Cloudflare Tunnels are being used to breach networks
Benign tool is being used to steal data by abusing Cloudflare Tunnels
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
A hacking method that involves abusing a legitimate Cloudflare feature to steal people’s data and persist on compromised endpoints is gaining popularity, a report published by cybersecurity researchers from GuidePoint.
The feature being abused is called Cloudflare Tunnels, which allow users to create secure, outbound-only connections to the Cloudflare network for web servers and applications. The setup is simple, and the configuration is extensive, as users get plenty of access controls, gateway configurations, team management, and user analytics.
Once set up, the tunnel become exposed to the internet and can be used for different things such as sharing resources and similar.
Picking up steam
Cloudflare Tunnels are available on Linux, Windows, macOS and Docker, and users can start using it by simply installing one of the available cloudflared clients.
However, in January 2023, cybersecurity researchers from Phylum discovered some hackers creatingmaliciousPyPI packages that used the tool to steal data or access endpoints, remotely and under the radar. All it takes is one command from the victim endpoint to create a discreet communication channel over which the attacker has full control.
Now, GuidePoint argues that there’s been a significant uptick in the use of this technique for data exfiltration and to establish persistence on target devices.
Tor networks hit by wave of DDoS attacks>DDoS is fast becoming a potent weapon for cybercriminals>These are the best endpoint protection services around
“The tunnel updates as soon as the configuration change is made in the Cloudflare Dashboard, allowing TAs to enable functionality only when they want to conduct activities on the victim machine, then disable functionality to prevent exposure of their infrastructure,” the researchers said. “For example, the TA could enable RDP connectivity, collect information from the victim machine, then disable RDP until the following day, thus lowering the chance of detection or the ability to observe the domain utilized to establish the connection.”
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
The researchers say the best way to spot hackers abusing Cloudflare tunnels is to keep an eye out for specific DNS queries shared in the report, and use non-standard ports. Also, given that Cloudflare Tunnel needs the cloudflared client, IT teams can detect its use by keeping track of file hashes associated with client releases.
Via:BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
Google puts Nvidia on high alert as it showcases Trillium, its rival AI chip, while promising to bring H200 Tensor Core GPUs within days
A new form of macOS malware is being used by devious North Korean hackers
Quordle today – hints and answers for Saturday, November 9 (game #1020)
