on Thursday that LG Innotek LNV5110R cameras are affected by an authentication bypass vulnerability that can allow an attacker to gain administrative access to the device.
The flaw, tracked as CVE-2025-7742 and assigned a ‘high severity’ rating, can allow an attacker to write to the device’s non-volatile storage by sending a crafted HTTP POST request, which can result in remote code execution with elevated privileges, according to CISA.
LG Innotek has been notified, but said the vulnerability cannot be patched as the product has reached end of life.
Souvik Kandar, the MicroSec researcher credited by CISA for reporting the vulnerability, told SecurityWeek there are roughly 1,300 cameras that are exposed to the internet and which can be remotely hacked.
securityweek.com - The MITRE AADAPT framework provides documentation for identifying, investigating, and responding to weaknesses in digital asset payments.
The non-profit MITRE Corporation on Monday released Adversarial Actions in Digital Asset Payment Technologies (AADAPT), a cybersecurity framework designed to help the industry tackle weaknesses in cryptocurrency and other digital financial systems.
Modeled after the MITRE ATT&CK framework, AADAPT delivers a structured methodology that developers, financial organizations, and policymakers can use to find, investigate, and address risks in digital asset payments.
MITRE drew on more than 150 sources from academia, government, and industry describing real-world attacks on digital currencies and related technologies to build a playbook of adversarial tactics, techniques, and procedures (TTPs) linked to digital asset payment technologies.
The increased use of cryptocurrency has led to the emergence of sophisticated threats, such as phishing schemes, ransomware campaigns, and double-spending attacks, often with severe impact on organizations that lack cybersecurity resources, such as local governments and municipalities.
AADAPT is meant to help such organizations improve their security posture through practical guidance and tools that specifically cover this financial market segment.
According to MITRE, AADAPT was founded on an in-depth review of underlying technologies such as smart contracts, distributed ledger technology (DLT) systems, consensus algorithms, and quantum computing, along with vulnerabilities and credible attack methods.
The framework supports several use cases: developing analytics for threat emulation, building detection techniques, comparing findings across organizations, and assessing security capabilities to prioritize decisions, essentially helping stakeholders adopt best practices.
“Digital payment assets like cryptocurrency are set to transform the future of global finance, but their security challenges cannot be ignored. With AADAPT, MITRE is empowering stakeholders to adopt robust security measures that not only safeguard their assets but also build trust across the ecosystem,” MITRE VP Wen Masters said.
Cyberattack disrupted UNFI’s operations in June; company estimates $50–$60 million net income hit but anticipates insurance will cover most losses.
United Natural Foods, Inc. (NYSE: UNFI), the main distributor for Amazon’s Whole Foods, said the June 2025 cyberattack that caused disruptions to business operations will impact fiscal 2025 net sales by an estimated $350 to $400 million.
In an update on Wednesday, the Rhode Island-based natural food products giant said “anticipated insurance” proceeds would significantly offset those losses.
“The Company estimates that the cyber incident will impact fiscal 2025 net sales by approximately $350 to $400 million, net (loss) income by $50 to $60 million, which includes the estimated tax impact, and adjusted EBITDA by approximately $40 to $50 million,” the company said in a business update on July 16th. “These estimates do not reflect the benefit of anticipated insurance proceeds, which the Company expects will be adequate for the incident. The Company does not currently expect a meaningful operational or financial impact beyond the fourth quarter of fiscal 2025 aside from insurance reimbursement.”
The company revealed in a filing with the SEC on June 9 that it had detected unauthorized activity on some IT systems on June 5. In response to the intrusion, certain systems were taken offline, which impacted its ability to fulfill and distribute customer orders.
UNFI advertises itself as the largest full-service grocery partner in North America, delivering products to over 30,000 locations, including natural product superstores, conventional supermarket chains, e-commerce providers, and independent retailers. With more than $30 billion in annual revenue, the company offers more than 250,000 natural, organic and conventional SKUs through its more than 50 distribution centers.
“We are grateful to our customers, suppliers, and associates for their resilience and collaboration as we worked through a challenging period for all of us. With our operations returning to more normalized levels, we remain focused on adding value for our customers and suppliers while becoming a more efficient and effective partner,” said Sandy Douglas, UNFI’s CEO.
The company updated its full-year outlook to reflect its strong performance for the first three fiscal quarters of 2025 and the estimated costs and charges associated with the June cyber incident.
securityweek.com - DragonForce says it stole more than 150 gigabytes of data from US department store chain Belk in a May cyberattack
The DragonForce ransomware gang has claimed responsibility for a disruptive cyberattack on US department store chain Belk.
