Cloudflare Tunnel provides you with a secure way to connect your resources to Cloudflare without a publicly routable IP address. Cybercriminals are increasingly using this service to keep their activities from being detected.
Cloudflare Tunnel, also known by its executable name, Cloudflared, reaches out to the Cloudflare Edge Servers by creating an outbound connection over HTTPS(HTTP2/QUIC), where the tunnel’s controller makes services or private networks accessible via Cloudflare console configuration changes. It’s used to allow external sources to directly access important services, including SSH (Secure Shell), RDP (Remote Desktop Protocol), SMB (server Message Block), and others.
Researchers have found that cybercriminals are shifting from using ngrok to Cloudflare Tunnel probably because it provides a lot more usability for free. It allows an attacker to execute a single command from a victim machine to establish a foothold and conduct further operations once they have achieved a foothold.
Once the tunnel is established, Cloudflared obtains the configuration and keeps it in the running process. All the victim will be able to find when the discreet communication channel is discovered is a unique tunnel token which will make them none the wiser. The attacker however is able to easily modify the tunnel configuration on the fly.
Since this tool is a legitimate binary which is supported on every major operating system, and the initial connection is initiated through an outbound HTTPS connection to Cloudflare-owned infrastructure, this method might prove to become even more popular among cybercriminals. It provides them with a tool to establish persistence when they need it, and to then turn it off when they don’t, in order to avoid being found out.
Because of the HTTPS connection and the port the data exchange takes place on (QUIC on port 7844), it is unlikely to be picked up by protection software like firewalls unless specifically instructed to do so.
As if that wasn’t worrying enough, the researchers found that they could abuse Cloudflare's 'Private Networks' feature to access an entire range of internal IP addresses remotely once they established a tunnel to a single client (victim).
Mitigation
The researchers note that on the victim machine, RDP and SMB need to be enabled before attempting to connect. So, if you don’t need those, this is another good reason to disable them.
To detect unauthorized use of Cloudflare Tunnels, the researchers recommend that organizations monitor for specific DNS queries (as shared in the report) and use non-standard ports like 7844.
Other, more general recommendations are:
- Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
- Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
- Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
- Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
- Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
- Don’t get attacked twice. Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.
Malwarebytes EDR and MDR remove all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.