Elon Musk said a “massive cyberattack” disrupted X on Monday and pointed to “IP addresses originating in the Ukraine area” as the source of the attack. Security experts say that's not how it works.

The social network X suffered intermittent outages on Monday, a situation owner Elon Musk attributed to a “massive cyberattack.” Musk said in an initial X post that the attack was perpetrated by “either a large, coordinated group and/or a country.” In a post on Telegram, a pro-Palestinian group known as Dark Storm Team took credit for the attacks within a few hours. Later on Monday, though, Musk claimed in an interview on Fox Business Network that the attacks had come from Ukrainian IP addresses.

Web traffic analysis experts who tracked the incident on Monday were quick to emphasize that the type of attacks X seemed to face—distributed denial-of-service, or DDoS, attacks—are launched by a coordinated army of computers, or a “botnet,” pummeling a target with junk traffic in an attempt to overwhelm and take down its systems. Botnets are typically dispersed around the world, generating traffic with geographically diverse IP addresses, and they can include mechanisms that make it harder to determine where they are controlled from.

“It’s important to recognize that IP attribution alone is not conclusive. Attackers frequently use compromised devices, VPNs, or proxy networks to obfuscate their true origin," says Shawn Edwards, chief security officer of the network connectivity firm Zayo.

X did not return WIRED's requests for comment about the attacks.

Multiple researchers tell WIRED that they observed five distinct attacks of varying length against X's infrastructure, the first beginning early Monday morning with the final burst on Monday afternoon.

The internet intelligence team at Cisco's ThousandEyes tells WIRED in a statement, “During the disruptions, ThousandEyes observed network conditions that are characteristic of a DDoS attack, including significant traffic loss conditions which would have hindered users from reaching the application.”

DDoS attacks are common, and virtually all modern internet services experience them regularly and must proactively defend themselves. As Musk himself put it on Monday, “We get attacked every day.” Why, then, did these DDoS attacks cause outages for X? Musk said it was because “this was done with a lot of resources,” but independent security researcher Kevin Beaumont and other analysts see evidence that some X origin servers, which respond to web requests, weren't properly secured behind the company's Cloudflare DDoS protection and were publicly visible. As a result, attackers could target them directly. X has since secured the servers.

“The botnet was directly attacking the IP and a bunch more on that X subnet yesterday. It's a botnet of cameras and DVRs,” Beaumont says.

A few hours after the final attack concluded, Musk told Fox Business host Larry Kudlow in an interview, “We're not sure exactly what happened, but there was a massive cyberattack to try to bring down the X system with IP addresses originating in the Ukraine area.”

Musk has mocked Ukraine and its president, Volodymyr Zelensky, repeatedly since Russia invaded its neighbor in February 2022. A major campaign donor to President Donald Trump, Musk now heads the so-called Department of Government Efficiency, or DOGE, which has razed the US federal government and its workforce in the weeks since Trump's inauguration. Meanwhile, the Trump administration has recently warmed relations with Russia and moved the US away from its longtime support of Ukraine. Musk has already been involved in these geopolitics in the context of a different company he owns, SpaceX, which operates the satellite internet service Starlink that many Ukrainians rely on.

DDoS traffic analysis can break down the firehose of junk traffic in different ways, including by listing the countries that had the most IP addresses involved in an attack. But one researcher from a prominent firm, who requested anonymity because they are not authorized to speak about X, noted that they did not even see Ukraine in the breakdown of the top 20 IP address origins involved in the X attacks.

If Ukrainian IP addresses did contribute to the attacks, though, numerous researchers say that the fact alone is not noteworthy.

“What we can conclude from the IP data is the geographic distribution of traffic sources, which may provide insights into botnet composition or infrastructure used,” Zayo’s Edwards says. “What we can’t conclude with certainty is the actual perpetrator’s identity or intent.”

_Additional reporting by Zoë Schiffer._

What Really Happened With the DDoS Attacks That Took Down X

Elon Musk has confirmed a massive cyberattack on his social media platform, X (once Twitter), causing widespread technical…

Elon Musk has confirmed a massive cyberattack on his social media platform, X (once Twitter), causing widespread technical problems. Reportedly, it was a well-coordinated effort from a group or country, most likely Ukraine.

A recent disruption to the X platform, formerly known as Twitter, has sparked controversy regarding its cause and origin. The platform experienced extended downtime, prompting its owner, Elon Musk, to claim that a significant cyberattack was responsible.