The incident was identified on May 8 and prompted Belk to disconnect affected systems, restrict network access, reset passwords, and rebuild impacted systems, which disrupted the chain’s online and physical operations for several days. The company’s online store is still offline at the time of publication.
Belk’s investigation into the attack determined that hackers had access to its network between May 7 and May 11, and that they exfiltrated certain documents, including files containing personal information.
In a data breach notification submitted to the New Hampshire Attorney General’s Office, Belk said at least names and Social Security numbers were compromised in the attack.
The company is providing the impacted individuals with 12 months of free credit monitoring and identity restoration services, which also include up to $1 million identity theft insurance.
The company has not named the group responsible for the attack, but the DragonForce ransomware gang claimed the incident on Monday, adding Belk to its Tor-based leak site.
Ireland’s Data Protection Commission announced that TikTok is facing a new European Union privacy investigation into user data sent to China.
TikTok is facing a fresh European Union privacy investigation into user data sent to China, regulators said Thursday.
The Data Protection Commission opened the inquiry as a follow-up to a previous investigation that ended earlier this year with a 530 million euro ($620 million) fine after it found the video sharing app put users at risk of spying by allowing remote access to their data from China.
The Irish national watchdog serves as TikTok’s lead data privacy regulator in the 27-nation EU because the company’s European headquarters is based in Dublin.
During an earlier investigation, TikTok initially told the regulator it didn’t store European user data in China, and that data was only accessed remotely by staff in China. However, it later backtracked and said that some data had in fact been stored on Chinese servers. The watchdog responded at the time by saying it would consider further regulatory action.
“As a result of that consideration, the DPC has now decided to open this new inquiry into TikTok,” the watchdog said.
“The purpose of the inquiry is to determine whether TikTok has complied with its relevant obligations under the GDPR in the context of the transfers now at issue, including the lawfulness of the transfers,” the regulator said, referring to the European Union’s strict privacy rules, known as the General Data Protection Regulation.
TikTok, which is owned by China’s ByteDance, has been under scrutiny in Europe over how it handles personal user information amid concerns from Western officials that it poses a security risk.
TikTok noted that it was the one that notified the Data Protection Commission, after it embarked on a data localization project called Project Clover that involved building three data centers in Europe to ease security concerns.
“Our teams proactively discovered this issue through the comprehensive monitoring TikTok implemented under Project Clover,” the company said in a statement. “We promptly deleted this minimal amount of data from the servers and informed the DPC. Our proactive report to the DPC underscores our commitment to transparency and data security.”
Under GDPR, European user data can only be transferred outside of the bloc if there are safeguards in place to ensure the same level of protection. Only 15 countries or territories are deemed to have the same data privacy standard as the EU, but China is not one of them.
securityweek.com - Nippon Steel Solutions has disclosed a data breach that resulted from the exploitation of a zero-day in network equipment.
Japan-based Nippon Steel Solutions on Tuesday disclosed a data breach that resulted from the exploitation of a zero-day vulnerability.
Nippon Steel Solutions, also called NS Solutions, offers cloud, cybersecurity and other IT solutions. The company is a subsidiary of Japanese steel giant Nippon Steel, which recently acquired US Steel in a controversial deal.
Nippon Steel Solutions said in a statement posted on its Japanese-language website that it detected suspicious activity on some servers on March 7.
An investigation showed that hackers had exploited a zero-day flaw in unspecified network equipment, and gained access to information on customers, partners and employees.
In the case of customers, the attackers may have stolen information such as name, company name and address, job title, affiliation, business email address, and phone number.
The exposed information in the case of partners includes names and business email addresses, while in the case of employees the attackers may have obtained names, business email addresses, job titles, and affiliation.
Nippon Steel Solutions said the information may have been exfiltrated, but to date it has found no evidence of a data leak on the dark web or elsewhere.
The notorious ransomware group BianLian claimed to have stolen hundreds of gigabytes of data from Nippon Steel USA in mid-February, including files related to finances, employees, and production.
The cybercriminals at the time threatened to leak all of the stolen data, but the group went dark a few weeks later.
Nippon Steel does not appear to have confirmed a data breach in response to BianLian’s claims and it’s unclear if the two incidents are related.
SecurityWeek has reached out to NS Solutions for clarifications and will update this