Threat actors have been discovered exploiting Cloudflare Tunnels to establish covert communication pathways from compromised systems, enabling them to maintain undetected access. Cloudflare Tunnels, known as cloudflared, function similarly to ngrok but offer greater usability, including TCP connectivity.
Researchers found that these tunnels, initially designed for securing connections between origin web servers and Cloudflare data centers, are being misused to hide web server IP addresses and thwart DDoS and brute-force attacks. This misuse provides an advantageous approach for threat actors to create footholds and execute covert activities on victim machines.
By leveraging the Cloudflare Dashboard, threat actors can enable and disable tunnel functionality as needed, allowing them to conduct operations on compromised hosts while minimizing exposure of their infrastructure.
For instance, remote desktop protocol (RDP) connectivity could be enabled temporarily to gather information from a victim machine before being disabled to evade detection. This technique also permits threat actors to exploit the tunnel’s Private Networks feature, gaining unauthorized access to a range of IP addresses within a local network.
Evidence of this technique’s deployment has surfaced, with cases of attackers downloading cloudflared as part of software supply chain attacks. Security experts suggest legitimate organizations could restrict Cloudflare services to specific data centers to help detect unauthorized tunneling.
To identify potential abuse of cloudflared, organizations are advised to implement comprehensive logging mechanisms that monitor for unusual commands, DNS queries, and outbound connections. Additionally, blocking attempts to download the executable can mitigate the risk associated with this emerging threat.