SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS Stormcast Wednesday, November 19th, 2025: Kong Tuke; Cloudflare Outage

SANS ISC Handlers

Tech News, News, Technology

🗓️ 19 November 2025

⏱️ 5 minutes

Summary


KongTuke Activity
This diary investigates how a recent KongTuke infection evolved, starting from a ClickFix attack.
https://isc.sans.edu/diary/KongTuke%20activity/32498
Cloudflare Outage
Cloudflare suffered a large outage today after an oversized configuration file was loaded into its bot protection service.
https://x.com/dok2001
Google Patches Chrome 0-Day
Google patched two vulnerabilities in Chrome. One of them is already being exploited.
https://chromereleases.googleblog.com/2025/11/stable-channel-update-for-desktop_17.html

Transcript

0:00.0

Hello and welcome to the Wednesday, November 19th, 2025 edition of the SANS Internet Storm Center's Stormcast.

0:13.0

My name is Johannes Ullrich, recording today from Jacksonville, Florida.

0:17.8

And this episode is brought to you by the sans.edu undergraduate certificate program

0:22.1

in Cybersecurity Fundamentals.

0:26.0

Brad Duncan today published another diary with yet another variant of ClickFix.

0:31.5

ClickFix, the captcha lookalike that tricks victims into copy-pasting PowerShell commands into their Windows command line.

0:41.8

Well, in this particular case, it's going to lead you to install Kong Tuk or Konduk,

0:48.8

not sure how to pronounce it, but this is an example of a traffic direction system or TDS.

0:56.3

This type of malware is a little bit different than what you often have, like infostealers or such.

1:02.4

The main purpose of TDS systems is to give the attacker a platform to redirect their traffic.

1:10.5

So these are typically proxies and the like that will just forward traffic for the attacker.

1:16.7

They can often be chained for additional obfuscation of the traffic.

1:21.0

And then the networks being created by the attacker are often also rented out to other attackers. So it's sort of a

1:30.3

basic fundamental part of this criminal underground economy. And a couple weeks ago, I myself

1:38.0

counted myself lucky because the Internet Storm Center website did not use AWS, which had its big outage a couple weeks ago.

1:47.3

Well, this morning I wasn't that lucky. We had a big outage of Cloudflare. Cloudflare stopped working for a few hours in the morning, at least the East Coast time in the morning, probably Europe or UTC.

2:01.8

It was more the afternoon when this outage happened, and it took them quite a while to get

2:07.9

things back up and going. Given the scale of Cloudflare, and I don't have the current

2:13.9

numbers handy, but I remember something like 30% of websites or traffic going

2:18.8

through Cloudflare, which seems plausible. There were a lot of large websites other than

2:25.4

Internet Storm Center that were affected by this, like for example, X and many of the AI chatbots, for example, ChatGPT, but also Anthropic had some issues

2:39.0

because they are behind Cloudflare.

...
