Cybersecurity Shenanigans #018: A record-breaking DDoS attack, BSidesChicago recap, and a heartfelt thank you :)

Read this month's cybersecurity scoop.

👋 Hey friend,

We’ve got some wild headlines to cover this month, from a chaos-causing config file to a record-breaking DDoS attack — just your typical nightmare fodder, really. 😅

I’ll also share some photos from BSidesChicago, which was a super fun, hands-on experience. I mean that literally:

And finally, is anyone else scratching their head, wondering how the heck it’s November? 😅 In the spirit of the season, I want to take a second to genuinely, truly thank you for being here. I’ve been writing this newsletter for about a year and a half now, and I can’t believe how much it’s grown and evolved — thanks to you!

Thank you for making space in your inbox for me and for hanging out with me in all the places — YouTube, Discord, X, livestreams, etc. It means a lot!

— JH

News & Commentary

Another Cloudflare outage takes down parts of the internet 🌐

Who here tried and failed to access ChatGPT or X early Tuesday morning? 🫣

One of the internet’s core infrastructure providers, Cloudflare, experienced a…hiccup…which took down sites like X, ChatGPT, and Canva. It was such a widespread outage that Downdetector logged more than 11,000 user-reported issues at the peak of the outage.

The good(?) news? A cyberattack isn’t to blame this time around.

An automatically generated config file designed to protect against threats is to blame. Seems that file got a wee bit too big and crashed the software system responsible for handling traffic across multiple Cloudflare services. 😅

As the news made its rounds, industry experts spoke out and highlighted the pitfalls of centralized infrastructure. Tim Erline, a security strategist at Wallarm, summed up the sentiment nicely:

"Following the recent AWS outage, this new Cloudflare incident is a second reminder that 'cloud' does not automatically mean perfect resiliency and failover. Relying on any single provider introduces risk, and you are ultimately responsible for accepting, mitigating, or transferring that risk for your own organization. Availability can be impacted by both security incidents and infrastructure failure, which means that protecting uptime is the responsibility of both functions."

We defenders can sometimes get caught up in defending against external threats — only to overlook a bloated config file that wreaks havoc for our operations. And in Cloudflare’s case, the oversight impacted nearly a quarter of all internet traffic.

It’s a good reminder for us defenders to decentralize what we can to minimize single-point-of-failure scenarios.

Sneaky 2FA adds Browser-in-the-Browser attacks to their arsenal 🚩

The threat actors responsible for Sneaky 2FA, a Phishing-as-a-Service (PhaaS) kit, have upgraded their techniques.

They’re baking in Browser-in-the-Browser (BitB) attacks to their phishing campaigns. In case you’ve never heard of them, BitB attacks are designed to make an illegitimate browser window appear within your actual browser for credential harvesting purposes. And with a little HTML and CSS pizzazz, a nefarious authentication window can look identical to a legitimate one:

Notice the browser bar and HTTPS indicators in both images. They both look legit, right? But if you enter your credentials into the fake auth window, you’ll be handing the keys to your account over to hackers.

And in the case of Sneaky 2FA, the phishing kit also includes built-in safeguards to avoid detection: bot filters, domain rotation, obfuscation, and a few anti-analysis tricks. They’ve really thought this kit through.

Don’t you miss the days when you could easily spot a phishing attempt through typos in an email? 😅

Microsoft confirms (and mitigates) a record-breaking DDoS attack 💀

Warning: You’re about to read some numbers that are going to make you do a double take. 😅

Microsoft recently disclosed a wild DDoS attack that peaked at — here goes — 15.72 terabits per second and 3.64 billion packets per second. The attack, powered by the AISURU botnet (and 500,000+ source IPs), targeted a single public-facing IP address in Australia. And while Microsoft didn’t disclose specifics about the victim, the AISURU botnet is known to go after online gaming targets.

Here’s the kicker about the AISURU botnet — nearly 300,000 infected devices power it, and those are largely IoT devices: routers, security cameras, and DVR systems. So as internet speeds increase, it’s likely that the scale of DDoS attacks will follow.

