Carding
Professional
Researchers from GuidePoint gave good recommendations to protect yourself from the new threat.
Hackers are increasingly abusing the legitimate Cloudflare Tunnels feature to create stealthy HTTPS connections from infected devices, bypass firewalls, and gain a long-term foothold in the system.
Cloudflare Tunnels is a popular feature of Cloudflare that allows you to create secure outbound connections to the Cloudflare network for web servers or applications.
The loophole exploited by cybercriminals is not entirely new. In January of this year, we already reported that attackers created malicious PyPI packages that use Cloudflare Tunnels to secretly steal data or remotely access devices.
However, it seems that more and more hackers have started using this tactic. Last week, experts from GuidePoint noted a surge in such activity.
Cloudflare users can deploy a tunnel simply by installing one of the available Cloudflared clients for Linux, Windows, macOS, and Docker. Then the service gets Internet access at the host specified by the user for legitimate use cases, such as resource sharing, testing, etc.
Cloudflare Tunnels provide a wide range of access control tools, gateway configuration, team management, and user analytics, giving you a high degree of control over the tunnel and the services provided.
GuidePoint researchers report that more and more attackers are using Cloudflare Tunnels for criminal purposes: to gain covert, persistent access to the victim's network, bypass detection, and exfiltrate data from infected devices.
To do this, a single command run on the victim's device is sufficient, and that command contains nothing but the attacker's unique tunnel token. At the same time, the attacker can change the tunnel configuration in real time, disabling and enabling it as needed.
"The tunnel is updated as soon as a configuration change is made to the Cloudflare dashboard, allowing attackers to enable functionality only when they need to perform actions on the victim's machine, and then disable it to avoid detection of their infrastructure," GuidePoint explains.
Since the HTTPS connection and data exchange takes place via the QUIC protocol on port 7844, it is unlikely that firewalls or other network security tools will detect this process unless they have been configured specifically for this purpose.
Moreover, if an attacker wants to be even more secretive, they can abuse the "Try Cloudflare" feature, which allows you to create one-time tunnels without registering an account.
However, this is not the limit of the hackers' capabilities. GuidePoint noted that it is also possible to abuse the "Private Networks" function, so that an attacker who has established a tunnel to one (infected) client device can thus gain remote access to the entire range of internal IP addresses.
To detect unauthorized use of Cloudflare Tunnels, GuidePoint researchers recommend tracking specific DNS queries (listed in the report) and monitoring for non-standard ports such as 7844.
In addition, since Cloudflare Tunnel requires the installation of a separate Cloudflared client, defenders can detect it by monitoring file hashes associated with client releases.
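The three detection angles above (DNS queries, the 7844 port, and client file hashes) can be turned into a small triage script. The following is an added example, not code from the post or from GuidePoint; the DNS suffixes are an assumption based on the domains the cloudflared client is known to resolve (the post says the report's own list is in the report, which is not reproduced here), the log line format is constructed for this example, and the release hash set is a placeholder to be filled from the cloudflared release hashes you decide to alert on.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# ASSUMED indicators: DNS suffixes the cloudflared client resolves when it connects
# to the edge. These are not the GuidePoint report's list; tune them for your estate.
TUNNEL_DNS_SUFFIXES = (
    ".argotunnel.com",     # tunnel edge endpoints (e.g. region1.v2.argotunnel.com)
    ".trycloudflare.com",  # "Try Cloudflare" one-time tunnels, no account needed
)
TUNNEL_PORT = 7844  # edge port used by cloudflared (QUIC over UDP, http2 fallback over TCP)

# PLACEHOLDER: fill with SHA-256 hashes of the cloudflared release binaries you track.
CLOUDFLARED_RELEASE_SHA256: Set[str] = {"<sha256-of-cloudflared-release-placeholder>"}

# Constructed log formats for this example (one DNS line style, one connection line style).
DNS_LINE = re.compile(r"^(?P<ts>\S+) dns client=(?P<client>\S+) qname=(?P<qname>\S+)$")
CONN_LINE = re.compile(
    r"^(?P<ts>\S+) conn src=(?P<src>\S+) dst=(?P<dst>\S+):(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


@dataclass
class Finding:
    kind: str    # "tunnel-dns" or "tunnel-port"
    host: str    # internal host that should be triaged
    detail: str  # what was observed


def check_dns(qname: str) -> bool:
    """True if the queried name is under one of the assumed tunnel DNS suffixes."""
    q = qname.lower().rstrip(".")
    return any(q.endswith(s) or q == s.lstrip(".") for s in TUNNEL_DNS_SUFFIXES)


def check_conn(dport: str, proto: str) -> bool:
    """True for outbound connections to the cloudflared edge port over UDP (QUIC) or TCP."""
    return int(dport) == TUNNEL_PORT and proto.lower() in ("udp", "tcp")


def scan_log(lines: Iterable[str]) -> List[Finding]:
    """Run both network checks over log lines and collect findings in order."""
    findings: List[Finding] = []
    for line in lines:
        m = DNS_LINE.match(line)
        if m and check_dns(m["qname"]):
            findings.append(Finding("tunnel-dns", m["client"], m["qname"]))
            continue
        m = CONN_LINE.match(line)
        if m and check_conn(m["dport"], m["proto"]):
            findings.append(Finding("tunnel-port", m["src"], f"{m['dst']}:{m['dport']}/{m['proto']}"))
    return findings


def hosts_to_triage(findings: List[Finding]) -> List[str]:
    """Distinct internal hosts that produced at least one finding, sorted."""
    return sorted({f.host for f in findings})


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_cloudflared_release(data: bytes, known: Set[str] = CLOUDFLARED_RELEASE_SHA256) -> bool:
    """File-hash check: True if the file's SHA-256 is one of the tracked client release hashes."""
    return sha256_hex(data) in known


# Constructed sample log: two hosts show tunnel indicators, one host is benign.
SAMPLE_LOG = [
    "T+00 dns client=10.0.0.23 qname=region1.v2.argotunnel.com",
    "T+01 conn src=10.0.0.23 dst=198.51.100.10:7844 proto=udp",
    "T+02 dns client=10.0.0.44 qname=www.example.com",
    "T+03 conn src=10.0.0.44 dst=203.0.113.5:443 proto=tcp",
    "T+04 dns client=10.0.0.51 qname=api.trycloudflare.com",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.kind:12} host={f.host:12} {f.detail}")
    print("triage:", hosts_to_triage(scan_log(SAMPLE_LOG)))
```

The DNS and port checks are independent on purpose: a host that resolves a tunnel edge name but never reaches port 7844 (or the reverse, if DNS is resolved elsewhere) still produces a finding, and the hash check covers the case where a renamed cloudflared binary has been dropped but not yet run.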