The attack began on March 10 and continued until 9:30 a.m. ET. Users reported issues accessing X at around 5:30 a.m. ET, followed by another outage at 9:30 a.m. ET and a third significant spike in error complaints around 11 a.m. ET. Some speculate that the X outage may have been caused by a DDOS (Distributed Denial of Service) attack.

In an X post, Musk publicly confirmed that the disruption was the result of a coordinated effort to disable the X system. He further specified that the attack’s originating internet protocol addresses were traced to the region of Ukraine.

“There was (still is) a massive cyberattack against 𝕏,” Musk wrote, adding that “We get attacked every day, but this was done with a lot of resources. Either a large, coordinated group and/or a country is involved. Tracing …”

The service interruptions were not uniform, with users experiencing intermittent outages. These periods of inaccessibility would last for approximately three-quarters of an hour, followed by brief periods of restored service, before the platform would once again become unresponsive. One particularly lengthy outage lasted several hours.

Musk indicated (video) that the scale of the attack suggested a substantial level of organization and resources. He proposed that either a large, coordinated group or potentially a state-sponsored entity was involved.

The claim that the attack originated from Ukraine has drawn scrutiny. Some have suggested that Musk’s political affiliations may have influenced his assessment. Given his alignment with a prominent political figure, and the current political climate surrounding aid to Ukraine, it is believed that the platform could become a target.

Musk also indicated that internal investigations were underway to determine the specifics of the attack. He stated that the platform’s security teams were attempting to trace the attack’s origins and methods.

Musk’s accusations come as President Trump’s administration has been critical of the Ukrainian government and the country’s response to the Russian invasion. This is a developing story, we will update this article as soon as there is any update regarding the investigation.

Determining the true cause of a cyberattack can be a complex and time-consuming process. It may take days, or even weeks, to gather sufficient evidence to identify the source and nature of the disruption definitively.

****DarkStorm Team Claims Responsibility****

While Musk blames Ukraine, the DarkStorm Team has claimed responsibility for the attack on X. ​Dark Storm Team is a group active since 2023, known for its pro-Palestinian stance and alleged ties to Russia. The group has targeted entities in Israel, NATO countries, and Western companies, often employing DDoS attacks to disrupt services.

Musk on Twitter and Dark Storm Team on Telegram

Casey Ellis, Founder at Bugcrowd, a San Francisco, Calif.-based leader in crowdsourced cybersecurity commented on the issue stating, “It’s difficult to say with incomplete information, and in the early stages of things, but between the sustained nature of the outage and Dark StormTeam taking credit for it on Telegram, this does appear to be a legitimate cyberattack on X.”

Musk Blames X (Twitter) Outage on Cyberattack, Links It to Ukraine

Threat actors of unknown provenance have been attributed to a malicious campaign predominantly targeting organizations in Japan since January 2025.
"The attacker has exploited the vulnerability CVE-2024-4577, a remote code execution (RCE) flaw in the PHP-CGI implementation of PHP on Windows, to gain initial access to victim machines," Cisco Talos researcher Chetan Raghuprasad said in a technical

PHP-CGI RCE Flaw Exploited in Attacks on Japan's Tech, Telecom, and E-Commerce Sectors

Martin Lee dives into to the complexities of defending our customers from threat actors and covers the latest Talos research in this week's newsletter.

Thursday, March 6, 2025 14:03

Welcome to this week’s edition of the Threat Source newsletter.

At Talos we bat on behalf of our customers, protecting them against all manner of cyber threats that may affect them. The nature of the threat actor and their origin or affiliation makes no difference; if they are attacking or planning to attack a customer, we do our utmost to stop them.

In practice, identifying the origin of attacks can be surprisingly difficult, much harder than identifying the attack itself.  Attacks do not arrive wrapped in a flag with a certificate of origin. Typically, attackers seek to hide their origin so as to avoid the attention of law enforcement or the international community. However, although not an easy task, the attacker will often unwittingly leave clues to their identity.

We are all creatures of habit; we all have our preferred methods of doing things, tools that we are familiar with, or suppliers that we often choose over another. Threat actors are no different. Over time, the choices made by a threat actor in how they carry out their attacks, the methods they use, and their choice of victims builds to become a characteristic fingerprint.

