Threat Actors Abuse Cloudflare Tunnel for Persistent Access, Data Theft
Threat actors have been exploiting the open source tool Cloudflared to gain persistent access to compromised systems and steal information without detection, according to cybersecurity firm GuidePoint Security. Cloudflared is a command-line client for Cloudflare Tunnel, a tunneling daemon for proxying traffic between the Cloudflare network and the user’s origin.
Abusing Cloudflared for Stealthy Access
Cloudflared allows services like SSH, RDP, and SMB to be directly accessible from outside without modifying firewall rules, making it an ideal tool for threat actors to maintain access to a victim’s environment without exposing themselves. The attacker only needs access to the target system to execute Cloudflared and establish a connection.
One of the advantages for attackers is that Cloudflared keeps the configuration in the running process, allowing them to make changes on the fly once the connection has been established. The attacker only needs RDP and SMB to be enabled on the victim machine, and they can enable or disable the required functionality as needed to avoid detection.
Challenges in Detection
One of the main challenges with the malicious use of Cloudflared is that the tool does not store logs; its activity can only be viewed in real time by an administrator with access to the running process in a command prompt or terminal. While security teams could re-run the command used to establish a tunnel to enumerate the existing Public Hostname configurations, doing so could give the attacker an opportunity to take steps to protect themselves.
However, network defenders can look for specific queries made by Cloudflared to identify unexpected or unauthorized use of the tool. Organizations using Cloudflare services legitimately can also limit their services to specific data centers and generate detections for traffic that routes to anywhere except their specified data centers, which might aid in the detection of unauthorized tunnels.
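The detection approach described above, as an added example that is not part of the original article or of GuidePoint's or Cloudflare's tooling: resolver log lines (constructed here) are scanned for queries to the Cloudflare Tunnel edge domain from hosts that are not approved to run Cloudflared. The log format, the approved-host list and the `argotunnel.com` suffix are assumptions; confirm the names your own Cloudflared instance resolves before relying on the suffix.

```python
"""Flag DNS queries that look like Cloudflared tunnel bootstrap traffic
from hosts that are not approved to run Cloudflare Tunnel.

Assumptions (not taken from the article): the resolver log format below
is constructed, and 'argotunnel.com' is assumed to be the edge domain
that cloudflared resolves when it starts a tunnel.
"""
import re
from typing import Iterable

# Hosts sanctioned to run cloudflared (constructed example data).
APPROVED_TUNNEL_HOSTS = {"10.0.5.20"}

# Domain suffixes assumed to be resolved by cloudflared to reach the edge.
TUNNEL_DOMAIN_SUFFIXES = ("argotunnel.com",)

# Constructed resolver log line: <timestamp> <client_ip> <qtype> <qname>
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<qtype>[A-Z]+) (?P<qname>\S+)$")


def is_tunnel_query(qname: str) -> bool:
    """True if qname is, or is a subdomain of, a tunnel edge domain."""
    name = qname.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in TUNNEL_DOMAIN_SUFFIXES)


def find_unapproved_tunnels(lines: Iterable[str]) -> list[dict]:
    """Return one alert per tunnel-edge query from a non-approved client."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        if is_tunnel_query(m["qname"]) and m["client"] not in APPROVED_TUNNEL_HOSTS:
            alerts.append({"ts": m["ts"], "client": m["client"],
                           "qname": m["qname"].rstrip(".")})
    return alerts


# Constructed sample log: one approved host, one unapproved host, noise.
SAMPLE_LOG = """\
2023-08-04T10:01:02Z 10.0.5.20 SRV _v2-origintunneld._tcp.argotunnel.com.
2023-08-04T10:01:03Z 10.0.7.44 SRV _v2-origintunneld._tcp.argotunnel.com.
2023-08-04T10:01:03Z 10.0.7.44 A region1.v2.argotunnel.com.
2023-08-04T10:01:05Z 10.0.7.44 A www.example.com.
not a log line
"""

if __name__ == "__main__":
    for a in find_unapproved_tunnels(SAMPLE_LOG.splitlines()):
        print(f"ALERT {a['ts']} host {a['client']} resolved {a['qname']}")
```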
Editorial: Balancing Security and Usability in Open Source Tools
The abuse of Cloudflared by threat actors highlights the delicate balance between security and usability when it comes to open source tools. Cloudflared is a legitimate tool supported on major operating systems, and its outbound connections to the Cloudflare infrastructure are typically allowed by most network defenses. However, this also opens up opportunities for malicious actors to exploit the tool for their own purposes.
While open source tools provide great benefits in terms of customizability and flexibility, they also require constant vigilance to ensure they are not being abused. Developers and maintainers of open source tools must prioritize security and actively monitor for any potential misuse or vulnerabilities that can be exploited by threat actors.
Advice: Protecting Against Abuse of Cloudflare Tunnel
To protect against the abuse of Cloudflare Tunnel, organizations should implement the following measures:
- Create and enforce stringent access controls to prevent unauthorized access to systems and restrict the execution of Cloudflared.
- Regularly monitor and review system logs and network traffic for any suspicious activity related to Cloudflared, such as unexpected queries or traffic patterns.
- Utilize intrusion detection and prevention systems that can detect and block any unauthorized use of Cloudflared.
- Limit services to specific data centers and generate detections for traffic that routes to unauthorized destinations.
- Stay informed about the latest security updates and patches for Cloudflare and Cloudflare Tunnel, and promptly apply them to ensure the latest protections are in place.
- Educate employees about the risks of phishing attacks and social engineering techniques used by threat actors to gain access to systems and execute tools like Cloudflared.
By following these recommendations and maintaining a proactive security posture, organizations can minimize the risk of their systems being compromised through the abuse of Cloudflare Tunnel and similar tools.