Police shut down 600 Cobalt Strike servers, Cloudflare tool to stop AI bots, Infostealer malware logs used to identify CSAM website members and more
2024-7-5 20:25:14 Author: www.forcepoint.com

This issue starts with a global police operation that took down nearly 600 servers used by cybercriminal groups running Cobalt Strike. Cloudflare introduced a tool to stop AI bots from scraping websites for training data. Recorded Future's Insikt Group used info-stealing malware logs to identify over 3,000 members of websites hosting child sexual abuse material (CSAM), the regreSSHion vulnerability leaves millions of OpenSSH servers exposed, and more.

Cyber-related stories catching our attention:

A global police operation codenamed MORPHEUS has dismantled nearly 600 cybercrime servers linked to illicit use of the Cobalt Strike framework. Led by the U.K. National Crime Agency with authorities from multiple countries, the operation targeted older, unlicensed versions of Cobalt Strike, a tool often abused by cybercriminals and nation-state actors for post-exploitation activity and ransomware deployment. The crackdown shows the ongoing effort against cybercrime infrastructure: Europol reports that 590 of the 690 flagged IP addresses are now offline. It also reinforces the need for stronger controls to prevent similar abuse of legitimate software by malicious actors.

Cloudflare has introduced a free tool to combat AI bots scraping websites for data to train AI models. While major AI vendors like Google and OpenAI allow sites to block their bots via robots.txt, not all bots comply. The company’s new tool uses advanced detection models to identify and block evasive AI bots by analyzing their traffic patterns and behavior. This initiative addresses rising concerns from website owners about unauthorized data scraping by AI companies. As the demand for AI training data grows, more sites are blocking AI scrapers, but some vendors bypass these restrictions, posing ongoing challenges. Cloudflare's solution aims to enhance bot detection accuracy and support website owners in protecting their content.

Recorded Future's Insikt Group used information-stealing malware logs to identify 3,324 individuals accessing child sexual abuse material (CSAM) websites, marking a novel law enforcement tool. By analyzing data from malware such as Redline and Raccoon, the company linked stolen credentials to usernames, IP addresses, and system details. This information, shared with law enforcement, facilitates the identification and arrest of suspects. The malware logs, typically containing credentials, browser history, and system information, were cross-referenced with known CSAM domains. Insikt's efforts highlight the potential of leveraging cybercriminal tools to combat child exploitation, with significant implications for law enforcement investigations.

Millions of OpenSSH servers are at risk from the regreSSHion vulnerability (CVE-2024-6387), which allows unauthenticated remote code execution. Discovered by Qualys, this critical flaw in the OpenSSH server process 'sshd' on glibc-based Linux systems could lead to complete system takeover, enabling malware installation and backdoor creation. Over 14 million potentially vulnerable instances have been identified globally, with around 700,000 exposed systems confirmed by Qualys. The issue, comparable in severity to the Log4Shell vulnerability of 2021, stems from a signal handler race condition reintroduced in OpenSSH 8.5p1 in October 2020. The flaw was removed in OpenSSH 9.8p1; organizations unable to upgrade should apply the forthcoming patches. Qualys has shared technical details and indicators of compromise to aid detection, but withheld proof-of-concept code to limit exploitation.
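As an added defender-side example (not code from the Forcepoint post or from Qualys), the following Python triages SSH identification banners against the version window the paragraph gives: from 8.5p1, where the race condition was reintroduced, up to but excluding 9.8p1, where it was removed. The hosts and banners are constructed; the window and the glibc-Linux scope come from the text, and a match only flags a host for follow-up, since a banner cannot reveal distribution backports.

```python
import re

# Version window taken from the roundup: reintroduced in 8.5p1, removed in 9.8p1.
REINTRODUCED = (8, 5, 1)
FIXED = (9, 8, 1)

# Matches e.g. "OpenSSH_9.2p1"; the portable "pN" suffix is optional.
_BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_openssh_version(banner: str):
    """Return (major, minor, portable) from an SSH banner, or None if not OpenSSH."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, portable = m.groups()
    return (int(major), int(minor), int(portable) if portable else 0)


def banner_in_affected_range(banner: str):
    """True if the advertised version lies in [8.5p1, 9.8p1), False if outside,
    None if the banner is not OpenSSH. True means 'verify this host', not
    'confirmed vulnerable': distro backports are invisible in the banner, and
    the page scopes the flaw to glibc-based Linux systems."""
    version = parse_openssh_version(banner)
    if version is None:
        return None
    return REINTRODUCED <= version < FIXED


def triage_banners(banners):
    """Bucket (host, banner) pairs for follow-up by an asset owner."""
    result = {"affected_range": [], "outside_range": [], "not_openssh": []}
    for host, banner in banners:
        verdict = banner_in_affected_range(banner)
        if verdict is None:
            result["not_openssh"].append(host)
        elif verdict:
            result["affected_range"].append(host)
        else:
            result["outside_range"].append(host)
    return result


# Constructed sample inventory; the addresses and banners are not real hosts.
SAMPLE_BANNERS = [
    ("10.0.0.1", "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3"),
    ("10.0.0.2", "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3"),
    ("10.0.0.3", "SSH-2.0-OpenSSH_9.8p1"),
    ("10.0.0.4", "SSH-2.0-dropbear_2022.83"),
]

if __name__ == "__main__":
    print(triage_banners(SAMPLE_BANNERS))
```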

Over 110,000 websites using Polyfill.io were compromised after its acquisition by the Chinese company Funnull, which modified the JavaScript library to redirect users to malicious sites. Google blocked ads for affected e-commerce sites and provided mitigation information. Cloudflare and Fastly offered alternative solutions and urged users to abandon Polyfill.io because of the supply chain risk. The compromised domain has since moved to polyfill.com. The incident underscores the exposure created by third-party client-side JavaScript and the need for monitoring of what such scripts actually serve. Separately, a critical flaw, CVE-2024-34102, affects Adobe Commerce and Magento websites, adding to the threat to e-commerce sites.


Article source: https://www.forcepoint.com/blog/x-labs/600-cobalt-strike-servers-cloudflare-tool-stop-ai-bots-infostealer-identify-csam-website-members