[HN Gopher] Threat actor abuses Cloudflare tunnels to deliver re...
___________________________________________________________________
Threat actor abuses Cloudflare tunnels to deliver remote access
trojans
Author : luu
Score : 115 points
Date : 2024-08-01 18:57 UTC (4 hours ago)
(HTM) web link (www.proofpoint.com)
(TXT) w3m dump (www.proofpoint.com)
| dang wrote:
| [stub for offtopicness. title casing software begs forgiveness.]
| LoganDark wrote:
| I thought this was a terrible pun about using tunnels to
| deliver rodents, not delivering remote access trojans. I don't
| know which I would have liked better
| barryrandall wrote:
| Rodent-over-IP would be a fascinating read.
| CamelCaseName wrote:
| Now everyone knows my YC 25 idea
| cedws wrote:
| It would never receive funding, viruses spread too
| quickly.
| chatmasta wrote:
| There's actually a (really superb) Rust library/program for
| creating reverse tunnels over TCP, that's called Rathole
| [0]. We used it [1] at my last startup and were mildly
| worried that one day we'd need to explain to a security
| auditor why we had a dependency called "rathole..."
|
| [0] https://github.com/rapiz1/rathole
|
| [1] https://www.splitgraph.com/jumpstart/tunnel
| teddyh wrote:
| Remote Access Trojans, not rodents.
| mikestew wrote:
| Original title has "RATs", but that seemed to have gotten
| edited/autocorrected away when it got to HN. Because, damn,
| _that's_ a hack I want to read about.
| stavros wrote:
| I was really eager to see how they delivered rodents via
| Cloudflare, but my hopes were dashed.
| robertlagrant wrote:
| This is why we can't have nice things.
| jsheard wrote:
| If history is any indication you can probably keep having the
| nice thing, because CF tends to look the other way when bad
| actors abuse their infrastructure.
| dingnuts wrote:
| oh really? according to who? and for what business purpose?
| jsheard wrote:
| Of the 10 highest ranked "stresser" (DDoS-for-hire)
| services on DuckDuckGo right now, 9 of them are using
| Cloudflare.
|
| jetstress.net - Cloudflare
|
| maxstresser.com - Cloudflare
|
| neostress.cc - Cloudflare
|
| quezstresser.ru - Cloudflare
|
| rawstresser.net - Cloudflare
|
| stresse.net - Cloudflare
|
| stresser.su - Cloudflare
|
| stresser.zone - Cloudflare
|
| stresserst.su - DDoSGuard
|
| sunnystresser.com - Cloudflare
|
| I could keep going but you get the point. This has been
| ongoing for years and they consistently ignore abuse
| reports.
|
| Given that CF's bread and butter is selling DDoS
| mitigation this is a blatant conflict of interest.
| robertlagrant wrote:
| Is the problem that the stressor services don't have
| robust KYC?
| jsheard wrote:
| Legit load testing services like loader.io require you to
| prove you own the site you are targeting, yes.
| "Stressers" let you point their orbital laser at whatever
| you want, they might _say_ it's only meant for use
| against your own servers but that's just an ass-covering
| pretense.
| robertlagrant wrote:
| Sure. But that's what I'm asking. Why blame Cloudflare
| rather than the companies themselves?
| jsheard wrote:
| DDoS providers and other for-profit miscreants are
| incentivized to DDoS each other into oblivion, and
| Cloudflare is the only one of the giant mitigation
| providers who are willing to protect them from their
| competition. There are bulletproof alternatives like
| DDoSGuard but their network is absolutely nowhere near as
| expansive as CF's is, nor is it free to use, nor do they
| have enough legit customers to rule out blocking their
| entire ASN in a corporate firewall to stop phishing
| attacks. CF's share of the blame is for making bad actors'
| lives much easier than they should be.
| duskwuff wrote:
| That would imply that those services have legitimate use
| cases. Most of them don't, and they're well aware of it.
| readyplayernull wrote:
| > Given that CF's bread and butter is selling DDoS
| mitigation this is a blatant conflict of interest.
|
| There is no conflict when the goal is making money.
| They'll be glad to look the other way.
| notamy wrote:
| https://arstechnica.com/security/2024/07/cloudflare-once-
| aga...
| r1ch wrote:
| Search for "stress tester" and almost every ddos-for-hire
| site you find will be protected by Cloudflare.
| dingnuts wrote:
| so report them? this is like complaining that their
| domains are registered by GoDaddy, or their packets are
| delivered through the Internet by hurricane electric, or
| their local power company keeps their lights on
| jsheard wrote:
| From what I've heard, if you send an abuse report to
| Cloudflare they just forward it to the owner of the
| service you are reporting, without redacting any personal
| information you provided, opening you up to reprisal.
| They won't actually do anything unless legally mandated
| to.
| ziddoap wrote:
| > _They won't actually do anything unless legally
| mandated to._
|
| This is a good thing, and pretty refreshing compared to
| the kafka-esque scenarios that Google and others offer
| when shutting down entire businesses based on the whims
| of some blackbox AI detection system or fraudulent DMCA
| notice.
| janc_ wrote:
| The more DDoS there are, the more business CF gets. Take
| your own conclusions...
| twisteriffic wrote:
| Cloudflare has been in front of _every_ phishing site
| targeting my org for the past year. Their response to
| reports is always "we're just a pass through, not our
| problem". The attackers know that CF won't take action
| against them, and that using CF will slow down any
| response or takedown request.
| lovethevoid wrote:
| Unless CF is actually hosting the site, which is rare,
| the most they can do is no longer act as pass through. In
| which case, your problem isn't actually solved, they just
| move to another provider who offers similar.
|
| You instead want to be talking to browser and search
| engine providers and reporting there, as well as your
| government for illegal activities.
| twisteriffic wrote:
| They aren't a passthrough, though. That wouldn't be a
| valuable service. They're providing a service to
| criminals that assists them in fraud, and refusing to
| take any action when notified. It adds hours or days to a
| takedown process. It's like they're standing outside the
| mall handing the bike thieves branded hacksaws.
|
| We've had better luck getting random Moldovan ISPs to
| shut down service than we've had in getting CloudFlare to
| give a damn.
| lovethevoid wrote:
| They are quite literally a MITM passthrough. The example
| you used doesn't make any sense either, it would be more
| like them handing everyone hacksaws and you getting mad
| at them over the fact some people are using them for bad
| things.
|
| Again, get a court order and they'll take action. They
| are legally required to. Random Moldovan ISPs don't
| operate at the scale CF does, no wonder they were faster.
| Probably also easier to bribe as well ;)
| janc_ wrote:
| The fact that they block some people from accessing the
| websites behind their service negates their claims to be
| "just a passthrough"...
| mschuster91 wrote:
| > Unless CF is actually hosting the site, which is rare,
| the most they can do is no longer act as pass through. In
| which case, your problem isn't actually solved, they just
| move to another provider who offers similar.
|
| Well, if at least the Big Five (CF, Akamai, AWS, GCP,
| Azure) could get their shit together and cooperate
| against the bad actors, using netblocks against hostile
| IP ranges (both egress and ingress) could start making
| sense again.
| jonathantf2 wrote:
| I find that the domain registrar takes action more often
| than not (I guess because they're bound to ICANN's
| regulations), then the moment the domain is stopped
| Cloudflare sends an automated e-mail saying that they
| don't host the website because the DNS records stopped
| resolving.
| ozr wrote:
| Good. It should require a court order to take someone
| offline.
| jsheard wrote:
| I think we both know that bad actors can spin up new
| Cloudflare accounts a few orders of magnitude faster than
| the courts can take action against just one.
|
| It's not much of an ask to _at least_ keep DDoS providers
| out, even from a free speech absolutist position it's a
| stretch to say that DDoS should be protected speech.
| lcnPylGDnU4H9OF wrote:
| I think the suggestion in the parent comment leaves room
| for a court order that bars providing service to certain
| individuals/organizations.
| jsheard wrote:
| That would require Cloudflare to have a KYC policy which
| exposes the individual/organization behind an account,
| and they don't do that either.
|
| If DDoS4U gets banned they can just rebrand as DDoS4Less
| and CF is (willingly?) none the wiser that it's the same
| people behind it.
| ensignavenger wrote:
| Malicious actors could spin up new accounts whether or
| not CF bans malicious accounts without a court order.
| Requiring a court order would have no bearing on CF's
| ability to prevent duplicate accounts.
| thefifthsetpin wrote:
| KYC := know your customer
| mozman wrote:
| aka get their real id
| cortesoft wrote:
| That sort of court order would end this entire product
| feature. You can't have accountless tunnels if you have
| to be able to bar specific individuals or organizations.
| lovethevoid wrote:
| DDoS isn't protected by Cloudflare and is already
| illegal, hence the court orders which get them to act.
|
| What you are asking for is KYC to be implemented.
| gnfargbl wrote:
| Is that so unreasonable? If I agree to forward someone's
| mail you would probably expect me to do some basic sanity
| checks in order to establish whether I am likely to be
| forwarding IRS documentation or anthrax. Why does the
| internet always get a pass on established societal norms?
| lovethevoid wrote:
| Depends on whether you're OK with the tradeoffs of KYC, as
| it requires comprehensive identity verification and,
| depending on the service, changes to its structure to
| adhere to a per-person account model.
| scrame wrote:
| court order by who?
| 01HNNWZ0MV43FF wrote:
| I have to provide services to anyone with money?
| xyst wrote:
| Just don't piss off Prince or {current_cf_ceo}, and you
| will be fine [1]
|
| [1] https://www.businessinsider.com/the-daily-stormer-got-
| pushed...
| tonetegeatinst wrote:
| Counter argument and hear me out please.
|
| Just because a few bad actors cause harm shouldn't mean
| everyone should be losing rights and giving up bits of their
| freedom because someone ruined it for everyone else.
|
| Doesn't matter what it is: weapons, or fireworks, or even the
| right to code. Sacrifice of everyone's rights and freedom to
| choose all in the name of reducing the odds of something
| happening seems odd. The very regulation of what someone can
| and can not do, while it might theoretically reduce risk (an
| argument for correlation not causation exists here) can't
| possibly outweigh the fact you're restricting people's free
| will and autonomy. The constant regulation and restriction of
| things in our lives only stifle innovation, act as barriers to
| entry, and force the creativity out of people's lives.
| CodeWriter23 wrote:
| I call it optimizing for the corner cases.
| ASalazarMX wrote:
| Original title was "Threat Actor Abuses Cloudflare Tunnels to
| Deliver Rats", and even if I knew about malware through
| Cloudflare tunnels, it got my hopes too high.
| rolph wrote:
| this reminds me of when those AOL free trial account disks were
| all over the place. in many circles an AOL subdomain would get
| instabanned
| mrinfinitiesx wrote:
| Even the *.ipt.aol.com ban was needed because one AOLer would
| use the HOST.ipt.aol.com rdns to ban evade and ruin it for
| everybody.
|
| Prodigy / CompuServe / Blue Light gang checking in
| PhilipRoman wrote:
| Getting a bit tired of these headlines about malware "delivery"
| via link shorteners or similar. Yeah, guess what - people can
| host files on the internet in various ways, what a shocker.
| tw04 wrote:
| This isn't a link shortener - this is a tunnel so that a user
| sees they're connecting to cloud flare, even though on the
| back-end they are landing somewhere nefarious. The end-
| destination is completely hidden from the end-user (and any
| security stack their corporation may have in place).
|
| I don't think it's unreasonable for people to expect cloudflare
| to be policing their own service for malware when they're
| trying to pitch themselves as a security product.
| marcosdumay wrote:
| That's mildly valid. We can have some expectations for
| Cloudflare, but not that they outright police everybody that
| uses their service.
|
| At the same time, this is exactly some variation of the
| "random people have put malware on random internet locations"
| scare the GP was talking about. If "malware somewhere on the
| internet" is a problem, we have to fix what turns it into a
| problem, because we just won't fix this one.
| compootr wrote:
| > but not that they outright police everybody that uses
| their service.
|
| Same. I think they're getting too big to care, or even to
| attempt to do so.
| ThatMedicIsASpy wrote:
| There must be millions of piracy websites using them.
| Care was never there.
| tempest_ wrote:
| Why should they not be responsible for the things they
| allow on their service?
|
| (note that I don't necessarily agree but that statement is
| loaded)
| valand wrote:
| Whether or not they must filter customers is a matter of law.
|
| However, putting the responsibility to mitigate this
| problem in its entirety is very inefficient and
| ineffective. If Cloudflare would have a team dedicated
| for this effort, bad actors would simply switch
| providers, beating a $200k/year effort with a couple of clicks.
|
| Notice that the malware ultimately takes effect when the
| user executes the file.
|
| This sounds more like an interaction design problem that
| should be solved in the OS level; the OS interface is one
| of the logistical bottlenecks for the malware delivery
| path.
| AnonymousPlanet wrote:
| If certain subdomains keep getting subverted, a valid
| response is to block all those subdomains, in this case
| *.trycloudflare.com. It's like IP ranges of countries that
| don't bother with policing malicious activity.
|
| The consequences for Cloudflare and its legitimate users
| might be anything but mild.
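The subdomain block AnonymousPlanet describes is easy to get subtly wrong: a naive substring match on "trycloudflare.com" also hits look-alike hosts such as "trycloudflare.com.example.net" or "nottrycloudflare.com". The following is an added example, not code from the thread or from the Proofpoint report, showing a DNS-label-aware suffix check run over a few constructed proxy log lines (the log format, the client IPs and the hostnames are all made up for the example; only the trycloudflare.com domain itself comes from the thread).

```python
# Added example (not from the thread or Proofpoint's report): match hostnames
# against a blocklist of abused tunnel domains such as *.trycloudflare.com,
# using DNS-label-aware suffix matching rather than substring search.
from typing import Iterable

# Quick-tunnel domain named in the thread; extend with your own entries.
BLOCKED_SUFFIXES = ("trycloudflare.com",)


def is_blocked_host(host: str, suffixes: Iterable[str] = BLOCKED_SUFFIXES) -> bool:
    """True if host equals a blocked domain or is a subdomain of it.

    The check is label-aware and case-insensitive and tolerates a trailing dot:
    'x.trycloudflare.com' matches, but 'trycloudflare.com.example.net' and
    'nottrycloudflare.com' do not.
    """
    h = host.strip().rstrip(".").lower()
    for s in suffixes:
        s = s.strip().rstrip(".").lower()
        if h == s or h.endswith("." + s):
            return True
    return False


# Constructed sample proxy log (not real traffic): "timestamp client dest:port action".
SAMPLE_PROXY_LOG = """\
2024-08-01T18:57:01Z 10.0.0.12 abc-def-ghi.trycloudflare.com:443 CONNECT
2024-08-01T18:57:02Z 10.0.0.12 www.example.com:443 CONNECT
2024-08-01T18:57:03Z 10.0.0.13 trycloudflare.com.example.net:443 CONNECT
2024-08-01T18:57:04Z 10.0.0.14 nottrycloudflare.com:443 CONNECT
2024-08-01T18:57:05Z 10.0.0.15 TRYCLOUDFLARE.COM.:443 CONNECT
"""


def flag_proxy_log(text: str) -> list[tuple[str, str]]:
    """Return (client, dest_host) pairs whose destination hits the blocklist."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crash the pipeline
        client, dest = parts[1], parts[2]
        host = dest.rsplit(":", 1)[0]  # strip the ":port" suffix
        if is_blocked_host(host):
            hits.append((client, host))
    return hits


if __name__ == "__main__":
    for client, host in flag_proxy_log(SAMPLE_PROXY_LOG):
        print(f"blocked-tunnel destination: {client} -> {host}")
```

Only the first and last sample lines are flagged; the two look-alike hosts pass through, which is the behaviour a plain `"trycloudflare.com" in host` check would get wrong. The same function serves a response-policy zone or proxy deny list equally well, since it only needs the hostname.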
| guizadillas wrote:
| oh no a tunneling service is used for tunneling /s
| paxys wrote:
| How is that different from...any website, storage service or
| hosting provider on the internet?
| taspeotis wrote:
| > and any security stack their corporation may have in place
|
| I mean if the security stack misses that (forgivable) but
| then allows this:
|
| > When executed, it establishes a connection to an external
| file share, typically via WebDAV, to download an LNK or VBS
| file. When executed, the LNK/VBS executes a BAT or CMD file
|
| It fucking sucks.
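The chain quoted above (a script or shortcut fetched from a WebDAV share, which then runs a BAT or CMD file) is the part a security stack can catch regardless of which tunnel fronted the download, because it shows up in process-creation telemetry. The following is an added example, not code from the thread or from the Proofpoint report: it correlates a constructed stream of endpoint events and flags a cmd.exe running a .bat/.cmd either under a script host that loaded a .vbs/.lnk from a WebDAV-style UNC path, or with the batch file itself on such a path (the LNK case, where the shortcut's target is cmd.exe). The event field names, the hostnames and the file names are assumptions made up for the example.

```python
# Added example (not from the thread or Proofpoint's report): correlate
# process-creation events to flag the WebDAV -> LNK/VBS -> BAT/CMD chain.
# Event shape ({pid, ppid, image, cmdline}) and all sample values are assumed.
import re

# WebDAV-style UNC paths look like \\host@SSL\DavWWWRoot\... or \\host@8080\...
WEBDAV_PATH = re.compile(r"\\\\[^\\\s]+@(?:ssl|\d+)\\", re.IGNORECASE)
STAGE1_EXT = re.compile(r"\.(?:lnk|vbs)\b", re.IGNORECASE)
STAGE2_EXT = re.compile(r"\.(?:bat|cmd)\b", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed sample events (not real telemetry), one process creation each.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "wscript.exe",
     "cmdline": r'wscript.exe "\\files.example.test@SSL\DavWWWRoot\invoice.vbs"'},
    {"pid": 300, "ppid": 200, "image": "cmd.exe",
     "cmdline": r'cmd.exe /c "\\files.example.test@SSL\DavWWWRoot\run.bat"'},
    # Benign: a local VBS that runs a local batch file.
    {"pid": 400, "ppid": 100, "image": "wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Desktop\cleanup.vbs"'},
    {"pid": 500, "ppid": 400, "image": "cmd.exe",
     "cmdline": r'cmd.exe /c "C:\tools\cleanup.bat"'},
    # LNK branch: explorer launches the shortcut target directly.
    {"pid": 600, "ppid": 100, "image": "cmd.exe",
     "cmdline": r'cmd.exe /c "\\files.example.test@SSL\DavWWWRoot\x.bat"'},
]


def is_webdav_script(ev: dict) -> bool:
    """Script host started with a .vbs/.lnk argument on a WebDAV UNC path."""
    return (ev["image"].lower() in SCRIPT_HOSTS
            and bool(WEBDAV_PATH.search(ev["cmdline"]))
            and bool(STAGE1_EXT.search(ev["cmdline"])))


def is_batch_launch(ev: dict) -> bool:
    """cmd.exe started with a .bat/.cmd argument."""
    return ev["image"].lower() == "cmd.exe" and bool(STAGE2_EXT.search(ev["cmdline"]))


def detect_webdav_chains(events: list[dict]) -> list[tuple[int, str]]:
    """Return (pid, reason) for every batch launch that fits the chain.

    'webdav-vbs-parent': parent is a script host that loaded a VBS/LNK over WebDAV.
    'bat-from-webdav':   the batch file itself lives on a WebDAV path (LNK branch).
    """
    by_pid = {ev["pid"]: ev for ev in events}
    alerts = []
    for ev in events:
        if not is_batch_launch(ev):
            continue
        parent = by_pid.get(ev["ppid"])  # None if the parent event was never seen
        if parent is not None and is_webdav_script(parent):
            alerts.append((ev["pid"], "webdav-vbs-parent"))
        elif WEBDAV_PATH.search(ev["cmdline"]):
            alerts.append((ev["pid"], "bat-from-webdav"))
    return alerts


if __name__ == "__main__":
    for pid, reason in detect_webdav_chains(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

The local VBS-to-BAT pair (pids 400 and 500) is deliberately left unflagged: the signal is the WebDAV origin, not scripting itself, which keeps the rule from drowning a SOC in admin-script noise. In a real deployment the parent lookup should tolerate missing parent events, which is why a batch file on a WebDAV path is flagged on its own as well.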
| willcipriano wrote:
| > user sees they're connecting to cloud flare
|
| I see I am connecting to Comcast, it says so right on my modem.
| valand wrote:
| At this point --- and speaking for non-power-users --- this
| should be an OS interaction design problem.
|
| Framing cloudflare as the enabler is missing the bigger
| picture.
|
| I remember back in the day I needed to turn off autoplay on
| Windows to not get accidentally infected by malicious drives.
|
| No one was insane enough to blame the CD-RW and flash drive
| manufacturers.
| xyst wrote:
| I wonder if those dreaded endpoint security programs (ie,
| ClownStrike) would have picked up on this type of attack.
|
| I guess this type of traffic would only get flagged if attackers
| were skids (ie, re-using known RATs)
| aio2 wrote:
| Clownstrike goes crazy
| lemax wrote:
| Isn't this what happens to every free quick tunnel product? Was
| kinda just waiting for this to play out. ngrok had nice zero
| friction tunneling when it came out but then they had to put
| everything behind a sign-up flow due to the same sort of abuse.
___________________________________________________________________
(page generated 2024-08-01 23:00 UTC)