Cybercriminals Exploit Cloudflare Tunnels to Deliver Remote Access Trojans

Cybersecurity researchers have identified a concerning trend where threat actors are abusing Cloudflare’s tunneling service, Cloudflared, to distribute various Remote Access Trojans (RATs). This technique allows attackers to establish covert channels into compromised networks, effectively evading traditional security measures.

Understanding Cloudflare Tunnels

Cloudflare Tunnels, also known as Cloudflared, enable users to securely expose local servers to the internet without exposing their IP addresses. This service is designed to facilitate secure remote access and protect internal applications. However, cybercriminals have found ways to exploit this legitimate service for malicious purposes.

The Emergence of Malicious Use

Since February 2024, there has been a significant increase in the misuse of Cloudflare Tunnels by cybercriminals. These actors leverage the TryCloudflare feature, which allows the creation of temporary tunnels without requiring a Cloudflare account. This feature is intended for developers to test applications but has been co-opted by attackers to distribute malware.

Attack Methodology

The typical attack chain begins with phishing emails containing URLs or attachments that lead to internet shortcut (.URL) files. When executed, these shortcuts connect to external file shares, often via WebDAV, to download malicious LNK or VBS files. Executing these files triggers scripts that download and install Python packages, ultimately leading to the deployment of RATs such as Xworm, AsyncRAT, VenomRAT, GuLoader, and Remcos. In some instances, attackers use the search-ms protocol handler to retrieve LNK files from WebDAV shares. To maintain the illusion of legitimacy, a benign PDF is often displayed to the user during the process.

Scale and Impact

The scale of these campaigns varies, with message volumes ranging from hundreds to tens of thousands, impacting numerous organizations globally. The use of Cloudflare Tunnels provides attackers with a flexible and temporary infrastructure, making it challenging for defenders to detect and mitigate these threats. The ephemeral nature of the tunnels allows attackers to quickly set up and dismantle their operations, complicating traditional security measures that rely on static blocklists.

Detection and Mitigation Challenges

The legitimate nature of Cloudflare’s services makes it difficult for security teams to distinguish between authorized and malicious use. Attackers’ use of Python scripts for malware delivery is particularly notable. By packaging Python libraries and executable installers alongside the scripts, they ensure the malware can run on hosts without pre-installed Python environments. Organizations are advised to restrict the use of Python if it is not required for specific job functions.

Recommendations for Organizations

To defend against these sophisticated attacks, organizations should consider the following measures:

– Monitor Network Traffic: Monitor outgoing connections to .trycloudflare.com URLs and DNS queries for .argotunnel.com hostnames, since both indicate tunnel activity regardless of which host set it up.

– Restrict External File Sharing: Limit access to external file-sharing services like WebDAV and SMB to known, allow-listed servers.

– Educate Employees: Conduct regular training sessions to help employees recognize phishing attempts and suspicious email content.

– Implement Advanced Detection Mechanisms: Utilize behavioral analysis and anomaly detection tools to identify unusual patterns indicative of tunnel abuse.
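As an added example (not code from the original article), a small Python scanner for the network-monitoring recommendation above: it reads resolver log lines and flags queries under trycloudflare.com and argotunnel.com, matching whole DNS labels so a lookalike such as trycloudflare.com.attacker.example is not misreported. The log layout and the sample entries are constructed for illustration.

```python
import re
from typing import List, NamedTuple, Optional

# Cloudflare Tunnel domains named in the recommendation above. Matching is done on
# whole DNS labels so a lookalike like "trycloudflare.com.evil.example" never matches.
TUNNEL_SUFFIXES = ("trycloudflare.com", "argotunnel.com")

# Assumed resolver log layout (constructed): "<timestamp> <client-ip> <qtype> <qname>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")

class Hit(NamedTuple):
    timestamp: str
    client: str
    qname: str
    suffix: str

def matched_suffix(qname: str) -> Optional[str]:
    """Return the tunnel suffix that qname falls under (label-wise), else None."""
    labels = qname.rstrip(".").lower().split(".")
    for suffix in TUNNEL_SUFFIXES:
        parts = suffix.split(".")
        if labels[-len(parts):] == parts:  # apex and every subdomain of it
            return suffix
    return None

def scan_dns_log(lines: List[str]) -> List[Hit]:
    """Parse resolver log lines and return every query under a tunnel domain."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than abort the scan
        suffix = matched_suffix(m["qname"])
        if suffix:
            hits.append(Hit(m["ts"], m["client"], m["qname"].rstrip(".").lower(), suffix))
    return hits

# Constructed sample log: one host resolving a TryCloudflare tunnel and the
# argotunnel.com control plane, one lookalike that must NOT match, and normal traffic.
SAMPLE_LOG = """\
2024-03-05T09:14:02Z 10.20.30.41 A workstation-07.corp.example
2024-03-05T09:14:05Z 10.20.30.41 A quiet-lamp-words-sample.trycloudflare.com
2024-03-05T09:14:06Z 10.20.30.41 A region1.v2.argotunnel.com
2024-03-05T09:14:09Z 10.20.30.52 A trycloudflare.com.attacker-lookalike.example
2024-03-05T09:14:11Z 10.20.30.52 AAAA updates.vendor.example
"""

if __name__ == "__main__":
    print(*scan_dns_log(SAMPLE_LOG.splitlines()), sep="\n")
```

Point the same logic at real resolver or proxy exports, then pivot from the flagged client to the process that issued the lookup.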

Conclusion

The exploitation of Cloudflare Tunnels by cybercriminals underscores the need for continuous vigilance and adaptation in cybersecurity practices. As attackers increasingly leverage legitimate services to mask their activities, organizations must enhance their detection capabilities and implement robust security measures to protect against these evolving threats.