Hackers Abuse Cloudflare Tunnels To Bypass Firewalls and Establish Long-Term Footholds
A disturbing new trend is growing in the world of cybersecurity. Hackers have found a way to increasingly abuse Cloudflare Tunnels for their malicious intent. This strategy involves using Cloudflare Tunnels to generate encrypted HTTPS connections from compromised devices. It effectively bypasses firewalls and establishes long-term footholds.
Understanding Cloudflare Tunnels
Cloudflare Tunnels, a well-known Cloudflare feature, is at the heart of this problem. This feature allows customers to connect to the Cloudflare network safely in a one-way manner (primarily for web servers and apps). The method begins with the installation of one of the available ‘Cloudflare’ clients for Linux, Windows, macOS, and Docker.
This initiated tunnel runs under a user-specified hostname. It serves legitimate purposes such as resource sharing and testing. Cloudflare Tunnels include a set of controls, gateway configurations, team administration, as well as user insights. This gives users significant control over the tunnel and the services it offers.
Although not wholly new, Cloudflare Tunnels abuse for nefarious purposes has received renewed attention. Phylum, a cybersecurity watchdog, reported occurrences in January 2023 in which hackers were seen to abuse Cloudflare Tunnels to steal data and obtain unauthorized access to devices.
Cloudflare Tunnels Abuse Is Becoming Common
Recent cybersecurity news, however, shows that this tactic has become more common. The Digital Forensics and Incident Response (DFIR) teams of GuidePoint, along with their Global Threat Intelligence (GRIT) experts, report abuse of Cloudflare operations. The implications are significant and point to a deadly new weapon in the hackers’ toolkit.
The analysis by GuidePoint reveals an alarming trend. More hostile attackers are involved in phishing and malware abuse Cloudflare, exploiting Cloudflare Tunnels with strategic purposes. These include establishing and maintaining hidden access to compromised networks, evading discovery, and not to forget secretly transmitting data from the victim’s devices.
A single command executed from the victim’s device is all that is required. This command establishes a clandestine communication channel by barely revealing the hacker’s unique tunnel token. In parallel, the hacker retains the power to modify the tunnel’s settings, quickly enabling or disabling it based on their objective.
The hacker could enable Remote Desktop Protocol (RDP) access, acquire intelligence from the victim’s device, and then disable RDP until the following operational cycle. This clever toggling reduces exposure dangers as well as detection probabilities.
Significantly, the use of QUIC on port 7844 for HTTPS connection and data transfer ensures that standard network defenses frequently fail to signal this activity unless explicitly configured to do so. To increase disguise, hackers stealthy connections can use Cloudflare’s ‘TryCloudflare’ option without having to create an account.
On top of that, the hacker who has infiltrated a single client device can possibly acquire access to a whole spectrum of internal IP addresses by maliciously using Cloudflare’s ‘Private Networks’ capability. This risky inversion allows the attacker to gain access to services that are normally confined to local network use.
Measures To Prevent Cloudflare Tunnel Abuse
Taking precautions to prevent unauthorized Cloudflare network usage has become crucial now more than ever. Organizations should monitor certain DNS queries, which are included in the entire report. Furthermore, the use of non-standard ports, such as 7844, is successful in detecting.
Defenders can strengthen their position even further by tracking file hashes connected with ‘Cloudflare’ client updates. This can be used as a trustworthy indicator in helping to identify potential invasions.
In a world where cybersecurity is critical, Cloudflare Tunnels abuse for hidden connections demands immediate attention. The trend emphasizes the importance of vigilant monitoring, proactive defense, and ongoing adaptation in order to stay ahead of new threats.
For any queries, get in touch with our experts, and say NO to these unauthorized connections where hackers abuse Cloudflare tunnels!
The sources for this piece include an article in Bleeping Computer.