
Attackers use Cloudflare Tunnel to proxy into victim networks

August 8, 2023 – Published on CSO Online

Cloudflare Tunnel is a powerful tunneling solution that gives organizations a way to securely make internal applications and services accessible to external users while benefiting from the defenses and authentication policies enforced by the Cloudflare network. Like most tools that are meant to make infrastructure administration easier and more secure, it can also be abused by attackers.

Researchers from GuidePoint Security have reported that their teams have investigated multiple incidents this year where attackers used the Cloudflare Tunnel to maintain access to victim networks. While the attacks were not highly sophisticated, they believe more threat actors will adopt the tool because of its powerful features and ease of use.

“The key point is that cloudflared [the Cloudflare Tunnel daemon] reaches out to the Cloudflare Edge Servers, creating an outbound connection over HTTPS (HTTP2/QUIC), where the tunnel’s controller makes services or private networks accessible via Cloudflare console configuration changes,” Nic Finn, a senior threat intelligence consultant at GuidePoint, said in a report. “These changes are managed through Cloudflare’s Zero Trust dashboard and are used to allow external sources to directly access important services, including SSH, RDP, SMB, and others.”
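Because the tunnel is an outbound connection from the host running cloudflared, egress records are one place defenders can look for it. The following is an added example, not code from the article or from GuidePoint: it flags hosts that show cloudflared edge traffic but are not on an approved list. The port (7844) and hostname suffix (argotunnel.com) are taken from Cloudflare's public documentation rather than from this page, and the log format, host names and function names are constructed for illustration.

```python
import csv
from collections import defaultdict

# Assumptions from Cloudflare's public documentation, not from the article:
# cloudflared dials the edge on port 7844 (TCP for HTTP/2, UDP for QUIC)
# at hostnames under argotunnel.com.
TUNNEL_PORT = 7844
TUNNEL_SUFFIX = ".argotunnel.com"
FIELDS = ["time", "src_host", "process", "dst_host", "dst_port", "proto"]

# Constructed sample egress records (not real data), one per line in FIELDS order.
SAMPLE_LOG = """\
2023-08-01T10:00:01Z,web01,cloudflared,region1.v2.argotunnel.com,7844,udp
2023-08-01T10:00:05Z,hr-laptop7,chrome.exe,www.example.com,443,tcp
2023-08-01T10:02:11Z,fs02,svchost-update.exe,region2.v2.argotunnel.com,7844,tcp
2023-08-01T10:02:40Z,fs02,svchost-update.exe,region1.v2.argotunnel.com,7844,udp
2023-08-01T10:03:00Z,db03,cloudflared.exe,198.51.100.20,443,tcp
"""

def tunnel_indicators(rec):
    """Return the reasons a record looks like cloudflared traffic (may be empty)."""
    reasons = []
    if rec["dst_host"].lower().endswith(TUNNEL_SUFFIX):
        reasons.append("edge-hostname")
    if int(rec["dst_port"]) == TUNNEL_PORT:
        reasons.append("edge-port/" + rec["proto"].lower())
    # The process name is the weakest signal: a renamed binary evades it,
    # which is why the network indicators above are checked independently.
    if rec["process"].lower() in ("cloudflared", "cloudflared.exe"):
        reasons.append("process-name")
    return reasons

def find_unapproved_tunnels(log_text, approved_hosts):
    """Map each host outside approved_hosts to the sorted indicators seen for it."""
    findings = defaultdict(set)
    for rec in csv.DictReader(log_text.splitlines(), fieldnames=FIELDS):
        reasons = tunnel_indicators(rec)
        if reasons and rec["src_host"] not in approved_hosts:
            findings[rec["src_host"]].update(reasons)
    return {host: sorted(r) for host, r in findings.items()}

if __name__ == "__main__":
    # web01 is the one host assumed to run a sanctioned tunnel.
    for host, reasons in find_unapproved_tunnels(SAMPLE_LOG, {"web01"}).items():
        print(host, reasons)
```

In the sample, fs02 is reported on network indicators alone even though its process name does not mention cloudflared, while db03 is reported on process name only.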