New attacks can be analysed to identify if their characteristics overlap with those of a known threat actor. If so, we may surmise that the attack has been carried out by that threat actor. Nevertheless, uncovering and understanding the relationship between an attack and the threat actor behind the attack requires detailed research or possibly will only become apparent with the passage of time and the publication of additional information.

Even if an attack can be attributed to a known threat actor, the nature and origin of that threat actor may be obscure. Threat actors rarely admit to their actions and volunteer their identity. A detailed investigation by law enforcement or intelligence agencies may identify an attacker’s identity. Otherwise the security industry refers to known threat actors by various pseudonyms, few of which are definitively tied to one or more named individuals or an organistation. Understanding and communicating degrees of uncertainty when it comes to describing threat actors is a key skill in the threat intelligence community.

Suffice to say that we do not pick and choose the threats that we block. We block them regardless of their origin because this is who we are and what we do, and in any case, identifying the origin of a threat is not a simple matter.

**The one big thing**

Lotus Blossum is a sophisticated threat actor that we’ve uncovered conducting espionage campaigns against the government, manufacturing, telecoms, and media sectors in Vietnam, Hong Kong, Taiwan, and the Philippines. As part of this activity, the threat actor uses the Sagerunex family of backdoor malware for command and control activity. 

**Why do I care?**

Understanding how threat actors such as Lotus Blossom conduct their operations helps inform organisations about the defenses that are required to protect against this and similar threats. Even if you are not working within one of the affected industrial sector, other threat actors may be conducting information stealing campaigns against you.

**So now what?**

Use the IOCs associated with the campaign to search for evidence of incursion within your own organization. Use this exercise as a means of verifying that you have visibility of the systems on your network and that you are able to search for known malicious IOCs.

**  
Top security headlines of the week**

244 million additional compromised passwords from a data dump offered for sale by criminals have been added to the privacy breach notification service “Have I Been Pwned”. (The Register)

A massive botnet consisting of more than 86 000 compromised IoT devices is conducting DDoS attacks against telecom firms and gaming platforms. (Cybersecurity Dive)

The US agency, CISA reports that it will continue to defend against threats including those from Russia. (TheRecord)

****Can’t get enough Talos?****

In The Talos Threat Perspective episode 9, Hazel Burton speaks with Nick Biasini about changes in social engineering techniques.

**Upcoming events where you can find Talos**

RSA (April 28-May 1, 2025)  San Francisco, CA    
CTA TIPS 2025 (May 14-15, 2025) Arlington, VA   
Cisco Live U.S. (June 8 – 12, 2025) San Diego, CA   

**Most prevalent malware files from Talos telemetry over the past week**

SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   
MD5: 71fea034b422e4a17ebb06022532fdde   
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details   
Typical Filename: VID001.exe   
Claimed Product: N/A   
Detection Name: Coinminer:MBT.26mw.in14.Talos 

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
MD5: 2915b3f8b703eb744fc54c81f4a9c67f    
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
Typical Filename: VID001.exe    
Detection Name: Simple\_Custom\_Detection

SHA256: 592835f805da0d9a24a5d91a0f77ad9988853da34a97b50e75e77c72573edeac  
MD5: 6361f25ede0442f2e0ad3bcd33c331c8  
Typical Filename: KMSSS.exe  
Detection Name: PUA.Win.Dropper.Hackkms::tpd  
VirusTotal: https://www.virustotal.com/gui/file/592835f805da0d9a24a5d91a0f77ad9988853da34a97b50e75e77c72573edeac

SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
MD5: 7bdbd180c081fa63ca94f9c22c457376  
Typical Filename: img001.exe  
Detection Name: Win.Trojan.Miner-9835871-0  
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91

Who is Responsible and Does it Matter?

Cisco Talos has discovered an active exploitation of CVE-2024-4577 by an attacker in order to gain access to the victim's machines and carry out post-exploitation activities.

Unmasking the new persistent attacks on Japan

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added five security flaws impacting software from Cisco, Hitachi Vantara, Microsoft Windows, and Progress WhatsUp Gold to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The list of vulnerabilities is as follows -

CVE-2023-20118 (CVSS score: 6.5) - A command injection

Cisco, Hitachi, Microsoft, and Progress Flaws Actively Exploited—CISA Sounds Alarm

San Francisco, California, 3rd March 2025, CyberNewsWire

**San Francisco, California, March 3rd, 2025, CyberNewsWire**

With the growing importance of security compliance for startups, more companies are seeking to achieve and maintain compliance with frameworks like SOC 2, ISO 27001 & GDPR. Bubba AI, Inc. is building a comprehensive solution for these organizations to easily integrate compliance workflows and build their own customized processes through an open-source alternative to existing GRC (Governance, Risk, and Compliance) automation platforms.

