From compromised devices, hackers are actively exploiting the Tunnels for the following purposes:
- Stealthy HTTPS connections
- Bypass firewalls
- Maintain long-term persistence
GuidePoint’s DFIR and GRIT teams have handled recent engagements in which attackers used Cloudflare Tunnel.
Cloudflare Tunnel establishes outbound HTTPS connections to Cloudflare’s edge servers, and the services exposed through it are controlled by configuration changes.
Beyond this, external access to the following services can be enabled through Cloudflare’s Zero Trust dashboard:
- SSH
- RDP
- SMB
Exploitation of Cloudflare Tunnels
Cloudflare Tunnels provide secure outbound connections from web servers or apps to Cloudflare; the tunnel is established by installing the Cloudflare client, which is available for the following platforms:
- Linux
- Windows
- macOS
- Docker
Here below we have mentioned all the services that are provided by the Cloudflare Tunnels:
- Access control
- Gateway setups
- Analytics
- Team management
Together, these capabilities give the user a high degree of control over the exposed services. A single command run on the victim’s device with the attacker’s tunnel token sets up the covert channel, and the attacker can then change its configuration in real time.
Tunnel Configuration (Source – Guide Point Security)
Tunnel updates follow Dashboard configuration changes, enabling threat actors to control functionality activation and deactivation.
Threat actors can enable RDP for data collection, then disable it to evade detection and domain observation.
Because the HTTPS connection and data exchange run over QUIC on port 7844, they evade detection by default firewall rules.
Attackers can also abuse Cloudflare’s ‘TryCloudflare’ feature to create one-time tunnels without registering an account, which is an even stealthier approach.
SMB Connection from Attacker to Victim (Source – Guide Point Security)
Cloudflare Tunnels exploitation steps
Attackers follow three steps to carry out their malicious actions through Cloudflared.
Here below, we have mentioned the Tunnels exploitation steps:
- Generate a token by creating a tunnel on the victim machine.
- Obtain the access needed to run the executable.
- Connect a client to the tunnel to gain access to the victim.
Recommendation
GuidePoint researchers advised organizations to monitor for unauthorized Tunnel use by tracking the specific DNS queries that cloudflared makes and by watching for traffic on non-standard ports, such as 7844.
Additionally, Tunnel use can be detected by monitoring for the file hashes of ‘cloudflared’ client releases, since the client must be installed on the host.
Legitimate users can restrict their tunnels to chosen data centers, so that any cloudflared tunnel connecting to another destination can be flagged; this approach aids tunnel detection.
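As an added example (not from the article and not GuidePoint’s own tooling), the Python script below applies the first two recommendations to log data: it flags hosts that resolve cloudflared tunnel domains and hosts that open outbound connections on port 7844, then groups the hits per host so that a host showing both signals stands out. The domain suffixes argotunnel.com and trycloudflare.com are an assumption taken from Cloudflare’s published connectivity documentation for cloudflared; the article itself names no domains. The log format, hostnames and addresses are constructed for the example.

```python
"""Flag indicators of unauthorised cloudflared tunnel use in DNS and
connection logs (added example; sample data is constructed)."""
import re
from dataclasses import dataclass

# Domains cloudflared resolves to build a tunnel. Assumption: taken from
# Cloudflare's published connectivity requirements, not from the article.
TUNNEL_DOMAIN_SUFFIXES = (".argotunnel.com", ".trycloudflare.com")

# Port named in the article: cloudflared's QUIC/HTTPS edge port.
TUNNEL_PORT = 7844

# Constructed sample log lines. Two record kinds, both space separated:
#   <timestamp> dns  <src_host> <queried_name>
#   <timestamp> conn <src_host> <dst_ip>:<dst_port>/<proto>
SAMPLE_LOGS = """\
2023-08-04T10:00:01Z dns ws-17 region1.v2.argotunnel.com
2023-08-04T10:00:01Z conn ws-17 198.51.100.7:7844/udp
2023-08-04T10:00:05Z dns ws-22 www.example.com
2023-08-04T10:00:09Z conn ws-22 203.0.113.9:443/tcp
2023-08-04T10:01:13Z dns ws-31 rapid-demo-name.trycloudflare.com
2023-08-04T10:02:44Z conn ws-40 198.51.100.8:7844/tcp
"""

CONN_RE = re.compile(r"(?P<ip>\S+):(?P<port>\d+)/(?P<proto>tcp|udp)")


@dataclass(frozen=True)
class Finding:
    host: str       # source host that produced the record
    indicator: str  # "dns" (tunnel domain lookup) or "port" (7844 connection)
    detail: str     # the queried name or the destination socket


def parse_line(line):
    """Split one log record into (timestamp, kind, host, target); None if malformed."""
    parts = line.split()
    if len(parts) != 4 or parts[1] not in ("dns", "conn"):
        return None
    return tuple(parts)


def find_tunnel_indicators(log_text, allowlisted_hosts=frozenset()):
    """Return a Finding for every record matching a tunnel indicator.

    allowlisted_hosts: hosts that are permitted to run cloudflared (for
    example a sanctioned bastion); their records are skipped entirely.
    """
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        _, kind, host, target = parsed
        if host in allowlisted_hosts:
            continue
        if kind == "dns" and target.lower().endswith(TUNNEL_DOMAIN_SUFFIXES):
            findings.append(Finding(host, "dns", target))
        elif kind == "conn":
            m = CONN_RE.fullmatch(target)
            if m and int(m.group("port")) == TUNNEL_PORT:
                findings.append(Finding(host, "port", target))
    return findings


def summarize(findings):
    """Map host -> sorted list of indicator kinds seen for that host.

    A host with both "dns" and "port" is the strongest signal: it resolved a
    tunnel domain and then spoke to the edge on the tunnel port.
    """
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.indicator)
    return {host: sorted(kinds) for host, kinds in by_host.items()}


if __name__ == "__main__":
    for host, kinds in summarize(find_tunnel_indicators(SAMPLE_LOGS)).items():
        print(f"{host}: {', '.join(kinds)}")
```

On the constructed sample, ws-17 is reported with both indicators, ws-31 with only the DNS indicator (a TryCloudflare lookup, which the article notes needs no account) and ws-40 with only the port indicator; ws-22, which only visited ordinary HTTPS sites, is not reported. Passing a host in `allowlisted_hosts` suppresses its records, which is how a sanctioned cloudflared deployment would be excluded from the alert.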