Cloudflare Tunnel increasingly abused by cybercriminals

Cloudflare Tunnel provides you with a secure way to connect your resources to Cloudflare without a publicly routable IP address. Cybercriminals are increasingly using this service to keep their activities from being detected.

Cloudflare Tunnel, also known by the name of its executable, cloudflared, reaches out from the protected machine to Cloudflare's edge servers by opening an outbound connection over HTTPS (HTTP/2) or QUIC. The tunnel's operator then decides which services or private networks are reachable through it by changing the tunnel's configuration in the Cloudflare dashboard; no inbound firewall rule or public IP address is needed on the machine itself. In legitimate use it lets external users reach internal services such as SSH (Secure Shell), RDP (Remote Desktop Protocol), SMB (Server Message Block), and others.

Researchers have found that cybercriminals are shifting from ngrok to Cloudflare Tunnel, probably because its free tier offers considerably more functionality. A single command run on the victim machine is enough to establish the tunnel, and the attacker can then use that foothold to conduct further operations.

Once the tunnel is established, cloudflared retrieves its configuration from Cloudflare and keeps it only in the memory of the running process. If the covert channel is discovered, all the victim will find on the host is a unique tunnel token, which reveals nothing about what the tunnel is being used for. The attacker, on the other hand, can change the tunnel configuration on the fly from the Cloudflare side without ever touching the victim machine again.

Since the tool is a legitimate binary supported on every major operating system, and the initial connection is an outbound HTTPS connection to Cloudflare-owned infrastructure, this method may well become even more popular among cybercriminals. It gives them a way to switch persistence on when they need it and off when they don't, which reduces the chance of being found out.

Because the traffic is encrypted and leaves the network on a port that most outbound policies don't scrutinize (port 7844, over TCP for HTTP/2 or UDP for QUIC), it is unlikely to be blocked or flagged by firewalls and other protection software unless they have been specifically configured to do so.

As if that wasn't worrying enough, the researchers found that once they had established a tunnel to a single client (victim), they could abuse Cloudflare's 'Private Networks' feature to reach an entire range of internal IP addresses remotely through that one host.

Mitigation

The researchers note that on the victim machine, RDP and SMB have to be enabled before an attacker can connect to them through the tunnel. So, if you don't need those services, this is another good reason to disable them.

To detect unauthorized use of Cloudflare Tunnel, the researchers recommend that organizations monitor for the specific DNS queries cloudflared makes (as shared in the report) and for outbound traffic on non-standard ports like 7844.
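To show what that monitoring looks like in practice, here is a small hunting script added to this article (it is not from the researchers' report or from Cloudflare). It runs over constructed JSON log lines and flags the three indicators discussed above: DNS queries for the edge hostnames cloudflared resolves, outbound connections to port 7844 over TCP or UDP, and process starts whose command line is a token-based tunnel run. The argotunnel.com domain it keys on is an assumption you should confirm against your own packet captures and the hostnames listed in the report, and the log field names (event, host, query, proto, dst_port, image, cmdline) are this example's own, not any product's schema.

```python
# Added example, not from the article: hunt for the indicators of an
# unauthorized cloudflared tunnel in constructed JSON log lines.
import json
import re
from collections import defaultdict

# Assumption: cloudflared resolves edge hostnames under this domain. Check the
# names against your own packet captures and the report's list before relying on it.
TUNNEL_DNS_SUFFIXES = ("argotunnel.com",)
# cloudflared talks to the edge on port 7844: TCP for HTTP/2, UDP for QUIC.
TUNNEL_PORT = 7844
# A token-based tunnel is started with `<binary> tunnel run --token <token>`.
# The binary name is deliberately not part of the pattern: renaming cloudflared
# does not change its command line.
TOKEN_RUN_RE = re.compile(r"\btunnel\b.*\brun\b.*--token\s+\S+", re.IGNORECASE)

# Constructed sample events (JSON lines; field names and values are made up
# for this example, including the token).
SAMPLE_LOGS = [
    '{"event":"dns","host":"ws01","query":"www.example.com"}',
    '{"event":"dns","host":"ws01","query":"region1.v2.argotunnel.com"}',
    '{"event":"dns","host":"ws03","query":"myargotunnel.com"}',
    '{"event":"conn","host":"ws01","proto":"tcp","dst_ip":"203.0.113.10","dst_port":443}',
    '{"event":"conn","host":"ws01","proto":"tcp","dst_ip":"198.51.100.5","dst_port":7844}',
    '{"event":"conn","host":"ws02","proto":"udp","dst_ip":"198.51.100.6","dst_port":7844}',
    '{"event":"proc","host":"ws01","image":"/home/user/.cache/cloudflared",'
    '"cmdline":"cloudflared tunnel run --token eyJhIjoiYWJjIiwidCI6Inh5eiJ9"}',
    '{"event":"proc","host":"ws02","image":"/tmp/update",'
    '"cmdline":"/tmp/update tunnel run --token eyJhIjoiYWJjIiwidCI6Inh5eiJ9"}',
    '{"event":"proc","host":"ws03","image":"/usr/bin/ssh","cmdline":"ssh admin@fileserver"}',
]


def _is_tunnel_domain(query):
    """True only for the suffix domain itself or a label under it, never for look-alikes."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in TUNNEL_DNS_SUFFIXES)


def detect(lines):
    """Return (host, indicator, detail) tuples for every matching event."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        kind = rec.get("event")
        if kind == "dns" and _is_tunnel_domain(rec["query"]):
            findings.append((rec["host"], "dns", rec["query"]))
        elif kind == "conn" and int(rec["dst_port"]) == TUNNEL_PORT:
            findings.append((rec["host"], "port7844", f"{rec['proto']}/{rec['dst_ip']}"))
        elif kind == "proc":
            image = rec.get("image", "").lower()
            cmdline = rec.get("cmdline", "")
            # Either the binary still carries its real name, or the command
            # line gives it away regardless of what it was renamed to.
            if "cloudflared" in image or TOKEN_RUN_RE.search(cmdline):
                findings.append((rec["host"], "process", cmdline))
    return findings


def indicators_by_host(findings):
    """Collapse findings to {host: sorted list of distinct indicator types}."""
    by_host = defaultdict(set)
    for host, indicator, _ in findings:
        by_host[host].add(indicator)
    return {host: sorted(kinds) for host, kinds in by_host.items()}


def suspicious_hosts(findings, min_indicators=2):
    """Hosts showing at least min_indicators independent indicator types."""
    return sorted(host for host, kinds in indicators_by_host(findings).items()
                  if len(kinds) >= min_indicators)


if __name__ == "__main__":
    hits = detect(SAMPLE_LOGS)
    for host, indicator, detail in hits:
        print(f"{host}\t{indicator}\t{detail}")
    print("hosts to triage first:", suspicious_hosts(hits))
```

Any one of these indicators on its own is weak evidence, and a tunnel your own IT team deployed will trip all three, so the script ranks hosts by how many distinct indicator types they show and you should allow-list known cloudflared deployments before acting on the output. Note that the renamed binary on ws02 is still caught, because the process detection keys on the `tunnel run --token` command line rather than on the file name.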