Hackers increasingly abuse Cloudflare Tunnels for stealthy connections

August 7, 2023 – Published on Bleeping Computer

Hackers are increasingly abusing the legitimate Cloudflare Tunnels feature to create stealthy HTTPS connections from compromised devices, bypass firewalls, and maintain long-term persistence.

The technique isn’t entirely new, as Phylum reported in January 2023 that threat actors created malicious PyPI packages that used Cloudflare Tunnels to stealthy steal data or remotely access devices.

However, it appears that more threat actors have started to use this tactic, as GuidePoint’s DFIR and GRIT teams reported last week, seeing an uptick in activity.

CloudFlare Tunnels is a popular feature provided by Cloudflare, allowing users to create secure, outbound-only connections to the Cloudflare network for web servers or applications.

Users can deploy a tunnel simply by installing one of the available cloudflared clients for Linux, Windows, macOS, and Docker.

From there, the service is exposed to the internet on a user-specified hostname to accommodate legitimate use-case scenarios such as resource sharing, testing, etc.

Cloudflare Tunnels provide a range of access controls, gateway configurations, team management, and user analytics, giving users a high degree of control over the tunnel and the exposed compromised services.

In GuidePoint’s report, the researchers say that more threat actors abuse Cloudflare Tunnels for nefarious purposes, such as gaining stealthy persistent access to the victim’s network, evading detection, and exfiltrating compromised devices’ data.

Read More HERE.