Sponsor

7 Security Best Practices for MCP

Learn what security teams are doing to protect MCP without slowing innovation.

As MCP (Model Context Protocol) becomes the standard for connecting LLMs to tools and data, security teams are moving fast to keep these new services safe.

The MCP Security Best Practices Cheat Sheet outlines seven proven steps teams can put in place right away, including:

  • How to lock down MCP servers and supply chains

  • Enforcing least-privilege access for tokens and tools

  • Adding human-in-the-loop safeguards for critical actions

Email being clipped?

Here’s some actually helpful advice: You can view the email in your browser: https://johnhammond.beehiiv.com/p/cybersecurity-shenanigans-018.

(And as always, thanks for nothing, Clippy. 💙)

Latest Content

YouTube Videos

// I break down some security gaps in default (!!!) settings in Microsoft Entra ID (shout-out to Sean Metcalf for his research!)

// This video explores how AI tools like Claude can integrate with the Atomic Red Team framework via an MCP (Model Context Protocol) server to emulate adversary tactics, automate threat simulations, and even execute live security tests. 👀 (Shout-out to cyberbuff for his work here!)

// This video breaks down a newly observed “UAC prompt‑bombing” technique used by the Nightshade C2 malware — because if you need admin privileges, why not just ask for them? 🙃

Just Hacking Training 🤓
November Announcements

🦃 Black Friday Is Here Early 🦃 

Use code BlackFriday25 NOW for 25% off ALL courses on justhacking.com (including Constructing Defense 2025)! Excludes already discounted Bundles. Expires Midnight ET on November 30.

📣 What’s Your Story? Contest 📣 

Have a conversation with John Hammond and Rob Fuller on the transition from military life to a career in cybersecurity exclusively on LinkedIn

Instead of just saying 'thanks for your service' on this Veterans Day, we want to help our brave men and women.

Head over to our LinkedIn post and share your story, offer advice, post open jobs, provide practical guidance, and interact with others’ comments.

The most engaging story as judged by John and Rob will win a free course from us and will be announced on John’s Livestream Friday, November 21 at 1:00 PM ET.

John and Rob will also be available for the entire hour for a Career Q&A.

See you in the comments! ⬇️

Want Just Hacking Training LIVE at your event or a dedicated class just for your organization from one or many of our 30+ All-Stars? Let's talk! Bulk discounts available. Email [sales(at)justhacking.com].

New Releases

Learn threat hunting basics using only built-in Windows & open source tools. Just $60 with Labs!

Every org of every size can benefit from looking for clues of attacks that may have already happened, and you just don’t know it! Start threat hunting without an extensive (and expensive!) security infrastructure. 🤯

This new 'Name Your Price' course explores this common cybercrime in a protected lab. Hack the attackers’ process & learn the tools of Forensic Investigators at the same time. Starts at only $25!

Give Brandon Keath 30 minutes in this Free Upskill Challenge, and you'll have your first working Golang tool specifically for cybersecurity!

Thanks for choosing us! 🙏 We’re continuing to grow fast, and we wouldn’t be here without you and the greater community.

Just Hacking Training is a platform providing "Focused Technical Training for All Levels" in 80+ affordable, hands-on options in 4 categories: Courses, Free Upskill Challenges, Hack-Alongs and CTFs. Wherever possible, JHT includes cloud-based, cyber ranges to safely practice what is taught. With new content released twice a month throughout 2025, bi-monthly livestreams with John Hammond and our All-Star contributors and even some “Name Your Price” options, JHT will advance your career regardless of experience level or budget.

Social

BSidesChicago Recap :)

I spent Halloween in the Windy City at BSidesChicago! Met up with some great friends from the Just Hacking Training team for some hacking fun. Together, we covered Script-Based Malware Analysis, Level Up OSINT, and Hardware Hacking 101.

All three of us were fortunate enough to present to packed rooms — thank you for hanging out with us! 🙏🏻

Got feedback?

Feels like we’re in a groove with this thing! I invite you to help me shake it up.

Please reply to this email and let me know what you’re loving — and what you’d love to see in the next edition.

Thank you!