Severity
High
Analysis Summary
A recently discovered vulnerability, “BreakingWAF,” uncovered by researchers has left over 140,000 domains, including those of major Fortune 1000 companies, exposed to severe cyber threats. The flaw affects widely used WAF providers such as Akamai, Cloudflare, Fastly, and Imperva.
By bypassing WAF protections, attackers can directly target backend servers, enabling distributed denial-of-service (DDoS) attacks, ransomware deployment, and complete application compromise. Nearly 40% of Fortune 100 and 20% of Fortune 1000 companies, including high-profile organizations such as JPMorgan Chase, Visa, Intel, and Berkshire Hathaway, have been impacted. In a stark demonstration, Zafran performed a 20-second DDoS attack on a domain owned by Berkshire Hathaway subsidiary BHHC, emphasizing the real-world risks.
According to the researchers, the vulnerability arises from the dual-purpose design of modern WAFs, which often also function as content delivery networks (CDNs) to enhance network efficiency. When backend servers fail to validate that incoming traffic actually originates from the WAF/CDN, attackers who map external domains to the backend IP addresses using advanced fingerprinting techniques can send requests to those addresses directly, bypassing WAF defenses entirely. This systemic flaw in WAF/CDN architecture has led to widespread misconfigurations, leaving critical systems vulnerable. Historical cyber incidents such as the Capital One data breach underscore the catastrophic consequences of WAF misconfigurations. Advanced Persistent Threat (APT) groups like APT41 have similarly exploited such flaws to exfiltrate sensitive data, while the financial toll of downtime and attacks has been devastating, with losses ranging from $1.8 million to $1.9 million per hour for affected organizations.
To mitigate these risks, researchers recommend strategies such as IP whitelisting, custom headers with pre-shared secrets, and mutual TLS (mTLS). While IP whitelisting is straightforward, it’s not foolproof. Pre-shared secrets provide moderate protection but require periodic updates, while mTLS offers the most robust defense by authenticating both the server and the CDN. However, implementing mTLS requires advanced tooling, which may not be compatible with all popular load balancers. WAF providers, including Akamai and Cloudflare, have issued detailed implementation guides, and Zafran has made assessment tools available through its Threat Exposure Management platform.
In a coordinated disclosure effort initiated on August 23, 2024, researchers notified impacted organizations, including JPMorgan Chase and UnitedHealth, both of which swiftly resolved the issue to avert exploitation. This disclosure underscores the urgency for companies relying on WAF/CDN solutions to reassess their configurations and implement robust security measures to mitigate the risks posed by BreakingWAF. The widespread vulnerability calls for immediate action to protect critical systems and prevent potential financial and reputational damage.
Impact
- Financial Loss
- Denial of Service
- Security Bypass
Remediation
- Restrict access to backend servers to only the IP addresses of trusted CDN providers.
- Use custom HTTP headers with pre-shared secrets to authenticate legitimate traffic.
- Ensure periodic rotation of these secrets to maintain effectiveness.
- Implement mTLS to validate both the server and the CDN using client certificates. This is the most secure option but requires specialized tooling, which may not be supported by all load balancers.
- Follow detailed guides provided by WAF providers like Akamai and Cloudflare for configuring secure setups.
- Use tools and platforms to assess exposure and ensure secure configurations.
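The first three remediation items above (CDN IP allowlist, pre-shared header, secret rotation) can be enforced together at the origin. The following is an added illustration, not code from the advisory or from any WAF provider; the CIDR ranges, header name and secrets are constructed placeholders, and the check deliberately uses the TCP peer address rather than any client-supplied forwarding header, since the whole point is that traffic may not have passed through the CDN at all.

```python
import hmac
import ipaddress

# Constructed placeholders: not real provider egress ranges, not real credentials.
TRUSTED_CDN_NETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8:1::/48")]
HEADER_NAME = "x-origin-auth"  # compared case-insensitively
# Rotation window: accept the current secret and the previous one so that rolling
# a new secret out at the CDN edge does not drop legitimate traffic mid-rotation.
ACTIVE_SECRETS = ("current-secret-placeholder", "previous-secret-placeholder")


def origin_request_allowed(peer_ip: str, headers: dict) -> tuple[bool, str]:
    """Return (allowed, reason) for a request arriving at the origin.

    peer_ip must be the real TCP peer address as seen by the origin, never a
    value taken from X-Forwarded-For or similar headers, which the sender controls.
    Both checks must pass: the peer must be a trusted CDN egress address and the
    pre-shared header must match one of the active secrets.
    """
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False, "unparseable peer address"
    if not any(addr in net for net in TRUSTED_CDN_NETS):
        return False, "peer not in CDN allowlist"

    normalized = {k.lower(): v for k, v in headers.items()}
    presented = normalized.get(HEADER_NAME)
    if presented is None:
        return False, "missing pre-shared header"
    # Constant-time comparison on bytes so a wrong guess leaks nothing via timing.
    if not any(hmac.compare_digest(presented.encode(), s.encode()) for s in ACTIVE_SECRETS):
        return False, "pre-shared header mismatch"
    return True, "ok"
```

In a real deployment the allowlist would be loaded from the CDN provider's published ranges and the secrets from a secret store, and a request that fails either check should be rejected before any application code runs.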