Cloudflare Tunnels are being used to breach networks

By Nick Heyman On Aug 8, 2023

A hacking method that involves abusing a legitimate Cloudflare feature to steal people’s data and persist on compromised endpoints is gaining popularity, a report published by cybersecurity researchers from GuidePoint.

The feature being abused is called Cloudflare Tunnels, which allow users to create secure, outbound-only connections to the Cloudflare network for web servers and applications. The setup is simple, and the configuration is extensive, as users get plenty of access controls, gateway configurations, team management, and user analytics.

Once set up, the tunnel become exposed to the internet and can be used for different things such as sharing resources and similar.

Picking up steam

Cloudflare Tunnels are available on Linux, Windows, macOS and Docker, and users can start using it by simply installing one of the available cloudflared clients.

However, in January 2023, cybersecurity researchers from Phylum discovered some hackers creating malicious PyPI packages that used the tool to steal data or access endpoints, remotely and under the radar. All it takes is one command from the victim endpoint to create a discreet communication channel over which the attacker has full control.

Now, GuidePoint argues that there’s been a significant uptick in the use of this technique for data exfiltration and to establish persistence on target devices.

“The tunnel updates as soon as the configuration change is made in the Cloudflare Dashboard, allowing TAs to enable functionality only when they want to conduct activities on the victim machine, then disable functionality to prevent exposure of their infrastructure,” the researchers said. “For example, the TA could enable RDP connectivity, collect information from the victim machine, then disable RDP until the following day, thus lowering the chance of detection or the ability to observe the domain utilized to establish the connection.”

The researchers say the best way to spot hackers abusing Cloudflare tunnels is to keep an eye out for specific DNS queries shared in the report, and use non-standard ports. Also, given that Cloudflare Tunnel needs the cloudflared client, IT teams can detect its use by keeping track of file hashes associated with client releases.

Via: BleepingComputer

For all the latest Technology News Click Here

For the latest news and updates, follow us on Google News.

Read original article here

Denial of responsibility! TheDailyCheck is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected] The content will be deleted within 24 hours.