
The Week in Security: Cloudflare Tunnels abuse ramps up, U.K. voter data exposed

August 10, 2023 – Published on Security Boulevard

Cloudflare Tunnels, a feature of Cloudflare that enables users to create secure, outbound-only connections to the Cloudflare network, has seen an uptick in abuse by attackers. GuidePoint says that many attackers use Cloudflare Tunnels to gain stealthy, persistent access to a victim’s network, evade detection, and exfiltrate stolen data. This expands upon Phylum’s detection of malicious PyPI packages that used Cloudflare Tunnels to steal data and to remotely access devices.

For users to deploy a Cloudflare Tunnel, they must first install the available cloudflared client for Linux, Windows, macOS, or Docker. Once that is done, the service is exposed to the Internet under a user-specified hostname to accommodate legitimate use-case scenarios. However, that ease of creation can easily be abused. Threat actors need only run one simple command (which exposes only the unique tunnel token) from the victim’s device to create a discreet communication channel. The attacker has then fully breached the system and can enable the tunnel’s functionality only while conducting activities on the victim’s machine, minimizing the risk of exposure.

It is unlikely that a firewall or other network solutions will flag these actions unless they are specifically configured to do so. Therefore, to detect unauthorized use of Cloudflare Tunnels, organizations should monitor for the specific DNS queries listed in GuidePoint’s report. Security teams can also monitor for the installation of the cloudflared client by looking for file hashes associated with it, which can indicate that unauthorized access has occurred.
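To show what the two detection approaches above look like in practice, here is an added example (not code from the original article, GuidePoint, or Phylum). It scans constructed DNS query log lines for domains that the cloudflared client is known to resolve and counts hits per client host, and it checks a binary's SHA-256 against a list of known cloudflared release hashes. The domain suffixes (`argotunnel.com`, `cfargotunnel.com`, `trycloudflare.com`) are assumed from cloudflared's public documentation rather than taken from the page; GuidePoint's report remains the authoritative indicator list. The hash list starts empty as a placeholder, and the log format is invented for the example.

```python
"""Added example: spot Cloudflare Tunnel indicators in DNS logs and file hashes.

The log lines and hash values below are constructed for this example. The
domain suffixes are assumed from public cloudflared documentation, not from
the article; replace them with the indicators in GuidePoint's report.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Assumed indicator suffixes for cloudflared connectivity (not from the page).
TUNNEL_DOMAIN_SUFFIXES = (
    "argotunnel.com",     # cloudflared's control/data plane endpoints
    "cfargotunnel.com",   # CNAME target for named tunnels
    "trycloudflare.com",  # quick (unauthenticated) tunnels
)

# Placeholder: populate with SHA-256 digests of cloudflared releases you track.
KNOWN_CLOUDFLARED_SHA256 = set()

# Constructed log format: "<date> <time> <client-ip> query <qname>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<client>\d+\.\d+\.\d+\.\d+) query (?P<qname>\S+)$"
)


@dataclass
class DnsAlert:
    ts: str
    client: str
    qname: str
    matched_suffix: str


def matches_tunnel_domain(qname: str) -> Optional[str]:
    """Return the matching suffix, requiring a label boundary so that a name
    like 'notargotunnel.com' does not trigger on 'argotunnel.com'."""
    name = qname.rstrip(".").lower()
    for suffix in TUNNEL_DOMAIN_SUFFIXES:
        if name == suffix or name.endswith("." + suffix):
            return suffix
    return None


def scan_dns_log(lines: Iterable[str]) -> List[DnsAlert]:
    """Parse each log line and emit an alert for tunnel-related queries."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; skip rather than fail the whole scan
        suffix = matches_tunnel_domain(m["qname"])
        if suffix:
            alerts.append(DnsAlert(m["ts"], m["client"], m["qname"], suffix))
    return alerts


def hosts_by_alert_count(alerts: Iterable[DnsAlert]) -> Dict[str, int]:
    """Aggregate alerts per client IP so repeat offenders surface first."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a.client] = counts.get(a.client, 0) + 1
    return counts


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def register_known_hash(hexdigest: str) -> None:
    """Add a cloudflared release hash to the watch list."""
    KNOWN_CLOUDFLARED_SHA256.add(hexdigest.lower())


def is_known_cloudflared(data: bytes) -> bool:
    """True when the file content matches a tracked cloudflared release hash."""
    return sha256_of(data) in KNOWN_CLOUDFLARED_SHA256


# Constructed sample DNS log; the last line is a deliberate near-miss.
SAMPLE_LOG = [
    "2023-08-07 09:12:01 10.0.0.21 query region1.v2.argotunnel.com.",
    "2023-08-07 09:12:02 10.0.0.21 query update.argotunnel.com.",
    "2023-08-07 09:13:10 10.0.0.33 query www.example.com.",
    "2023-08-07 09:14:55 10.0.0.33 query acme-demo.trycloudflare.com.",
    "2023-08-07 09:15:00 10.0.0.40 query notargotunnel.com.",
]

if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_LOG)
    for alert in found:
        print(f"{alert.ts} {alert.client} -> {alert.qname} ({alert.matched_suffix})")
    print("per-host:", hosts_by_alert_count(found))
```

Running the script flags three of the five constructed lines (two from one host, one from another) and leaves the near-miss `notargotunnel.com` alone; in a real deployment the alert list would feed a SIEM rule, and the hash check would run against EDR file-creation events for new executables.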
