WARPscan

| Attribute | Value |
| --- | --- |
| Type of Malware | Exploit Kit |
| Country of Origin | Croatia |
| Targeted Countries | United States |
| Date of initial activity | 2023 |
| Motivation | Financial Gain |
| Attack Vectors | Software Vulnerabilities |
Overview
Cloudflare’s WARP service, designed as a VPN to improve user security and optimize traffic, has been repurposed by malicious actors to hijack cloud services and launch cyberattacks. Routing their connections through WARP lets attackers mask their own IP addresses and reach vulnerable internet-facing services while evading detection. Because the traffic emerges from Cloudflare’s international backbone, it blends in with legitimate activity, which makes WARP a valuable tool for cybercriminals seeking to sidestep conventional IP tracking and firewall defenses.
Targets
Information
How they operate
At the core of the WARPscan attack is the abuse of Cloudflare’s infrastructure, which network administrators often trust because so many legitimate services are delivered through it. Since many organizations whitelist Cloudflare’s IP ranges for business operations, attackers can take advantage of that trust. Rather than arriving as proxied requests through Cloudflare’s Content Delivery Network (CDN), malicious actors use WARP as a client VPN to connect directly to target IP addresses, which gives them control over both the transport and application layers during an attack instead of being limited to what the CDN forwards. This obfuscation complicates identification of the attacker’s true location and origin.
A significant case study, the SSWW cryptojacking campaign, shows how WARP can be used to infiltrate Docker environments. Attackers gained initial access through exposed Docker containers, reaching them via the Cloudflare WARP service. They executed commands inside these containers and eventually deployed malware that hijacked system resources for cryptocurrency mining. The SSWW malware was configured to stop competing miners, disable security measures such as SELinux, and install persistent rootkits that evaded traditional security solutions. By routing through Cloudflare’s WARP, the attackers masked their activity so that the traffic appeared legitimate, further delaying detection and response.
The anonymity afforded by WARP gives cybercriminals an advantage in both cryptojacking and SSH brute-forcing campaigns. Attackers have moved away from well-known, frequently blacklisted Virtual Private Server (VPS) providers toward Cloudflare WARP in order to take advantage of the “clean” IP ranges associated with Cloudflare and bypass common security defenses. These attacks, which have surged in recent years, show a growing reliance on WARP for opportunistic SSH campaigns. Alongside credential brute-forcing, the campaigns target vulnerabilities in exposed services, such as the recently disclosed CVE-2024-6387, using WARP as cover to evade detection.
Whatever their sophistication, these campaigns underscore the danger of administrators and security teams blindly trusting all traffic from Cloudflare’s ASN. Systems configured to allow unrestricted access from Cloudflare IP ranges are exposed to exactly this kind of attack. Organizations should therefore adopt a defense-in-depth approach: services such as SSH must use strong authentication, and firewall rules must be strict enough that they do not grant broad access to Cloudflare’s entire IP range.
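The two preceding points, that a wholesale allowlist of CDN ranges lets direct WARP connections reach services the CDN never needs, and that the fix is to scope firewall rules rather than trust the whole range, can be checked against firewall logs. The following audit script is an added example, not code from the original page or from any vendor; the IP ranges, log format and log lines are constructed placeholders (RFC 5737 documentation addresses), and the nftables rule text it emits assumes the reader's firewall uses nftables. It flags accepted connections from allowlisted ranges to non-CDN ports (SSH on 22, the Docker API on 2375) and prints port-scoped replacement rules.

```python
"""Audit firewall logs for connections that arrived from broadly allowlisted
CDN ranges but went to ports a CDN reverse proxy never needs, then emit
port-scoped replacement rules. Added example; all addresses and log lines
are constructed placeholders, not data from the original page."""
import ipaddress
import re
from collections import Counter

# Constructed stand-ins for ranges an organisation has allowlisted wholesale.
ALLOWLISTED_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# The only ports a CDN legitimately needs to reach on an origin server.
CDN_PORTS = {80, 443}

# Simplified, constructed firewall log format:
#   <timestamp> <ACCEPT|DROP> src=<ip> dport=<port> proto=<tcp|udp>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+src=(?P<src>\S+)\s+"
    r"dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)$"
)

# Constructed sample: one allowlisted host hitting SSH three times, another
# hitting the Docker API once, plus unrelated traffic and an unparseable line.
SAMPLE_LOG = """\
2024-07-01T10:00:01Z ACCEPT src=198.51.100.17 dport=443 proto=tcp
2024-07-01T10:00:02Z ACCEPT src=198.51.100.17 dport=22 proto=tcp
2024-07-01T10:00:03Z ACCEPT src=198.51.100.17 dport=22 proto=tcp
2024-07-01T10:00:04Z ACCEPT src=198.51.100.17 dport=22 proto=tcp
2024-07-01T10:00:05Z ACCEPT src=203.0.113.9 dport=2375 proto=tcp
2024-07-01T10:00:06Z DROP src=192.0.2.44 dport=22 proto=tcp
2024-07-01T10:00:07Z ACCEPT src=192.0.2.45 dport=443 proto=tcp
garbage line that does not parse
"""


def in_allowlist(ip_str):
    """True if the address falls inside any wholesale-allowlisted range."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in ALLOWLISTED_RANGES)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "action": m["action"], "src": m["src"],
            "dport": int(m["dport"]), "proto": m["proto"]}


def audit(log_text):
    """Return {(src, dport): count} for ACCEPTed connections that came from an
    allowlisted CDN range but targeted a port the CDN has no reason to reach."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue
        if in_allowlist(rec["src"]) and rec["dport"] not in CDN_PORTS:
            hits[(rec["src"], rec["dport"])] += 1
    return dict(hits)


def port_scoped_rules(ranges=ALLOWLISTED_RANGES, ports=CDN_PORTS):
    """nftables rules that keep the CDN allowlist but scope it to the ports the
    CDN needs; other traffic from those ranges falls through to the default
    policy instead of being accepted wholesale."""
    port_set = ", ".join(str(p) for p in sorted(ports))
    return [f"ip saddr {net} tcp dport {{ {port_set} }} accept" for net in ranges]


if __name__ == "__main__":
    for (src, dport), n in sorted(audit(SAMPLE_LOG).items()):
        print(f"ALERT: {n} accepted connection(s) from allowlisted {src} to port {dport}")
    print("\nPort-scoped replacement rules:")
    print("\n".join(port_scoped_rules()))
```

Run against the constructed sample, the audit reports three SSH connections from 198.51.100.17 and one Docker API connection from 203.0.113.9, while the 192.0.2.x traffic is ignored because it never benefited from the allowlist. The replacement rules accept the same ranges only on ports 80 and 443, so a direct WARP connection to SSH from those ranges is handled by the default policy like any other source.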
In conclusion, the abuse of Cloudflare WARP to hijack cloud services demonstrates how trusted infrastructure can be turned against the organizations that trust it. The combination of anonymity, trusted IP ranges, and opportunistic exploitation makes this a potent attack method, and organizations need rigorous security practices to mitigate the risks posed by WARPscan campaigns.