https://www.securityweek.com/threat-actors-abuse-cloudflare-tunnel-for-persistent-access-data-theft/
Malware & Threats

Threat Actors Abuse Cloudflare Tunnel for Persistent Access, Data Theft

Threat actors have been observed abusing the open source Cloudflare Tunnel tool Cloudflared to maintain stealthy, persistent access to compromised systems.

By Ionut Arghire, August 4, 2023

Threat actors have been observed abusing an open source tool named Cloudflared to maintain persistent access to compromised systems and to steal information without being detected, cybersecurity firm GuidePoint Security reports.

Cloudflared is a command-line client for Cloudflare Tunnel, a tunneling daemon for proxying traffic between the Cloudflare network and the user's origin. The tool creates an outbound connection over HTTPS, with the connection's settings manageable via the Cloudflare Zero Trust dashboard.

Through Cloudflared, services such as SSH, RDP, SMB, and others are directly accessible from outside, without having to modify firewall rules. For threat actors, this represents a great opportunity to maintain access to a victim's environment without exposing themselves.
However, the attacker does need access to the target system to execute Cloudflared and establish the connection.

"Since the Cloudflared execution only requires the token associated with the tunnel they've created, the [attacker] can initiate these commands without exposing any of their configurations on the victim machine prior to a successful tunnel connection," GuidePoint explains.

Once the tunnel has been established, Cloudflared keeps the configuration in the running process, which allows the attacker to make changes on the fly. All the attacker needs is for RDP and SMB to be enabled on the victim machine.

"From the victim machine perspective, the configurations are pulled at the initiation of the connection, and whenever there's a change made to the Cloudflare Tunnel config. The tunnel updates as soon as the configuration change is made in the Cloudflare Dashboard," GuidePoint notes.

This allows attackers to enable the required functionality only when they want to perform operations on the victim machine, then disable it to prevent detection.

Given that Cloudflared is a legitimate tool supported on major operating systems and that it establishes outbound connections to the Cloudflare infrastructure, most network defenses will allow the traffic. It also allows attackers to maintain access to the victim network without exposing their infrastructure, except for the token assigned to their tunnel.

To successfully use Cloudflared, the attacker needs to create a tunnel to generate the required token, needs access to the victim system to run the tool, and needs "to connect to the Cloudflared tunnel as a client to access the victim machine", GuidePoint explains.
The cybersecurity firm also points out that attackers could use a tunnel configuration feature called Private Networks to gain access to the local network as if they were "physically collocated with the victim machine hosting the tunnel", and interact with any device on the network.

The main issue with the malicious use of Cloudflared, GuidePoint says, is that the tool does not store logs, so the activity can only be viewed in real time, and only if an administrator has access to the process in a command prompt or terminal.

If the command used to establish a tunnel has been observed, security teams could re-run it to identify existing Public Hostname configurations, but this temporarily exposes the host running the command to the attackers, who may take steps to protect themselves.

However, because Cloudflared does make specific queries, network defenders may look for those to identify the unexpected or unauthorized use of this tool.

"Organizations using Cloudflare services legitimately could potentially limit their services to specific data centers and generate detections for traffic like Cloudflared tunnels that route to anywhere except their specified data centers. This method might aid in the detection of unauthorized tunnels," GuidePoint notes.

Written by Ionut Arghire, an international correspondent for SecurityWeek.
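The detection approach GuidePoint describes above, as an added example that is not part of the original article or of GuidePoint's research: an organization keeps an inventory of hosts approved to run Cloudflared and of the tunnel destinations its legitimate tunnels are allowed to use, then flags any Cloudflared execution or egress that falls outside both. The key=value telemetry format, host names and destination names are constructed for the example and are not real indicators.

```python
import re

# Constructed sample telemetry (not real logs): process-start ("proc") and
# outbound-connection ("net") events in a simple key=value-per-token format.
SAMPLE_EVENTS = [
    "type=proc host=fileserver01 image=C:\\tools\\cloudflared.exe",
    "type=proc host=approved-edge01 image=/usr/bin/cloudflared",
    "type=net host=approved-edge01 image=/usr/bin/cloudflared dst=tunnel-dc-a.example.invalid",
    "type=net host=fileserver01 image=C:\\tools\\cloudflared.exe dst=tunnel-dc-z.example.invalid",
    "type=net host=workstation17 image=chrome.exe dst=www.example.invalid",
]

# Hypothetical organizational policy: only these hosts may run the tunnel
# client, and legitimate tunnels only ever route to these destinations.
APPROVED_TUNNEL_HOSTS = {"approved-edge01"}
APPROVED_TUNNEL_DESTINATIONS = {"tunnel-dc-a.example.invalid"}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Split one telemetry line into a dict of its key=value tokens."""
    return dict(KV_RE.findall(line))


def is_cloudflared(image: str) -> bool:
    """True if the executable name is the Cloudflared client, on any OS path."""
    name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name in {"cloudflared", "cloudflared.exe"}


def find_unauthorized_tunnels(lines, approved_hosts, approved_destinations):
    """Return (host, reason) findings for Cloudflared activity outside policy.

    A finding is raised when the client runs on a host not approved for
    tunnels, or when its network egress goes to a destination outside the
    organization's specified set (the GuidePoint suggestion).
    """
    findings = []
    for line in lines:
        ev = parse_event(line)
        if not is_cloudflared(ev.get("image", "")):
            continue  # unrelated process; nothing to check
        host = ev.get("host", "?")
        if host not in approved_hosts:
            findings.append((host, "cloudflared running on a host not approved for tunnels"))
        if ev.get("type") == "net" and ev.get("dst") not in approved_destinations:
            findings.append((host, f"tunnel traffic to unapproved destination {ev.get('dst')}"))
    return findings


if __name__ == "__main__":
    for host, reason in find_unauthorized_tunnels(
        SAMPLE_EVENTS, APPROVED_TUNNEL_HOSTS, APPROVED_TUNNEL_DESTINATIONS
    ):
        print(f"ALERT {host}: {reason}")
```

Because Cloudflared itself keeps no local logs, the inputs here have to come from host process telemetry and network egress logs rather than from the tool.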