A hacking method that involves abusing a legitimate Cloudflare feature to steal people’s data and persist on compromised endpoints is gaining popularity, a report published by cybersecurity researchers from GuidePoint.
The feature being abused is called Cloudflare Tunnels, which allow users to create secure, outbound-only connections to the Cloudflare network for web servers and applications. The setup is simple, and the configuration is extensive, as users get plenty of access controls, gateway configurations, team management, and user analytics.
Once set up, the tunnel become exposed to the internet and can be used for different things such as sharing resources and similar.
Picking up steam
Cloudflare Tunnels are available on Linux, Windows, macOS and Docker, and users can start using it by simply installing one of the available cloudflared clients.
However, in January 2023, cybersecurity researchers from Phylum discovered some hackers creating malicious PyPI packages that used the tool to steal data or access endpoints, remotely and under the radar. All it takes is one command from the victim endpoint to create a discreet communication channel over which the attacker has full control.
Now, GuidePoint argues that there’s been a significant uptick in the use of this technique for data exfiltration and to establish persistence on target devices.
“The tunnel updates as soon as the configuration change is made in the Cloudflare Dashboard, allowing TAs to enable functionality only when they want to conduct activities on the victim machine, then disable functionality to prevent exposure of their infrastructure,” the researchers said. “For example, the TA could enable RDP connectivity, collect information from the victim machine, then disable RDP until the following day, thus lowering the chance of detection or the ability to observe the domain utilized to establish the connection.”
The researchers say the best way to spot hackers abusing Cloudflare tunnels is to keep an eye out for specific DNS queries shared in the report, and use non-standard ports. Also, given that Cloudflare Tunnel needs the cloudflared client, IT teams can detect its use by keeping track of file hashes associated with client releases.