Hackers Abuse Cloudflare Tunnels Feature to Gain Stealthy Persistent Access

In the current era of cybersecurity, threat actors are actively adopting creative and new methods to exploit networks. While some now use familiar tools, reducing detection odds by evading traditional defenses like anti-virus, Cloudflare, and EDR solutions.

From compromised devices, hackers are actively exploiting the Tunnels for the following purposes:-

  • Stealthy HTTPS connections
  • Bypass firewalls
  • Maintain long-term persistence

Earlier in January 2023, threat actors leveraged Tunnels through malicious PyPI packages for data theft and remote device access, which means that this technique is not new.

GuidePoint’s DFIR and GRIT teams addressed recent engagements involving Tunnel (Cloudflare) use by attackers. 

Cloudflare Tunnel establishes outbound connections via HTTPS to Edge Servers, making services accessible through configuration changes. 

While apart from this, external access to the following services is facilitated through Cloudflare’s Zero Trust dashboard:-

  • SSH
  • RDP
  • SMB

Exploitation of Cloudflare Tunnels

CloudFlare Tunnels enable secure outbound connections to Cloudflare for web servers or apps and the installation of Cloudflare clients on the following platforms that establish the tunnel:-

  • Linux
  • Windows
  • macOS
  • Docker 

Here below we have mentioned all the services that are provided by the Cloudflare Tunnels:-

  • Access control
  • Gateway setups
  • Analytics
  • Team management 

All these mentioned abilities provide high user control over the exposed services. A single command from the victim’s device sets up discreet communication via the attacker’s tunnel token, allowing real-time configuration changes.

Tunnel Configuration (Source – Guide Point Security)

Tunnel updates follow Dashboard configuration changes, enabling threat actors to control functionality activation and deactivation.

Threat actors can enable RDP for data collection, then disable it to evade detection and domain observation.

HTTPS connection and data exchange via QUIC on port 7844 evade detection by default firewalls.

While the attackers can exploit Cloudflare’s ‘TryCloudflare’ for one-time tunnels without account creation, it’s a  stealthier approach.

SMB Connection from Attacker to Victim (Source – Guide Point Security)

Cloudflare Tunnels exploitation steps

There are three steps that attackers follow to perform or execute their malicious actions through Cloudflared.

Here below, we have mentioned the Tunnels exploitation steps:-

  • Generate Token via Tunnel Creation on Victim Machine.
  • Access Needed for Running Executable.
  • Client Connection to Tunnel for Victim Access.

Moreover, security analysts also confirmed the potential abuse of Cloudflare’s ‘Private Networks’ feature, granting an attacker tunnel access to a victim’s entire internal IP address range.

Recommendation

GuidePoint researchers advised the organizations to monitor unauthorized Tunnel use by tracking specific DNS queries and utilizing non-standard ports, such as 7844.

Additionally, Tunnel use can be detected by monitoring file hashes of ‘cloudflared’ client releases, as the installation is required.

Legitimate users can restrict services to chosen data centers, flagging Cloudflared tunnels targeting unauthorized destinations, as this approach aids in tunnel detection.

Keep informed about the latest Cyber Security News by following us on GoogleNews, Linkedin, Twitter, and Facebook.

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.