Hackers are increasingly abusing Cloudflare Tunnels to create stealthy HTTPS connections from compromised devices, bypass firewalls, and maintain long-term persistence.
In January 2023, Phylum reported that attackers created malicious PyPI packages using Cloudflare Tunnels to steal data and remotely access devices.
According to GuidePoint's DFIR and GRIT teams, this tactic has increased over the past week.
The Cloudflare Tunnel feature allows Cloudflare users to create secure, outbound-only connections from their web servers and applications to Cloudflare's network. To deploy a tunnel, users must install a Cloudflare client for Linux, Windows, macOS, or Docker. The service is then exposed to the internet under a user-specified hostname to accommodate legitimate use cases such as resource sharing, testing, etc.
In addition to providing a range of access controls, gateway configurations, team management, and user analytics, Cloudflare Tunnels give a high degree of control over the tunnel and the exposed compromised services.
GuidePoint's report states that more threat actors are using Cloudflare Tunnels for nefarious purposes, such as gaining stealthy persistent access to the target's network, evading detection, and exfiltrating data from compromised devices.
The discreet communication channel can be established with a single command on the victim's device that exposes nothing but the attacker's unique tunnel token. A threat actor may also modify the tunnel's configuration in real time and turn it on and off as necessary.
TAs can enable functionality only when they intend to conduct activities on the victim machine, then turn off the functionality to prevent exposure of their infrastructure, explains GuidePoint. Once configuration changes are made in the Cloudflare Dashboard, the tunnel updates. By enabling RDP connectivity, the TA could gather data from the victim and turn it off until the next day, lowering the chance of detecting or observing the domain used.
As the HTTPS connection and data exchange occur over QUIC on port 7844, it is unlikely that firewalls or other network protection solutions will flag this traffic unless they are specifically configured to do so.
Cloudflare's 'TryCloudflare' feature lets users create one-time tunnels without creating an account, making attackers even more stealthy.
GuidePoint says it is also possible to exploit Cloudflare's Private Networks feature to allow remote access to an entire range of internal IP addresses by setting up a tunnel to a single client (victim).
Organizations should monitor for the specific DNS queries shared in the report and for outbound connections on the non-standard port 7844 to detect unauthorized use of Cloudflare Tunnels.
Furthermore, as Cloudflare Tunnel requires the installation of the Cloudflare client, defenders can detect its use by monitoring file hashes associated with client releases.
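The three detection angles above (tunnel-related DNS queries, outbound traffic to port 7844, and file hashes of the Cloudflare client) can be checked together in a small script. The following is an added example written for this page, not code from the article or from GuidePoint. It runs over constructed log lines and flags hosts where more than one telemetry source agrees; the domain patterns `*.argotunnel.com` (the endpoints the cloudflared client connects to) and `*.trycloudflare.com` (used by the account-less TryCloudflare feature) are assumptions drawn from general knowledge of Cloudflare Tunnel rather than from the report, the hash values are labelled placeholders, and the IP addresses are documentation ranges.

```python
"""Added example: correlate Cloudflare Tunnel indicators across DNS,
connection and file-hash telemetry. All log lines below are constructed."""
import fnmatch
import re
from dataclasses import dataclass

# Assumption (not from the article): domains the cloudflared client and the
# TryCloudflare feature resolve when establishing a tunnel.
TUNNEL_DOMAIN_PATTERNS = ("*.argotunnel.com", "*.trycloudflare.com")
TUNNEL_PORT = 7844  # from the article: the QUIC/HTTPS tunnel transport port

# Placeholders standing in for cloudflared release hashes a defender would
# import from Cloudflare's release page. These are NOT real hash values.
KNOWN_CLIENT_HASHES = {
    "PLACEHOLDER_SHA256_CLOUDFLARED_RELEASE_A",
    "PLACEHOLDER_SHA256_CLOUDFLARED_RELEASE_B",
}


@dataclass
class Finding:
    source: str  # "dns", "net" or "file"
    host: str    # endpoint the telemetry came from
    detail: str


# Constructed log formats: "<ts> <host> query <qname>",
# "<ts> <host> conn <proto> <src> -> <dst>:<dport>",
# "<ts> <host> file <path> sha256=<hash>"
DNS_LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) query (?P<qname>\S+)$")
CONN_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) conn (?P<proto>tcp|udp) "
    r"(?P<src>\S+) -> (?P<dst>\S+):(?P<dport>\d+)$")
HASH_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) file (?P<path>\S+) sha256=(?P<sha>\S+)$")


def check_dns(line):
    """Flag lookups of known tunnel domains."""
    m = DNS_LINE.match(line)
    if not m:
        return None
    qname = m.group("qname").rstrip(".").lower()
    for pat in TUNNEL_DOMAIN_PATTERNS:
        if fnmatch.fnmatch(qname, pat):
            return Finding("dns", m.group("host"), f"tunnel domain lookup {qname}")
    return None


def check_conn(line):
    """Flag outbound TCP or UDP connections to the tunnel port."""
    m = CONN_LINE.match(line)
    if not m or int(m.group("dport")) != TUNNEL_PORT:
        return None
    return Finding("net", m.group("host"),
                   f"outbound {m.group('proto')} to {m.group('dst')}:{TUNNEL_PORT}")


def check_hash(line):
    """Flag files whose hash matches a known Cloudflare client release."""
    m = HASH_LINE.match(line)
    if not m or m.group("sha") not in KNOWN_CLIENT_HASHES:
        return None
    return Finding("file", m.group("host"), f"cloudflared binary at {m.group('path')}")


def scan(lines):
    """Run every check over every line; each line yields at most one finding."""
    findings = []
    for line in lines:
        for check in (check_dns, check_conn, check_hash):
            f = check(line.strip())
            if f:
                findings.append(f)
                break
    return findings


def hosts_with_multiple_sources(findings):
    """Hosts where two or more independent telemetry sources agree."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.source)
    return sorted(h for h, s in by_host.items() if len(s) >= 2)


# Constructed sample telemetry; IPs are from documentation ranges.
SAMPLE_LOGS = [
    "2023-08-06T10:00:01Z ws-17 query region1.v2.argotunnel.com",
    "2023-08-06T10:00:02Z ws-17 conn udp 10.0.5.17:51234 -> 203.0.113.7:7844",
    "2023-08-06T10:00:03Z ws-17 file C:\\Users\\Public\\svc.exe sha256=PLACEHOLDER_SHA256_CLOUDFLARED_RELEASE_A",
    "2023-08-06T10:00:04Z ws-22 query www.example.com",
    "2023-08-06T10:00:05Z ws-22 conn tcp 10.0.5.22:49001 -> 203.0.113.20:443",
    "2023-08-06T10:01:00Z ws-31 query api.trycloudflare.com",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"[{f.source}] {f.host}: {f.detail}")
    print("hosts with corroborating sources:", hosts_with_multiple_sources(scan(SAMPLE_LOGS)))
```

In practice the hash set would be populated from Cloudflare's published releases and the script would exclude hosts that are approved to run the client, since a legitimate tunnel produces the same DNS, port and hash signals; the value of the correlation step is that a single indicator on a host that has no business running cloudflared becomes a strong lead once a second source confirms it.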