The company is positioning itself to address the compliance needs of organizations ranging from early-stage startups to established enterprises. Bubba AI’s flagship product, Comp AI, offers a built-in risk register, and policies required for frameworks while also allowing companies to build their compliance workflows using building blocks provided by the platform.

**Introducing Comp AI**

Comp AI is an open-source alternative to GRC automation platforms like Vanta and Drata. The platform includes several key features designed to automate compliance with frameworks such as SOC 2:

*   A built-in risk register to help companies identify, document, and assess potential security risks
*   Out-of-the-box security policies for modern companies, complete with an AI-powered editor for customization
*   A comprehensive vendor management suite for tracking, assessing, and identifying third-party vendors
*   Automated evidence-collection tools that reduce the manual burden of compliance documentation

The open source nature of Comp AI differentiates it from existing solutions in the market, allowing for greater community involvement, customization, and cost savings for companies on their compliance journey.

**The Value of Open Source Compliance Solutions**

Bubba AI was founded in late 2024 by Lewis Carhart. Carhart recognized a significant gap in the market for affordable, flexible compliance automation tools that could serve the needs of a wide range of companies.

> “While building at previous companies, I experienced firsthand how painful and resource-intensive the compliance process can be, especially for smaller organizations. The existing solutions were either prohibitively expensive or lacked the flexibility we needed. I wanted to create an open source platform that democratizes access to compliance automation”, Lewis Carhart commented.

This experience led Carhart to develop Comp AI as an open source alternative that could help organizations of all sizes achieve SOC 2 compliance without breaking the bank or getting locked into proprietary systems.

**The Ambitious Goal**

Bubba AI has set an ambitious target: helping 100,000 companies achieve compliance with cyber security frameworks like SOC 2, ISO 27001 & GDPR by 2032. This goal reflects the growing importance of security certifications as businesses increasingly handle sensitive customer data and face stricter regulatory requirements.

> “We believe that strong security practices shouldn’t be a luxury that only well-funded companies can afford. By providing an open source solution, we’re removing barriers to entry and empowering organizations to build robust security programs regardless of their size or resources”, said Lewis Carhart.

The company plans to build a community around its open-source platform, encouraging contributions and extensions that can benefit the broader business ecosystem.

**About Bubba AI**

Bubba AI, Inc. was founded at the end of 2024. Its mission is clear: help 100,000 companies get compliant with common cyber security frameworks by 2032. To do this, Bubba AI, Inc. is launching its first product – Comp AI, an open-source alternative to Vanta & Drata.

**Contact**

**Founder**  
**Lewis Carhart**  
**Bubba AI, Inc.**  
**\[email protected\]**

Bubba AI, Inc. is launching Comp AI to help 100,000 startups get SOC 2 compliant by 2032.

Joe has some advice for anyone experiencing self doubt or wondering about their next career move. Plus, catch up on the latest Talos research on scams targeting sellers, and the Lotus Blossom espionage group.

Thursday, February 27, 2025 14:03

Welcome to this week’s edition of the Threat Source newsletter. 

Hello again my friends! Geez, it’s been a year am I right? Lemons its February you say?! Oof.  

Imposter syndrome. You’ve heard the term I’m sure, but what is it? Basically: imposter syndrome is the persistent feeling of self-doubt and fear of being exposed as a fraud despite clear evidence of competence and success. In cybersecurity, and in _especially_ in Talos, you will find imposter syndrome in abundance.

In Talos you’re in rooms of incredibly bright and smart people. They are paragons of what it is to be hackers, and you cannot help but often admire the amazing quality of their work. It is truly an amazing team that does important work to help save the world from the bad guys.  

The downside? _You’re in a room of bright and smart people._ Some can reverse malware binaries while juggling chainsaws. Some are polyglots who can at length tell you the linguistic nuances of Mesopotamian verbs and loanwords and have eidetic memory of every ransomware cartel ever. I personally know one is an amazing, accredited musician and actually hacked a prison to open its jail cells on a pentest. 

How do you not compare yourself to the talents, skills, and achievements of wonderfully smart and talented people? It’s tough not to. Comparison is truly the thief of joy.  

