Hackers are increasingly abusing Cloudflare WARP to target and hijack cloud services, taking advantage of the VPN’s anonymity to evade detection. The SSWW campaign, a significant cryptojacking effort, has been identified using Cloudflare WARP to gain access to vulnerable Docker containers. By utilizing this VPN, attackers can obscure their real IP addresses and avoid direct connection to Cloudflare’s CDN, making it challenging to trace their origin. This strategy provides them with an additional layer of anonymity, complicating efforts to identify and mitigate the attacks.
The SSWW campaign’s modus operandi involves exploiting Docker containers with elevated permissions to deploy cryptojacking malware. Initial access is gained through Cloudflare WARP, after which attackers set up a Docker container with elevated privileges. The attackers then execute commands within this container, such as stopping competing mining services, disabling security features like SELinux, and installing the XMRig miner for cryptocurrency mining. The malware is designed to avoid detection by hiding its processes and optimizing performance to avoid detection by other security measures.
Researchers have noted that while Cloudflare WARP offers enhanced anonymity for attackers, the IP addresses of these attacks consistently trace back to Cloudflare’s data center in Zagreb, Croatia. This suggests that the attackers are using a scan server located there. Command-and-control (C2) servers, which facilitate the management of the malware, are hosted by a VPS provider in the Netherlands. The use of Cloudflare WARP’s anonymity is particularly effective against systems with overly permissive firewalls that trust all traffic from Cloudflare’s network.
To protect against such attacks, organizations are advised to adopt a comprehensive defense-in-depth strategy. This includes ensuring that SSH services are up to date and employ strong authentication mechanisms. Additionally, it is crucial to avoid exposing Docker containers directly to the internet, even if they are protected by a firewall. Security teams should also configure firewalls to block unauthorized IP ranges and monitor for signs of abnormal activity originating from VPN services like Cloudflare WARP.
Reference:
