Skip to content

Threat Actors Abuse Cloudflare Tunnel for Persistent Access, Data Theft

Posted by:
< 1 min read

August 4, 2023 – Published on SecurityWeek

Threat actors have been observed abusing an open source tool named Cloudflared to maintain persistent access to compromised systems and to steal information without being detected, cybersecurity firm GuidePoint Security reports.

Cloudflared is a command-line client for Cloudflare Tunnel, a tunneling daemon for proxying traffic between the Cloudflare network and the user’s origin. The tool creates an outbound connection over HTTPS, with the connection’s settings manageable via the Cloudflare Zero Trust dashboard.

Through Cloudflared, services such as SSH, RDP, SMB, and others are directly accessible from outside, without having to modify firewall rules.

For threat actors, this represents a great opportunity to maintain access to a victim’s environment without exposing themselves. However, the attacker does need access to the target system to execute Cloudflared and establish the connection.

“Since the Cloudflared execution only requires the token associated with the tunnel they’ve created, the [attacker] can initiate these commands without exposing any of their configurations on the victim machine prior to a successful tunnel connection,” GuidePoint explains.

Read More HERE.

Categories: Incident Response & Threat Intelligence News Threat Advisory
Tags:GRIT

GuidePoint Security

DFIR & Threat Intelligence Practice
Bryan Orme, Principal and Partner at GuidePoint Security, presents an overview of our DFIR & Threat Intelligence Practice Practice.
Watch Now

Related Articles

View All

  • Incident Response & Threat Intelligence
DFIR & Threat Intelligence Practice
Read More < 1 min read
How to Effectively Use Threat Intelligence to Drive Better Security Outcomes
Posted by: GuidePoint Security
Read More < 1 min read
  • Incident Response & Threat Intelligence
Threat Intelligence Advisory Services
Read More < 1 min read