Threat Actors Exploit Cloudflare Tunnels for Covert Communication

New research has revealed that threat actors are exploiting Cloudflare Tunnels to establish covert communication channels from compromised hosts. Cloudflare Tunnels, set up with the command-line tool cloudflared, create an outbound connection from an origin web server to Cloudflare's nearest data center, which hides the origin's IP address and helps block DDoS and brute-force attacks.

For threat actors with elevated access on an infected host, this feature provides an opportunity to establish a foothold: they generate a tunnel token and use it to start the tunnel from the victim machine. The tunnel's configuration can then be updated in real time through the Cloudflare Dashboard, allowing threat actors to enable and disable functionality as needed. This approach lowers the risk of detection and of exposing their own infrastructure.

Additionally, the tunnel’s Private Networks functionality enables threat actors to access a range of IP addresses within a local network as if they were physically connected to the victim machine hosting the tunnel. This technique has already been observed in the wild, particularly in two software supply chain attacks that targeted the Python Package Index (PyPI) repository.

To mitigate the risks posed by the misuse of cloudflared, organizations are advised to implement logging mechanisms to monitor for anomalous commands, DNS queries, and outbound connections. Blocking attempts to download the cloudflared executable is also recommended.

It is important for organizations using Cloudflare services to limit their services to specific data centers and generate detections for traffic that routes to anywhere except their specified data centers. This can help in identifying unauthorized tunnels.
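As an added illustration of the logging advice above (not code from the original post), the following Python scans constructed process-execution and DNS records for the three signals the article recommends watching: cloudflared tunnel commands, DNS lookups to the edge domains cloudflared is assumed to use (argotunnel.com and trycloudflare.com), and downloads of the cloudflared binary from its GitHub release path. The list of hosts authorized to run tunnels is a hypothetical allow-list so that sanctioned use is not flagged.

```python
import json
import re

# Constructed sample telemetry, one JSON record per line (not real logs).
SAMPLE_LOGS = """
{"type":"process","host":"ws01","user":"svc","cmd":"cloudflared.exe tunnel run --token TOKEN_PLACEHOLDER"}
{"type":"dns","host":"ws01","query":"region1.v2.argotunnel.com"}
{"type":"dns","host":"ws02","query":"www.example.com"}
{"type":"process","host":"ws02","user":"admin","cmd":"curl -L -o cf.exe https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-windows-amd64.exe"}
{"type":"process","host":"ws03","user":"dev","cmd":"python build.py"}
{"type":"dns","host":"ws03","query":"abc-xyz.trycloudflare.com"}
"""

# Assumed indicators: cloudflared's binary name and "tunnel" subcommand, the
# edge domains the client resolves, and the official release download path.
CLOUDFLARED_BIN = re.compile(r"\bcloudflared(\.exe)?\b", re.I)
RELEASE_PATH = re.compile(r"github\.com/cloudflare/cloudflared/releases", re.I)
EDGE_DNS_SUFFIXES = (".argotunnel.com", ".trycloudflare.com")

# Hypothetical allow-list: hosts where a tunnel is sanctioned (e.g. a real origin).
AUTHORIZED_TUNNEL_HOSTS = {"web01"}


def classify(record):
    """Return a finding label for one record, or None if nothing suspicious."""
    if record["host"] in AUTHORIZED_TUNNEL_HOSTS:
        return None
    if record["type"] == "process":
        cmd = record["cmd"]
        if RELEASE_PATH.search(cmd):
            return "cloudflared_download"
        if CLOUDFLARED_BIN.search(cmd) and "tunnel" in cmd.lower():
            return "cloudflared_tunnel_exec"
    elif record["type"] == "dns":
        if record["query"].lower().endswith(EDGE_DNS_SUFFIXES):
            return "cloudflared_edge_dns"
    return None


def scan(log_text):
    """Return (host, label) pairs for every record that matches an indicator."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        label = classify(rec)
        if label:
            findings.append((rec["host"], label))
    return findings


if __name__ == "__main__":
    for host, label in scan(SAMPLE_LOGS):
        print(f"{host}: {label}")
```

A host that appears under both `cloudflared_tunnel_exec` and `cloudflared_edge_dns`, as ws01 does here, is the strongest signal that a tunnel is actually up rather than merely staged.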

The post Threat Actors Exploit Cloudflare Tunnels for Covert Communication appeared first on satProviders.