The truth is – in cybersecurity and in places like Talos and elsewhere, you will be constantly assailing yourself with self-doubt of achievement and belonging. The anxiety, stress, and burnout from imposter syndrome are a real thig.  

So what do we do? First, look at your achievements. You are where you are because others saw value in your work. Second, challenge those negative self-thoughts. Easier said than done, I know, but hear me out. Use mentors and peer group support to help challenge those negative self-thoughts.

And lastly, _be kind to yourself._ Cybersecurity is a hard gig. It’s a gigantic amount of technical and non-technical information and we all feel the pressure to absorb, understand, and master it and all its nuances. That’s not possible of course, but we cyber folks are wired differently. If you can walk away with 1% more information than you had yesterday, that’s a win. Take it. Just be kind to yourself, ok? 

I want to take a moment to address a specific audience of readers. All the U.S.  federal workers who have been affected by reduction in force (RIFs), my heart goes out to you. This is an unearned hardship. I wish I had a magic wand to wave to alleviate the stress and trauma of a sudden event like this. I know it’s truly awful. If I can offer any guidance or mentorship for private sector cybersecurity, reach out. I may not have all the answers, but I will do what I can. Stay strong.  

**The one big thing**

Boy howdy is this a big one – scams! Look, the average person isn’t going to get smoked by Salt/Volt Typhoon, or wrestle with a financial threat actor like a ransomware cartel. But you absolutely have bought and sold things online.  We break down seller abuse – that is, ways to trick sellers into be defrauded out of money. We always picture scams as the seller doing the defrauding, but the reverse is just as true.  

**Why do I care?**

You want to keep money in your pocket, and not be the victim of a scam. They adversaries here know the systems they are manipulating quite well here and have fine tuned the art of fraud. It’s important to understand the seller experience as much as the buyer experience in order understand these kinds of frauds and thefts.

**So now what?**

Understand the threat landscape for seller/buyer fraud, and hopefully this work can help keep money in your pocket and not a victim of theft. Pay attention to URL’s you’re asked to click, and clever re-directs to scamming websites. Now you know. And as G.I. Joe said – knowing is half the battle.  

**Top security headlines of the week**

Sensitive financial and health data belonging to millions of veterans and stored on a benefits website is at risk of being stolen or otherwise compromised, according to a federal employee tasked with cybersecurity who was recently fired as part of massive government-wide cuts. (AP News) 

Attackers are wielding a novel Linux backdoor against the education and public sectors in the US and Asia that demonstrates particularly stealthy ways to avoid both detection and as well as deletion from a system. (Dark Reading) 

Hackers claim to have published a trove of sensitive data belonging to IVF patients after a cyberattack on Genea, one of Australia’s largest fertility providers. (Tech Crunch) 

****Can't get enough Talos?****

The Beers with Talos B-team comes in swinging hard on cyber security careers. I get a little spicy, and you want to hear it. Now that I know we bleep certain words, I anticipate a 50% uptake in more spicy content. You can all blame Hazel for this.

New research: Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools

A blueprint for protecting major events - Yuri Kramarz joins Talos Takes to discuss his experience in cybersecurity and threat hunting for some of the world's biggest sporting events.

**Upcoming events where you can find Talos**

RSA (April 28-May 1, 2025)  San Francisco, CA  

CTA TIPS 2025 (May 14-15, 2025) Arlington, VA 

Cisco Live U.S. (June 8 – 12, 2025) San Diego, CA 

**Most prevalent malware files from Talos over the past week**

SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca 

MD5: 71fea034b422e4a17ebb06022532fdde 

VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details 

Typical Filename: VID001.exe 

Claimed Product: N/A 

Detection Name: Coinminer:MBT.26mw.in14.Talos 

SHA 256:9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  

MD5: 2915b3f8b703eb744fc54c81f4a9c67f  

VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  

Typical Filename: VID001.exe  

Detection Name: Simple\_Custom\_Detection

Sellers can get scammed too, and Joe goes off on a rant about  imposter syndrome

Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools

A new malware campaign has been observed targeting edge devices from Cisco, ASUS, QNAP, and Synology to rope them into a botnet named PolarEdge since at least the end of 2023.
French cybersecurity company Sekoia said it observed the unknown threat actors leveraging CVE-2023-20118 (CVSS score: 6.5), a critical security flaw impacting Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and

Tag

#cisco