Threat Actors Are Abusing Cloudflare Tunnel in New Effort to Use Legitimate Tools for Attacks

Nic Finn, Senior Threat Intel Consultant at GuidePoint Security, released new research, which you can read here, identifying a new legitimate tool that threat actors are using to execute attacks – Cloudflare Tunnel, also known by its executable name, Cloudflared.

Background: Cloudflared is functionally very similar to ngrok, an ingress-as-a-service tool that’s been used by Threat Actors for quite some time now. However, Cloudflared differs from ngrok in that it provides a lot more usability for free, including the ability to host TCP connectivity over Cloudflared. Additionally, Cloudflared provides the full suite of Access controls, Gateway configurations, Team Management, and User Analytics.

Why this Matters: This tool is a legitimate binary, supported on every major operating system, and the initial connection is initiated through an outbound HTTPS connection to Cloudflare-owned infrastructure, followed by data exchanged to tunnel connections over QUIC on port 7844. This means that most firewalls or network-based defenses will allow this traffic, as most firewall rules are far more relaxed toward outbound connections. Before a connection succeeds, threat actors expose nothing to anyone but Cloudflare, apart from the token assigned to their tunnel, and their ability to modify the configuration of the tunnel in real time means post-breach analysis is severely limited if the TA covers their tracks.
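The two observables named above, the Cloudflared executable name and outbound traffic to port 7844, are enough to build a first-pass hunt over connection telemetry. The script below is an added example written for this summary; it is not code from GuidePoint or Cloudflare. The key=value log format, the field names (host, proc, proto, dport, dst, dir) and the sample lines are all constructed stand-ins for a firewall or endpoint connection log. It flags any process whose name contains "cloudflared" and, independently of the process name, any outbound connection to 7844 that is not headed to an RFC 1918 address, so a renamed binary still surfaces via the port rule. Both rules also fire on sanctioned Cloudflared deployments, so in practice they are paired with an allowlist of approved hosts.

```python
"""Hunt connection logs for indicators consistent with an outbound Cloudflare Tunnel.

Added example, not part of the original article. Log format and field names
are assumptions; the sample lines are constructed, not real telemetry.
"""
import ipaddress
import re
from dataclasses import dataclass

# Port the article names for the QUIC tunnel transport.
TUNNEL_PORT = 7844

# Executable name given in the article; matched case-insensitively as a substring.
PROC_RE = re.compile(r"cloudflared", re.IGNORECASE)

# Parses "key=value" tokens; assumed log format.
KV_RE = re.compile(r"(\w+)=(\S+)")

# Destinations inside these ranges are treated as internal and not reported.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log (TEST-NET addresses stand in for external hosts).
SAMPLE_LOG = """\
ts=2023-08-01T10:00:01Z host=ws-17 proc=chrome.exe proto=tcp dport=443 dst=203.0.113.10 dir=out
ts=2023-08-01T10:00:05Z host=ws-17 proc=cloudflared.exe proto=tcp dport=443 dst=198.51.100.5 dir=out
ts=2023-08-01T10:00:06Z host=ws-17 proc=cloudflared.exe proto=udp dport=7844 dst=198.51.100.5 dir=out
ts=2023-08-01T10:00:09Z host=srv-02 proc=updater.exe proto=udp dport=7844 dst=198.51.100.7 dir=out
ts=2023-08-01T10:00:12Z host=srv-02 proc=sshd proto=tcp dport=22 dst=10.0.0.9 dir=in
ts=2023-08-01T10:00:15Z host=ws-03 proc=svchost.exe proto=udp dport=7844 dst=192.168.1.20 dir=out
"""


@dataclass(frozen=True, order=True)
class Finding:
    host: str
    proc: str
    reason: str


def parse_line(line: str) -> dict:
    """Turn one key=value log line into a dict of string fields."""
    return dict(KV_RE.findall(line))


def is_rfc1918(ip: str) -> bool:
    """True if ip parses and falls in an RFC 1918 range; unparseable values count as external."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def classify(rec: dict) -> list:
    """Return the list of reasons (possibly empty) why one record is suspicious."""
    reasons = []
    if PROC_RE.search(rec.get("proc", "")):
        reasons.append("process name matches cloudflared")
    if (
        rec.get("dir") == "out"
        and rec.get("dport") == str(TUNNEL_PORT)
        and not is_rfc1918(rec.get("dst", ""))
    ):
        reasons.append(f"outbound {rec.get('proto', '?')}/{TUNNEL_PORT} to non-RFC1918 address")
    return reasons


def find_tunnel_indicators(log_text: str) -> list:
    """Scan a whole log and return de-duplicated, sorted Findings (one per host/proc/reason)."""
    findings = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        for reason in classify(rec):
            findings.add(Finding(rec.get("host", "?"), rec.get("proc", "?"), reason))
    return sorted(findings)


if __name__ == "__main__":
    for f in find_tunnel_indicators(SAMPLE_LOG):
        print(f"{f.host:8} {f.proc:18} {f.reason}")
```

On the constructed sample this yields three findings: the named cloudflared.exe on ws-17 (by name and by port), and updater.exe on srv-02 by port alone, which is the case the name rule would miss. The 7844 flow from ws-03 to an internal address is left out by design; if internal 7844 traffic matters in your environment, drop the RFC 1918 filter.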
