Cloudflare Tunnels are actively being abused to breach networks: reports now making the rounds say that a benign tool is being turned into a data-theft channel simply by misusing Cloudflare Tunnels.
Cloudflare Tunnels Breach Networks
A new intrusion method that uses legitimate Cloudflare features to steal user data and to persist on compromised endpoints is gaining traction, according to a recent report published by a team of cybersecurity researchers at GuidePoint.
The feature being abused is Cloudflare Tunnels, which lets users create secure, outbound-only connections from web servers and applications to the Cloudflare network. Setup is simple, while the configuration options are extensive: users get granular access controls, gateway configurations, team management, and even user analytics.
Once a tunnel is set up, it is exposed to the internet and can be used for purposes such as sharing internal resources with remote users.
Availability of Cloudflare Tunnels
Cloudflare Tunnels are available on Windows, Linux, Docker, and macOS, and users can start using them simply by installing one of the available Cloudflare clients.
However, back in January 2023, cybersecurity researchers from Phylum discovered attackers creating malicious PyPI packages that used the tool to steal data or gain remote, under-the-radar access to endpoints. All it takes is a single command on the victim's endpoint to create a discreet communication channel over which the attacker then has full control.
What Researchers and IT Teams Have To Say About the New Development
GuidePoint now reports a significant uptick in the use of this technique both to exfiltrate data and to establish persistence on targeted devices.
“The tunnel updates as soon as the configuration change is made in the Cloudflare Dashboard, allowing TAs to enable functionality only when they want to conduct activities on the victim machine, then disable functionality to prevent exposure of their infrastructure,” the researchers reportedly stated. “For example, the TA could enable RDP connectivity, collect information from the victim machine, then disable RDP until the following day, thus lowering the chance of detection or the ability to observe the domain utilized to establish the connection.”
The Best Way to Spot Hackers Abusing Cloudflare Tunnels
The researchers state that the best way to spot attackers abusing Cloudflare Tunnels is to watch for the specific DNS queries shared in the report and for the use of non-standard ports. Also, because Cloudflare Tunnel requires the Cloudflare client, IT teams can detect its presence by tracking the file hashes associated with the client's releases.
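A detection sketch for the three indicators above, added here as an example and not taken from the GuidePoint report or this article: it runs over constructed log lines in an assumed `<timestamp> <host> dns query <name>` / `<timestamp> <host> conn <ip>:<port>` format, matches queries against a domain watchlist (a placeholder suffix stands in for the DNS names the report lists), flags outbound connections to ports outside an allowlist, and compares a file's SHA-256 against a set of known client-release digests (also a placeholder).

```python
import hashlib
import re

# Placeholder: replace with the DNS names listed in the GuidePoint report
# (this page does not reproduce them, so none are hard-coded here).
TUNNEL_DOMAIN_SUFFIXES = ("tunnel-edge.example",)
# Ports an endpoint is normally expected to talk to; anything else is "non-standard".
STANDARD_PORTS = {53, 80, 443}
# Placeholder: SHA-256 digests of official tunnel-client releases, to be taken
# from the vendor's release page. Empty here, so nothing matches by default.
KNOWN_CLIENT_SHA256 = set()

DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) dns query (?P<qname>\S+)$")
CONN_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) conn (?P<dst>[\d.]+):(?P<port>\d+)$")

def flag_dns_query(line):
    """Return (host, qname) if the query is for a watchlisted domain, else None."""
    m = DNS_RE.match(line)
    if not m:
        return None
    qname = m.group("qname").rstrip(".").lower()  # strip trailing dot, normalise case
    if any(qname == s or qname.endswith("." + s) for s in TUNNEL_DOMAIN_SUFFIXES):
        return (m.group("host"), qname)
    return None

def flag_nonstandard_port(line):
    """Return (host, dst, port) for an outbound connection to a non-allowlisted port."""
    m = CONN_RE.match(line)
    if not m:
        return None
    port = int(m.group("port"))
    return (m.group("host"), m.group("dst"), port) if port not in STANDARD_PORTS else None

def scan_logs(lines):
    """Apply both rules to every line; returns a list of (rule, details) findings."""
    findings = []
    for line in lines:
        for rule, detector in (("tunnel-dns", flag_dns_query),
                               ("nonstandard-port", flag_nonstandard_port)):
            hit = detector(line)
            if hit:
                findings.append((rule, hit))
    return findings

def sha256_of(data):
    """Hex SHA-256 of a file's bytes (read the candidate binary and pass its bytes)."""
    return hashlib.sha256(data).hexdigest()

def is_known_client(data, known=KNOWN_CLIENT_SHA256):
    """True if the bytes hash to a known tunnel-client release digest."""
    return sha256_of(data) in known

# Constructed sample log lines: one benign query, one watchlisted query,
# one HTTPS connection, and one connection to a non-standard port.
SAMPLE_LOGS = [
    "2024-01-01T09:00:01Z ws42 dns query www.example.com.",
    "2024-01-01T09:00:02Z ws42 dns query region1.tunnel-edge.example.",
    "2024-01-01T09:00:03Z ws42 conn 203.0.113.10:443",
    "2024-01-01T09:00:04Z ws42 conn 203.0.113.10:2222",
]
```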